career paper

Will Demarest
CYSE 201S – Cybersecurity and Social Science
Professor Yalpi
December 4, 2024
Penetration Tester
A penetration tester may be an outside consultant hired periodically by companies or
government agencies to test their systems for vulnerabilities. In a large corporation, they may be
a full-time employee and work as part of a red team. Either way, someone in this particular field
will depend on social science research and social science principles in performing their
day-to-day activities. As noted by the Cyber Security Education website, penetration testing
“…may involve using techniques such as social engineering, phishing, or network attacks”. The
ethics of white hat social engineering have been debated, requiring ethical neutrality when
deciding whether to use such practices. Determinism, specifically regarding why individuals
may ignore their training and protocols or share their passwords, is another important principle
in this field, as a penetration tester is often trying to exploit those behaviors.
The methods used by penetration testers can also be similar to the scientific process. A
penetration tester starts with a theory about which systems may be vulnerable. Then the tester
will develop a hypothesis about the types of vulnerabilities that are likely to exist. They
then design an experiment to test for these vulnerabilities. Finally, they have to report their
findings to management. This involves gathering empirical data (Empiricism). In presenting
findings to management, it is important to remember that the managers are not necessarily
technical experts. So, parsimony is an important principle as well.
In presenting findings and making recommendations to management, economic
principles will be important. In particular, a penetration tester should be able to describe the costs
and benefits of any recommendations. The Cyber Security Education website highlights the need
“to demonstrate any potential losses in terms of lost work hours, recovery time, loss of
intellectual property, and other disruptions once you find a flawed system”. These potential
losses should then be compared with the costs of additional software, training of employees,
hours spent by IT personnel installing patches, etc. Risk assessment is another important
economic principle. Management will likely want to know which assets are vulnerable if a cyber
attack is experienced and what the likelihood of such an attack would be.
This career relates to marginalized groups and society as a whole because one of the
assets that is often compromised in a cyber attack is customer data. Also, when a penetration
tester uses social engineering tactics as part of their work, the individuals targeted may be
low-level employees. While managers are likely to know that penetration testing is taking place, the
low-level employees might not. Falling for a penetration tester’s scam could subject the
employee to disciplinary action or even being fired.
In conclusion, penetration testing is a career within the cybersecurity field that relies on
social science research and relates to social science principles. The daily routines of this
profession resemble the scientific process. This career can be of benefit to marginalized groups
by protecting their privacy. However, care should be taken to ensure that methods used do not
endanger low-level employees who are more likely to be members of marginalized groups.
Works Cited
“Penetration Testing: How to Become a Pen Tester (Duties & Salary).” Cyber Security
Education, 10 Apr. 2024, www.cybersecurityeducation.org/careers/penetration-tester/.
Bhattacherjee, Anol. Social Science Research: Principles, Methods, and Practices. Anol
Bhattacherjee, 2012.
Hatfield, Joseph M., et al. “Virtuous Human Hacking: The Ethics of Social Engineering in
Penetration-Testing.” Computers & Security, Elsevier Advanced Technology, 28 Feb. 2019,
www.sciencedirect.com/science/article/abs/pii/S016740481831174X.