Cybersecurity Career Professional Paper
By: George “Trey” Smith
Penetration Tester and Social Sciences in Cybersecurity
Introduction
Google describes a penetration tester as “a cybersecurity professional who tests computer vulnerabilities, networks, applications, and databases for vulnerabilities.” They also “Simulate real-world attack scenarios to identify weaknesses” and “Document findings in penetration testing reports to advise clients on risk mitigation” (Simplilearn, 2024). While this description is very technical, penetration testing is heavily involved in the social sciences and often uses their principles and research. From understanding how humans interact in cyberspaces to carrying out social engineering attacks, penetration testers must use social science principles to understand how security can be compromised. Social science allows pentesters to create more effective tests, understand risks that could affect the system, and address concerns over equity, privacy, and inclusion.
The Role of Social Sciences in Penetration Testing
Penetration testers often use psychological principles when making social engineering attacks. They have to think of the societal context so that attacks such as phishing emails or vishing calls can work effectively (CISA, 2021). These attacks aim to exploit biases, trust, or even authority, all of which are principles grounded in social sciences. For example, pentesters might search through employees’ personal information, social media, work accounts, and other information to find what they like and dislike, how they interact with certain types of media, and what they use on a daily basis to mimic what actual attackers do.
Another use of social sciences is in behavioral analysis. Pentesters must analyze and predict how a company might respond to attacks and what is expected of the workers when these attacks occur. The U.S. National Institute of Standards and Technology (NIST) discusses how important it is to integrate human factors into security and recognizes that user behavior can be the most vulnerable target (NIST, 2020).
Inclusion, Diversity, and Marginalized Communities
Pentesters also address issues concerning equity and accessibility. Professionals in this field must think about how technology impacts minority and marginalized groups, and how security gaps might affect them to a greater degree. According to the Association for Progressive Communications (APC), women and minorities are affected by a wider margin by the use of hacking tools and, by extension of these tools, blackmail. There are many cases where these tools are used in a discriminatory manner to gain illegal information and content from the victim. Pentesters are in a prime position to advocate for these groups and teach others how to identify the flaws and vulnerabilities that affect them, keeping them more cyber safe.
Additionally, the underrepresentation of women and minorities in cybersecurity creates a challenge of opportunity. Organizations like Women in CyberSecurity (WiCyS), which we have on this campus, provide a grander perspective on many different challenges and threats in penetration testing. These organizations also help spread social awareness by giving perspectives for better and more in-depth attack simulations and cultivating better defenses.
Application in the Day-to-Day Life of a Pentester
In reality, pentesters apply social science principles daily. Red team engagements and even vulnerability assessments not only test but challenge what pentesters can do while putting these principles into practice. Pentesters test not only systems but also the people within them to see how far along employee awareness is. For example, pentesters might send phishing emails that create a sense of urgency or make recipients feel obligated to comply because a higher-up is telling them to do it.
Conclusion
In conclusion, penetration testing is a heavily technical career that integrates social science principles deeply into day-to-day tasks. These principles can help make attacks more realistic and can create a sense of understanding when it comes to attacks. These simulations are used to promote inclusivity, secure environments, and make assessments to help people and companies be more secure. As society becomes more reliant on technology, understanding the human element in cybersecurity will be just as vital as knowing the code behind it.
Sources
Simplilearn. (2024, June 13). Penetration Tester Job Description: Duties & Skills 2024! Simplilearn.com; Simplilearn. https://www.simplilearn.com/penetration-tester-job-description-article
Avoiding Social Engineering and Phishing Attacks | CISA. (2021, February). Cybersecurity and Infrastructure Security Agency CISA. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
Stine, K., Quinn, S., Witte, G., & Gardner, R. K. (2020). Integrating Cybersecurity and Enterprise Risk Management (ERM). https://doi.org/10.6028/nist.ir.8286
Gender approaches to cybersecurity: integrating policy, research and technical standards discussions. (2024, December 20). Association for Progressive Communications. https://www.apc.org/en/pubs/gender-approaches-cybersecurity-integrating-policy-research-and-technical-standards.
WiCyS – Women in Cybersecurity. (2024). Wicys.org. https://www.wicys.org/
Madi, N. K. M., & Madi, M. (2020). Analysis of Downlink Scheduling to Bridge between Delay and Throughput in LTE Networks. 2020 7th International Conference on Electrical and Electronics Engineering (ICEEE), 243–247. https://doi.org/10.1109/iceee49618.2020.9102546