Penetration Testers and Social Science

Social science refers to the scientific study of human society. It is the science of people, or collections of people, and their individual or collective behaviors. Social science can be classified into different scientific disciplines such as anthropology, criminology, economics, geography, political science, psychology, and sociology, just to name a few.

Cybersecurity, also known as computer security and information technology security, is defined as the protection of computer systems, networks, and devices from attack by malicious criminals that may result in unauthorized disclosure of information, information theft, hardware and software damage, or disruption or denial of the services that are provided. Generally, cybersecurity professionals are required to have technical skills such as programming, network and system administration, risk analysis, operating systems, network security control, troubleshooting, and data analysis. Although cybersecurity is a very broad and complex career field, it really boils down to one simple statement: cybersecurity is about understanding and studying how humans commit cybercrimes, why they do so, and how to prevent them.

In the field of cybersecurity, there are many different job roles and titles. These include chief information security officer, cybersecurity consultant, cybersecurity engineer, digital forensics investigator, information security analyst, malware analyst, penetration tester, risk manager, security architect, and security manager. The role that this paper focuses on is the penetration tester. A penetration tester, or pentester for short, is a person who identifies security flaws and vulnerabilities within a computer network or system. Most often, they are not in-house and come into a company as an external consultant. The company authorizes them to perform security audits on the IT infrastructure and identify any potential risks.

In essence, penetration testing is where a cyber-attack is simulated and the discovered vulnerabilities are reported. At times, penetration testing is treated as synonymous with ethical hacking. This is logical because, in penetration testing, an organization is ethically hacked to discover security issues. Security issues and vulnerabilities that penetration testers look for include missing data encryption, operating system command injection, SQL injection, buffer overflows, missing authentication, and so forth. Penetration testers are required to use a variety of methodologies and tools in their work, such as Network Mapper (Nmap), Metasploit, Wireshark, Hashcat, Hydra, Invicti, and John the Ripper.

It isn't often thought of, but penetration testers use a lot of social science research methods in their work. One research method that penetration testers use is experiments. Penetration testers must be extremely careful and meticulous while conducting tests within an organization. If they aren't, they can destroy the whole network and cause a lot of problems for the IT department. Most penetration testers have something called a home lab. A home lab is a safe computer environment that mimics a real-world environment. Penetration testers use this environment to practice and experiment with ethical hacking tools and software that they might use on the job. It also helps them to understand the consequences and results that come from performing a certain action.

Another research method that penetration testers use is archival research. Penetration testers love to look at the content that other penetration testers produce. Usually, they will look at writeups and articles written by other professionals that explain things such as how a certain tool works, what happens when that tool is used, how to use a certain exploit, how different vulnerabilities work, and so on.

One last research method that penetration testers use is surveys. Penetration testers require feedback from their clients. There are many times when they will need to understand what services their clients are expecting and what they are authorized to do within the system. Penetration testers will often spend the bulk of their time in meetings talking with clients. The information that they gather from the clients about their IT infrastructure will be of key importance in helping them to do their job correctly.

In their roles, penetration testers do a lot of report writing to discuss the findings, discovered vulnerabilities, and security recommendations that the company needs to take into consideration. When doing this, penetration testers are required to use the social science principle of parsimony. Parsimony is the social science principle that suggests that simple explanations and solutions should be preferred over complex ones. Explanations should be as simple as possible. Penetration testers should write detailed reports that inform the clients of what they found, but the reports should still be as simple as possible so that the clients can have a clear understanding of what is being conveyed.

Another social science principle that penetration testers use is objectivity. This principle states that topics should be studied in a value-free manner. In other words, there is no bias in the research. Penetration testers are required to do their jobs without bias. They only have one job. They must perform the test to see if there are any vulnerabilities and let the company know if any are found. They can only make recommendations based on what is found in the pentest. They cannot inform their clients based on their own preferences or bias.

Another social science principle that penetration testers use is ethical neutrality. This refers to the fact that ethical standards must be adhered to when research is being conducted. Penetration testers are required to use their hacking skills in an ethical way. They are given permission and authorization from the company to hack into its systems and infrastructure. They are required to look at sensitive and confidential information as part of their daily routine. So, they need to use their ethical standards and not do anything malicious. If this is not done, the company suffers, and the penetration tester will lose their job and even face criminal prosecution.

These are only a few examples of the ways in which penetration testers use social science research methods and principles, but there are many other examples that can be explained. Penetration testers are very important to the cybersecurity world. Without them, the IT systems and infrastructure of different organizations would become a playground for hackers. Cybercrime would be rampant. Society doesn't often think about penetration testers because they are often overshadowed by other affluent cybersecurity professionals and leaders. However, they need to be given more attention and respect by those who work in the industry because they are extremely important. There are currently over 3 million cybersecurity jobs open around the world. The cybersecurity field is in desperate need of penetration testers who have the skills and knowledge to succeed in these roles.

However, there is one negative trend that is found in the penetration testing realm of cybersecurity. There is an extreme lack of ethnic and gender diversity. There are not too many African Americans, Hispanics, or females who work as penetration testers. The sad thing is that this is true for the whole world of cybersecurity, in general. There is not a lot of diversity, and marginalized groups are not represented enough in the career field. I think that cybersecurity is a field that is in great need of new people, but, on the other hand, is restrictive of those that lack experience. New people need a job to get experience but also need experience to get a job. This is the whole chicken-and-egg paradox. Penetration testing is a realm in cybersecurity that will keep on growing, but with the current standards and qualifications that are found in the industry, those jobs will only continue to increase and not be filled.

Penetration testing is a unique, challenging, and fun cybersecurity career. After analyzing what penetration testers do, it is easier to understand how the principles and research methods correlate to what penetration testers do on a daily basis. It is true that social science involves the study of people. However, when coupled with the context of cybersecurity, it helps us to demystify and peel back the layers of the career field and see what the industry is really about.

