To hack or not to hack, that is the ethical question

By Kevin Manne

BUFFALO, N.Y. —  Long before a hacker ever touches a keyboard, their personal moral outlook helps predict if they will use their skills in ethical or unethical ways, according to new research led by the University at Buffalo School of Management.

Forthcoming in Technology in Society, the study found that students drawn to legitimate, authorized cybersecurity work also tend to be attracted to its illegal side, a pattern the authors warn could quietly erode ethical boundaries in the profession.

“As people refine their hacking skills in authorized settings, those actions can become routine, gradually blurring the line between legitimate and illegitimate use — a phenomenon known as ethical fading,” says study co-author Lawrence Sanders, PhD, professor emeritus of management science and systems in the UB School of Management. “Pressures such as peer norms that excuse shortcuts, along with a psychological tendency to feel that past good behavior justifies future lapses, can slowly push cybersecurity experts toward illegal hacking.”

The researchers surveyed more than 500 undergraduate college students to measure their ethical orientation, interest in different types of hacking, and how they think about right and wrong. To determine each student’s beliefs and interests, the results were analyzed using a technique called partial least squares structural equation modeling, which finds patterns in responses across multiple questions.

The study examined three ethical orientations of the participants: 

• Idealism - The belief that right actions never harm others
• Relativism - Skepticism toward universal moral rules, favoring case-by-case judgment
• Deontology - Treating rights, permissions and laws as binding

Which were tested against three hacking types: 

• Authorized, legal and ethical hacking to find and fix vulnerabilities
• An ambiguous middle ground, often ideologically driven activism through hacking
• Illegal exploitation, typically motivated by money, revenge, thrill or status

Their most notable finding was that interest in legitimate hacking was strongly linked to interest in the other two types of hacking, indicating that those who are attracted to “doing it the right way” also tend to be drawn to the riskier, less ethical side. 

They also found that men were more interested in all three types of hacking than women, and that both men and women were less interested in hacking when they believed they were likely to get caught, even for legal work.

As organizations race to fill a growing need for cybersecurity professionals, the researchers say educators and employers should be mindful to focus on more than just technical skills. 

“Techniques learned in the cybersecurity field are inherently dual-use because the same skills can be used to protect or exploit systems,” says Sanders. “Conducting screening tests is essential for identifying the ethical hackers who are critical to the cybersecurity community.”

Sanders collaborated on the study with UB School of Management colleagues Laura Amo, PhD, associate professor of management science and systems; Dianna Cichocki, clinical associate professor of management science and systems; Joana Gaia, PhD, clinical assistant professor of management science and systems; David Murray, clinical professor of management science and systems; and Yuhui Zhang, PhD in management candidate; along with Shambhu Upadhyaya, PhD, professor of computer science and engineering in the UB School of Engineering and Applied Sciences; Charles Border, PhD, associate professor in the Rochester Institute of Technology Golisano College of Computing and Information Sciences; and Sean Sanders, PhD, assistant professor of cybersecurity in the Illinois State University College of Applied Science and Technology.