Abstract

This paper offers a virtue ethics analysis of social engineering in penetration-testing. It begins by considering previous research on this topic and argues that such attempts misconstrue or, more often, overlook this Aristotelian tradition. It articulates the core tenets of virtue ethics and applies them to an analysis of white hat social engineering. A virtue ethics analysis requires that individuals and the firms that initiate the penetration-test be placed within a larger communal context which obligates individuals who are potential human hacking victims to participate in the constitution and flourishing of larger communities. As such, for virtue ethics, consent is not a necessary condition for the positive ethical status of white hat social engineering. If methods are consistent with moderation (i.e. the golden mean), manipulation at lower orders within the hierarchy of communities can be justified if it can reasonably be understood as part of an individual's participatory obligation and the results of this participation are essential to ensure the eudaimonia of the larger community. Nevertheless, the golden mean requires that robust mitigation strategies lessen the degree of harm inflicted on social engineering victims. Where possible, a degree of consent should be attained as part of this mitigation. Finally, penetration-testing firms must be able to demonstrate that a robust ethical training program governs their use of social engineering.
