Why we should not teach hacking to IT bachelor students
SCIENCE NEWS FROM KRISTIANIA: Toktam Ramezanifarkhani on teaching cyber security
A recurrent topic in many cybersecurity curricula is an "Ethical Hacking" course, often introduced in the early years of a bachelor's program. Ethical hacking is a type of “hacking” that follows ethical rules.
Introducing ethical hacking at an early stage of a bachelor program begs the question: How appropriate is it to introduce students to the hacking concept, especially at such an early stage?
To answer briefly: Students at this stage lack fundamental knowledge and experience and might misunderstand ethics. Instead of promoting genuine ethical hacking, the course could end up encouraging a risky hacking mindset and emboldening them, resulting in unforeseen risks in the future.
To discuss the question in more detail, let’s review the ethical hacking concept in cybersecurity and the study programs.
There are various definitions for hacking and hackers. Here are some commonly accepted ones:
- Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system’s resources.
- A hacker is a person who breaks into a system or network without authorization in order to destroy, steal sensitive data, or perform other malicious attacks.
What is ethical hacking?
Hackers are categorized on a spectrum, from white hat to black hat, based on their malicious intent and the ethical nature of their actions.

Ethical hackers require an advanced understanding of software, hardware, computer systems, and networks. Additionally, they should possess intermediate to advanced expertise in Operating Systems (OS), databases, IoT, AI, cryptography, and security protocols.
Bachelor students in cybersecurity on an “Ethical Hacking” course may lack basic knowledge and maturity in the complicated area of information security. This may, unfortunately, open some unwanted gates in the near future.
Hacking needs a special mindset
Hacking needs a special mindset and experts continue to debate the definition of “ethics”.
Ethical hackers are not necessarily employed in any organization or affiliated with hacktivist groups like Anonymous; they can potentially target any organization.

Although they may report vulnerabilities to these organizations, the definition of "ethics" remains subjective. Human understanding of "ethics" is constantly evolving due to the nature of social development, a large number of social factors and human aspects in cybersecurity resulting in changes in security standards, rules and regulations.
Ethics is and will be debatable
Ethics is and will be debatable. The mindset of hacking and hackers is unique and could be acceptable for a specific and limited number of experts with maturity and knowledge. With a hacking mindset, the hacker, the ethical hacker included, must sit in a position against systems. Unfortunately, such a mindset can influence students’ thinking, feelings, behavior and actions.
Moreover, the number of bachelor students in cybersecurity is ever-increasing. Thus, growing the hacking mindset in these students, who will graduate in the next years, can create a high risk.

So, is there any suitable replacement for ethical hackers that can also grow the protective mindset?
Ethical hackers and penetration testers
In contrast to the general perception of the ethical hacking concept, there is the concept of the penetration test, or pen-test, and of penetration testers, who play a distinct role. These professionals are specifically hired by organizations to probe and evaluate the system's security.
Penetration testers’ objective is not just to pinpoint vulnerabilities, but also to devise strategies to thwart potential future attacks and risks. They then relay these insights back to the organization. The goal is to test, analyze, monitor, and revise the security features and implement robust security protocols in the organization.
– What is the difference between "ethical hacking" and "penetration testing"? I asked a group of bachelor students in cybersecurity in a close communication in a gathering.
– Hacking is cool, the students answered.
This is exactly what the educational system should not foster!
The mindsets behind "hacking" and "testing" differ significantly. While we aim to discourage the former, we actively seek to cultivate the latter. A significant distinction between "ethical hacking" and "penetration testing" lies in their core objectives: one focuses on "hacking," while the other emphasizes "testing". Each fosters its own mindset.
Just as the need for surgeons in societies will not be satisfied by teaching “surgery” in the first years of education, in cybersecurity, the need for experts in ethical hacking will not be satisfied by teaching such a course to the bachelor students who are not even ready to learn it. And a significant number of them might not pursue such competence in the future.
Author: Toktam Ramezanifarkhani, Associate Professor, School of Economics, Innovation and Technology
This opinion piece was first published at Khrono.no on the 23rd of September 2023 titled "Why we should not teach hacking to the IT students"