Career Professional Paper
The Importance of Social Science to Penetration Testing
Penetration Testing is an exciting, ever-changing career field that increasingly
requires the skills of adaptability, versatility, ingenuity and a “try harder”
mindset. Social science is integral to multiple aspects of the career,
with an emphasis on understanding human behavior and decision-making processes.
Greater emphasis within the field must be placed on understanding marginalized groups,
so that cybersecurity processes and interactions can be tailored to meet their needs.
Penetration Testing relies on social science to understand human behavior.
Understanding those behaviors allows for bespoke approaches to penetration testing
engagements. Examples of this include creating effective phishing campaigns and
thorough, efficient password-cracking wordlists. Understanding how humans interact
with phishing emails, or how they choose their passwords, allows a penetration
testing audit to perform to the highest degree, and thus provides a customer with the
most effective avenues for remediation.
Understanding the human psyche and how humans interact within the physical
world can help create tailored risk assessments and user awareness and security
training. Without this intimate knowledge, many avenues to risk and vulnerability can
go unchecked and untested, leaving customers vulnerable to threat actors who
understand and utilize social sciences better. Social engineering campaigns all fall
within this realm, because without social science the most
effective and efficient solutions to cybersecurity will not be found.
Because of the vast array of differences in communities, companies and
industries, people in this field must learn the highlighted skills of versatility and
adaptability. Creating unique and tailored cybersecurity policy is a must, as the needs of
all customers are different. Because of social science applications, one can better
understand the needs of customers. Meeting these unique needs cannot be done
without first understanding these groups through the lens of psychology and sociology.
All the applications of social science within the penetration testing field need to
be viewed through different lenses. Marginalized groups can be disproportionately
affected by cybersecurity measures, or a lack thereof. Many schools without proper
funding do not receive the attention and detail needed to be effective against threats
and vulnerabilities. Through the use of social sciences within this field,
all-encompassing and inclusive security testing can be performed that meets the diverse
needs of marginalized groups.
Penetration testers must take special care to adapt and be versatile in
meeting the needs of customers. Penetration testers must advocate for security
awareness, training and discipline for groups that face inequalities and disparities.
With all the different needs of customers and diverse groups in mind, we must
be sure to integrate ethical considerations when developing cybersecurity policy and
penetration testing engagements. Considering the wider implications of our actions, and
the actions of others, we can realize that we have an ethical responsibility to protect
people. When ethical responsibility is factored in, penetration testers must ensure that
the greatest care is taken in protecting people and delivering the highest quality of
product and service. Integrating social science into the field is not just smart, it is
necessary to produce relevant, accurate information.