Article Preview
TopIntroduction
On February 18, 2014, the University of Maryland was the victim of a computer security attack that exposed records containing personally identifiable information (PII). A week later, Indiana University announced that a staff error had exposed information on 146,000 students for 11 months. And a week after that, the North Dakota University System reported that a server containing names and Social Security numbers for more than 290,000 current and former students and about 780 faculty and staff had been hacked. (Burrell, 2015)
Educational institutions maintain databases of personal information about faculty, staff, and students. These databases represent an appealing target to cyber criminals who sell stolen personal information on the black market to other criminals (Burrell, 2015). The threat of cyber-attacks on information assets in the private and public sectors is a growing and evolving threat, warns Public Safety Canada (2013A, 2013B, 2013C). “There is no doubt that the frequency and severity of the cyber threat is accelerating. Protecting Canadians in cyberspace will be a constantly evolving challenge” (2013A). Canadians are increasingly reliant on the Internet. The federal government, for example, offers more than 130 commonly used services online, including tax returns, student loan applications, and employment insurance forms. Identity theft costs Canadians nearly $1.9 billion each year (2013A). Over two-thirds of Canadian adults were subject to cyber-crime in 2012 (2013B).
Cyber-attacks include the unintentional or unauthorized access, use, manipulation, interruption or destruction (via electronic means) of electronic information and/or the electronic and physical infrastructure used to process, communicate and/or store that information. The severity of the cyber-attack determines the appropriate level of response and/or mitigation measures: i.e., cyber security. (Public Safety Canada, 2013A)
In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or network (Engebretson, 2011; Sterling, 1993). Hackers pose a security risk in that they can compromise the confidentiality, integrity, or availability (CIA) of information. Cyber-security is a defensive measure against cyber-attacks. It can be understood as a process of applying information security measures to protect information CIA (Dhillon, 2007; Reynolds, 2012; Stamp, 2011). The frequency of hacking attacks increases year after year. And every year “those seeking to infiltrate, exploit or attack our cyber systems are more sophisticated and better resourced than the year before” (Public Safety Canada, 2013A, Introduction, para. 5). Ethical hacking is one important information security (cyber-security) risk management strategy organizations in the public and private sectors use.
A review of literature finds the majority of published books on ethical hacking are either application oriented or certification oriented, emphasizing the use of ethical hacking as a risk assessment process (Engebretson, 2011; Graves, 2010; Harper et al., 2011; Harris, Harper, Eagle, & Ness, 2007; Landoll & Landoll, 2005; Simpson, Backman, & Corley, 2010). Application type books typically serve as manuals or how-to guides. Certification oriented texts prepare IT security professionals for several information security related certifications set at various levels of competencies and skills. The texts typically outline the relevant laws and regulations. However, little attention is given to non-technical and non-legal aspects of ethical hacking implementation within organizations. The important contribution to knowledge of this study lies in filling in a gap in the literature that results from the scarcity of research on the communicative and sociocultural considerations involved in the implementation of ethical hacking within organizations, while the dominant scholarship is application and certification oriented (focusing on technical and legal aspects).