Social Science Principles in Penetration Testing
The field of cybersecurity is widely recognized as multidisciplinary, and many careers in it draw on social science principles in day-to-day work. Of the many jobs open to cybersecurity majors, penetration testing is a rewarding career focused on identifying security weaknesses within an organization, and part of that process includes social engineering and Human Systems Integration exercises that test employees' cyber hygiene (Coursera). While penetration testing deals largely with the technical side of security systems, human error is one of the leading causes of data breaches: a 2020 study by Stanford University and Tessian concluded that 88% of data breaches are caused by employee mistakes ("The Psychology of Human Error"). To ensure that computer systems and their users have the tools needed to maintain security, and that employees act as a "human firewall", penetration testers run a series of technical, physical, and social-engineering tests that help organizations understand their strengths and weaknesses in security practice.
One common social-engineering method penetration testers use to test employees' cyber hygiene is the simulated phishing campaign. Since cyber victimization is often associated with behavior, an employee who falls for a phishing attempt may be more trusting, more sympathetic, and easier to manipulate. A real phishing attempt typically sends emails to a broad set of users within an organization and encourages recipients to click a link leading to a webpage designed to harvest data from them. A simulation follows the same process, but its objective is measurement: the number of users who clicked the link (and, often, how many went on to submit credentials or instead reported the email) compared with the total number who received it. As with any test or experiment, it is important to remain ethical and to ensure that the simulated webpage does not record personal data from users, such as any password they type into it (Kabay).
Another social-engineering tool commonly used by cyber offenders is baiting. According to an article from Carnegie Mellon University, "The most common form of baiting uses physical media to disperse malware" (Carnegie Mellon University). To run the test, a device such as a USB drive is placed somewhere in an office, with the hope that an employee discovers it and reports it rather than using it; in a test the drive carries a harmless file that only records that it was opened, not real malware. In some cases, though, as discussed in course material, individuals with certain personality traits may be more susceptible to a baiting attempt. According to theories described in module material, such as Reinforcement Sensitivity Theory, people with curious, impulsive, and open personalities may be more likely to plug the drive into a computer, which in a real attack could lead to malware being installed on the system. Users with high self-control who are conscientious by nature are more likely to report the suspicious device to a higher authority.
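A minimal scorer for both exercises described above (the simulated phishing campaign and the USB drop), written as an added example for this page; it is not code from the essay or from any cited source. It assumes hypothetical per-target tracking tokens, a hypothetical landing page at training.example, constructed syslog lines from hypothetical workstations, and a "report phishing" mailbox; no real tool or vendor API is implied. The landing handler records only that a click or a form submission happened and throws away what was typed, which is the ethical constraint the essay raises.

```python
import re
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample population for the example: four phishing targets and two
# planted drives, identified by the serial numbers programmed on the drives.
TARGETS = ["alice", "bob", "carol", "dave"]
DROPS = {"DROP-LOBBY-01": "lobby", "DROP-CAFE-02": "cafeteria"}

# Matches the kernel line logged when a USB device is enumerated, e.g.
# "Mar  3 09:12:01 ws-0142 kernel: usb 1-1: SerialNumber: DROP-LOBBY-01"
USB_LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+) kernel: usb [\d.-]+: SerialNumber: (?P<serial>\S+)$"
)


def rate(numerator, denominator):
    """Fraction of a population, 0.0 when nothing was sent or planted."""
    return numerator / denominator if denominator else 0.0


class Campaign:
    """Records which lures were sent and which events each lure produced."""

    def __init__(self, targets, drops):
        # One opaque, unguessable token per target (hypothetical scheme): the
        # link carries no personal data, and a guessed token cannot forge a click.
        self.token_to_target = {secrets.token_urlsafe(12): t for t in targets}
        self.drops = dict(drops)
        self.events = defaultdict(set)  # event kind -> ids that produced it

    def lure_url(self, target):
        token = next(k for k, v in self.token_to_target.items() if v == target)
        return f"https://training.example/verify?t={token}"

    def record_landing(self, url, form_body=None):
        """Landing-page handler: records the click and whether a form was
        submitted, but never stores the submitted contents."""
        token = parse_qs(urlparse(url).query).get("t", [None])[0]
        target = self.token_to_target.get(token)
        if target is None:
            return None  # unknown or guessed token: no record is created
        self.events["clicked"].add(target)
        if form_body:
            self.events["submitted"].add(target)  # only the fact, never the data
        return target

    def ingest_endpoint_log(self, lines):
        """Credit a plug-in to a planted drive when its serial shows up in
        endpoint logs; drives the tester did not plant are ignored."""
        for line in lines:
            m = USB_LINE.match(line)
            if m and m.group("serial") in self.drops:
                self.events["plugged_in"].add(m.group("serial"))

    def record_report(self, text):
        """An entry in the 'report phishing' mailbox: credit the lure it names."""
        for token, target in self.token_to_target.items():
            if token in text:
                self.events["reported_phish"].add(target)
        for serial in self.drops:
            if serial in text:
                self.events["reported_usb"].add(serial)

    def summary(self):
        n_targets, n_drops, ev = len(self.token_to_target), len(self.drops), self.events
        return {
            "phish_sent": n_targets,
            "phish_click_rate": rate(len(ev["clicked"]), n_targets),
            "phish_submit_rate": rate(len(ev["submitted"]), n_targets),
            "phish_report_rate": rate(len(ev["reported_phish"]), n_targets),
            "drives_planted": n_drops,
            "drive_plugin_rate": rate(len(ev["plugged_in"]), n_drops),
            "drive_report_rate": rate(len(ev["reported_usb"]), n_drops),
        }


def run_example():
    """Replay a constructed engagement and return its scorecard."""
    c = Campaign(TARGETS, DROPS)
    c.record_landing(c.lure_url("alice"))                          # clicked only
    c.record_landing(c.lure_url("bob"), "user=bob&pass=hunter2")   # clicked and typed a password
    c.record_landing("https://training.example/verify?t=guess")   # forged token, ignored
    c.record_report("FW: suspicious mail " + c.lure_url("carol"))  # reported instead of clicking
    c.ingest_endpoint_log([  # constructed syslog lines, not real hosts
        "Mar  3 09:12:01 ws-0142 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583",
        "Mar  3 09:12:01 ws-0142 kernel: usb 1-1: SerialNumber: DROP-LOBBY-01",
        "Mar  3 09:40:17 ws-0077 kernel: usb 2-1: SerialNumber: 4C530001230512",
    ])
    c.record_report("Found a USB stick in the cafeteria, serial DROP-CAFE-02, handed to IT")
    return c.summary()


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The report rates are the numbers worth watching over repeated campaigns: a falling click rate with a flat report rate means people have learned to ignore lures, not to escalate them, and the drive that was handed to IT counts as a success only because the tester wrote its serial on the report mailbox's record.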
Penetration testing, like many other cybersecurity careers, lacks diversity: the numbers for marginalized groups within the field are low. According to an article from Forbes, only 9% of cybersecurity professionals are Black, 8% are Asian, and 4% are Hispanic (Allen). To combat this, efforts should focus on encouraging a more diverse workforce through financial assistance, grants, and mentorship. Language barriers could pose problems in careers that require strong communication skills, such as penetration testing, and organizations should consider investing in translation and language-support services to address this.
Penetration testing is extremely important to organizations and to society. For businesses to ensure they have the right security programs, systems, and personnel, and to improve their security structures overall, hiring a penetration tester to identify vulnerabilities and weaknesses is crucial. Most managers and CEOs would agree that it is far better for a professional to find flaws in a system before a real adversary does. Without professional assistance, companies are unlikely to be ready to face real threats in real time, which could lead to monetary loss and the breach of private data belonging to customers, patients, or clients. Depending on the size of the organization, this could harm many members of society. Penetration testers help prevent these incidents before they happen, and they will only become more sought after and integral as cyber threats grow with the ever-expanding world of technology.
Works Cited
Allen, Ben. "Council Post: Minorities and the Cybersecurity Skills Gap." Forbes, www.forbes.com/sites/forbestechcouncil/2022/09/30/minorities-and-the-cybersecurity-skills-gap/?sh=2e6c7efc7f3f. Accessed 8 Apr. 2023.
Coursera. “10 Cybersecurity Jobs: Entry-Level and Beyond.” Coursera, 22 Sept. 2022, www.coursera.org/articles/cybersecurity-jobs.
"The Psychology of Human Error." Tessian, www.tessian.com/research/the-psychology-of-human-error/.
Carnegie Mellon University. "Social Engineering." Information Security Office, Computing Services, Carnegie Mellon University, www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html.