Introduction

Penetration testing is often viewed as a highly technical career, focused on finding software flaws and securing systems. However, this role is just as deeply rooted in the social sciences, requiring an understanding of human behavior, ethical decision-making, and societal systems. From simulating phishing attacks to navigating complex organizational structures, penetration testers rely on psychological and sociological insights to do their jobs effectively and responsibly. This paper explores how penetration testing depends on key social science concepts, and how those concepts apply in daily practice. It also examines the challenges marginalized individuals face in the field, revealing how power, culture, and inclusion directly shape the profession.

Ethics in Penetration Testing

Penetration testing, while rooted in cybersecurity, involves ethical decision-making that reflects key social science principles. Ethical neutrality is critical in guiding how tests are designed and executed. Unlike malicious hackers, professional penetration testers must operate with full consent, transparency, and respect for organizational and individual boundaries. “The penetration tester should act with integrity at all times. In his endeavours… he should strive to maintain a degree of separation between the criminal hacker and the security professional” (Pierce et al., 2006). These considerations are not just administrative, they influence every step of a test, from selecting targets to reporting results. For example, during a social engineering assessment, testers may need to simulate deception without causing undue harm or embarrassment to employees. This mirrors ethical standards in social science experiments, where protecting subjects from psychological harm is important. By applying these principles, penetration testers act as both cybersecurity professionals and social scientists, balancing the need to expose vulnerabilities with the obligation to do no harm.

Psychology and Social Engineering

A key area where penetration testing intersects deeply with psychology is in the practice of social engineering. Unlike technical exploits, social engineering targets the human mind by using persuasion, urgency, and authority to manipulate behavior. This highlights how cognitive biases, stress, and decision-making shortcuts make individuals vulnerable. “Experience suggests that social engineering is perhaps the most consistently successful tactic available to well practised computer hackers” (Barret, 2003) because humans are unpredictable, emotional, and prone to error. Penetration testers exploit these same human tendencies, but ethically and under controlled conditions, to evaluate an organization’s readiness. For example, a tester might pose as IT support and request credentials over the phone, a tactic that relies entirely on social trust and psychological manipulation. Understanding how and why individuals fall for such tactics requires a grounding in behavioral science.

Sociology and Representation in the Field

Beyond psychology, penetration testing also intersects with sociology, particularly when examining who participates in the field and how structural forces shape their experiences. Penetration testing, despite its increasing demand, remains largely inaccessible to many due to barriers in representation, mentorship, and community norms. Fulton et al. (2022) highlight how vulnerability discovery work is dominated by white and Asian men, while others, particularly women and people of color, face exclusion, gatekeeping, and subtle forms of discrimination. This lack of diversity isn’t just a demographic concern as it limits the range of perspectives applied to security assessments. Sociologically, the profession reflects broader inequalities, where access to skills, support networks, and recognition are unevenly distributed. The marginalization in this space mirrors larger trends in STEM, where underrepresented groups often have to work harder to gain legitimacy.

Challenges Faced by Marginalized Groups

Marginalized individuals pursuing penetration testing careers often face unique challenges that extend beyond technical skill. The first is gatekeeping, where legitimacy is often judged by conformity to a narrowly defined “hacker” culture: typically male, competitive, and exclusionary, highlighting subculture and insider norms, where those who don’t fit the mold are often questioned or sidelined. Second, there’s a persistent lack of access to mentorship and networking, which are crucial for growth in a self-taught, experience-driven profession. Fulton et al. (2022) found that many underrepresented participants entered the field without formal support, relying on personal effort to overcome a lack of guidance or inclusion. Discrimination remain prominent as individuals “mentioned experiencing sexism, racism, sexual assault, transphobia, and homophobia either directed at themselves or someone close to them” (Fulton et al., 2022). These experiences affect career progression, reduce retention, and deter new entrants. Without addressing these barriers, the field risks replicating the very power imbalances that good security practice aims to eliminate.

Relationship Between Society and Pen Testing

Penetration testing doesn’t just affect society, it’s also shaped by it. As more of our lives move online, the need for people who can find and fix security problems has grown. Pen testers help protect businesses, governments, and regular people by finding weaknesses before bad actors do. But at the same time, society influences who gets into this field. For example, the way hackers are shown in movies or the news can affect who gets hired and who feels welcome. Some people are discouraged from joining the field because they don’t fit the stereotype of a “typical hacker.” Laws and policies also affect how pen testers do their job by setting rules about what’s allowed and what isn’t. As such, society and this career constantly shape each other.

Conclusion

Penetration testing is more than exploiting software vulnerabilities. It’s about understanding people, systems, and ethics. This career relies on psychological insight to conduct effective social engineering assessments, and on ethical principles to avoid harm during testing. At the same time, the field reflects larger social structures that can exclude or discourage marginalized individuals from entering or thriving. The profession’s effectiveness depends not only on technical skill, but on expanding its cultural awareness and social responsibility. By integrating social science principles into both practice and community, penetration testing can become more inclusive, ethical, and ultimately more effective in securing our increasingly digital world.

References

Barrett, N. (2003). Penetration testing and social engineering: hacking the weakest link. Information Security Technical Report, 8(4).

Fulton, K. R., Katcher, S., Song, K., Chetty, M., Mazurek, M. L., Messdaghi, C., & Votipka, D. (2023). Vulnerability discovery for all: Experiences of marginalization in Vulnerability discovery. 2023 IEEE Symposium on Security and Privacy (SP), 1997–2014. https://doi.org/10.1109/sp46215.2023.10179478

Pierce, J. D., Jones, A. G., & Warren, M. J. (2006). 193 Australasian Journal of Information Systems Volume 13 Number 2 May 2006 PENETRATION TESTING PROFESSIONAL ETHICS: A CONCEPT