Ethical Hacking in Information Security Curricula

Zouheir Trabelsi (College of Information Technology, United Arab Emirates University, Al Ain, United Arab Emirates) and Margaret McCoey (La Salle University, Philadelphia, PA, USA)
DOI: 10.4018/IJICTE.2016010101
Abstract

Teaching offensive security (ethical hacking) is becoming a necessary component of information security curricula, with the goal of developing better security professionals. The offensive security components extend curricula beyond system defense strategies. This paper identifies and discusses the learning outcomes achieved as a result of hands-on lab exercises that focus on attacking systems. The paper also examines the ethical implications of including such labs. The discussion is informed by analyses of log data on student malicious activities and by student survey results. The examination of student behavior after acquiring these skills shows that there is potentially a high risk of inappropriate and illegal behavior associated with this type of learning. While acknowledging these risks and problems, the paper recommends that curricula adopt a teaching approach that offers students both offensive and defensive hands-on lab exercises in conjunction with lecture material. The authors propose steps to minimize the risk of inappropriate behavior and reduce institutional liability.

1. Introduction

The importance of experiential learning has long been recognized in the learning theory literature (Denning, 2003; Du, Jayaraman, & Gaubatz, 2010). Despite this, many graduate and undergraduate courses in information security still offer a limited number of hands-on laboratory exercises. The need for a combined theory- and practice-oriented approach in information security education is seen as paramount (Chiou Chen & Lin, 2007). A program that covers only the theoretical aspects of information security may not prepare students to overcome the difficulties associated with efficiently protecting complex computer systems and information assets. Furthermore, a learning environment that does not give students an opportunity to experiment and practice with security technologies does not equip them with the skills and knowledge required for research and development in the computer security field.

So far, most information security courses have supplemented their content by adding a practice-oriented component consisting of laboratory exercises (labs) based on defensive information security techniques (Hill, Carver, Humphries, & Pooch, 2001; Mullins et al., 2002; Vigna, 2003; Whitman, Mattord, & Green, 2014; Trabelsi, Hayawi, Al Braiki, & Mathew, 2013). However, many academics and industry practitioners feel that to defend a system one needs a good knowledge of the attacks the system may face (Arce & McGraw, 2004). Students who understand how attacks are designed and launched will be better prepared for positions as security administrators than those without such skills (Logan and Clarkson, 2005). As a result, interest in including labs on offensive techniques originally developed by hackers has grown significantly. Teaching ethical hacking techniques has become a vital component of programs that aim to produce competent information security professionals (Brutus & Locasto, 2010; Damon, Dale, Land & Weiss, 2012; Dornseif, Gärtner, Holz & Mink, 2005; Ledin, 2011; Mink & Freiling, 2006; Trabelsi & Al Ketbi, 2013; Trabelsi, 2011; Yuan & Zhong, 2008; Trabelsi et al., 2013).

Adding hacking activities to the information security curriculum raises a variety of ethical and legal issues. Using log data as well as data gathered through a student survey, this paper investigates the ethical implications of offering hands-on lab exercises on attack techniques in information security education. The paper emphasizes teaching offensive techniques, which are central to understanding how attackers think and the ways in which security systems fail under attack. Moreover, hands-on labs on attack techniques allow students to experiment with common attacks and consequently to implement the appropriate security solutions and more efficiently protect the confidentiality, integrity, and availability of computer systems, networks, resources, and data. The paper proposes measures that schools and educators can take to develop successful and problem-free information security programs while reducing legal liability, preventing student misconduct, and teaching students responsible behavior.

The paper is organized as follows: Section 2 presents the case for teaching offensive techniques in hands-on lab exercises and the expected learning outcomes of this approach. Sections 3 and 4 discuss the risks arising from teaching offensive techniques in an academic environment, the associated ethical concerns, and the emerging liability issues, along with practical steps to mitigate these risks. Finally, Section 5 summarizes the results and concludes the paper.
