
From Black to White Hat Hacker

Education in IT Security - Trends and Questions

Charif Bilal
MSc. Information Security (Year 1)

Luleå University of Technology, Sweden


Abstract

Education, training and awareness have recently been connected to information security.
Although some companies have started to implement awareness programs, the value of user
education is still questioned.

Electronic media such as TV, video and computer games can have a strong influence on
children. Criminals are most of the time those who were exposed in their early years to much
violence through such media.

This paper shows the importance of security education for computer users on one side, and
for the would-be criminals who are affected by the surrounding violence on the other side.

It raises some issues about the internet, which connects beginners, professionals,
organizations and hackers, and asks whether it is possible for these parties to learn from each
other. It also questions whether a hacker can become a useful resource in an organization.

Introduction

The end of the 20th century saw a tremendous change in the way people communicate. As the
requirements shifted from voice to video and data communication, questions of information security
started to arise.

Computer viruses appeared in personal computers around 1980 (Bangia 2008). Since that time, people
have had to take special precautions regarding their data and the risk of losing it. Yet even now some
people are not aware that they are infected and have become victims of such viruses (Parsons & Oja 2009).

Studies reveal that one of the biggest threats to information security is human error or failure, e.g.
accidental employee mistakes (Whitman 2003).

Rainer & Cegielski (2010) point out that employees with access and privileges to corporate data and
information systems (high-level employees), employees with access to sensitive personal information
about all employees (human resources and information systems employees) and external or technically
non-employees (contract labor, consultants, janitors and guards) pose great threats to information
security.

Table 1 - Human Mistakes (Rainer & Cegielski 2010)

- Tailgating
- Shoulder surfing
- Carelessness with laptops
- Carelessness with portable devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection and use
- Carelessness with one's office
- Carelessness using unmanaged devices
- Carelessness with discarded equipment

Recently we have seen calls to integrate IT security education into school curricula, as studies
show that any experienced hacker, ethical or criminal, will focus on people's errors and poor
security practices rather than try to crack today's sophisticated technology solutions (McIlwraith 2006).

The main issue that people raise regarding education in information security is whether user education
works. Can we influence people to use strong passwords, not to write down their passwords on sticky
notes, not to disclose their passwords over the phone, and not to click on strange links that arrive in
their emails or instant messages? Or should we instead look for more information security professionals
to recover from human mistakes?

Evers (2006) questions whether security education will give positive results or whether users will still
see security as a secondary goal. Should we instead have security embedded in the process, as a phishing
shield in web browsers, virus filtering in email services and programs, and protection built into instant
messaging services such as Microsoft's Windows Live Messenger?

Organizations should seek security awareness for a couple of reasons. Mainly, it helps them comply
with laws and regulations, which is a requirement for companies. Besides, it can help reduce
unpredictable costs that might arise from data breaches. In addition, it gives them the advantage of a
safer environment compared with less secure companies (Native Intelligence 2010).

Obstacles of security awareness programs

Russell (2002) mentions some of the obstacles which lead to the failure of security awareness programs.
Among these obstacles is that organizations don't consider it a top priority or an objective of its
own. Moreover, it is common that the message behind awareness programs doesn't last; users
return to their wrong behavior soon after the program. Bad habits which took months or years to
develop can hardly be changed through a simple awareness program. Aside from that, users don't share
responsibility for security and consider it the role of the IT security department. Furthermore, lack of
management support and resources are among the complaints about these programs. One can argue that
the problem is not the awareness programs themselves but the goal behind them, which most of the
time cannot be reached. Our purpose is to have an effective program which leads to a change in behavior
instead of merely educating about the desired behavior.
It is a mission that is hard to achieve given the multi-dimensional constraints it faces. The surrounding
environment, which considers wrong behavior as normal behavior, can have a big influence on an
individual's willingness to adopt positive behavior. Besides, it is the responsibility of an organization's
management to support positive behavior, in order for staff to adopt such security behavior. Changing
from negative to positive security behavior requires changing existing habits. This change will be
resisted out of fear of change, even if its purpose is clearly for the best.

Although public awareness is spreading, statistics show that reported incidents are on the increase
(Carnegie Mellon University 2009).

What makes a Hacker?

Whitman & Mattord (2005) classify hackers into two skill levels: the expert or elite hacker, who
develops the software scripts and program exploits, and the novice or unskilled hacker, who uses them.
The traditional hacker used to be a 13- to 18-year-old male with limited parental supervision, while the
modern hacker is a 12- to 60-year-old male or female, internal or external to the organization, with
varying technological skill levels.

The internet makes it easier for hackers to steal information, starting from your PC all the way to the
website storing your records. There are many things that encourage a hacker to commit crimes,
such as:

- Vulnerabilities in software which allow the cyber criminal to take advantage of and use the
software in a malicious way (Maggio 2009).
- Availability of professional hacking tools
- Hard-to-trace cyber crimes
- The value of unsecured information that people hold
- Easy access to data that is subject to hacking
- The huge number of internet users, which increases the chance of a successful crime
- Companies without security protection
- Public Wi-Fi that lacks security
- The variety of things that can be hacked
- Outdated protection software
- Unattended laptops, mobiles or PDAs
- Lack of computer ethics education
- Ignorance of many people in computer security matters
- Horror movies, violent games, social and family problems

It is very important to educate people about computer security awareness and how to avoid becoming
victims. On the other hand, why don't we turn around and try to educate those committing the crimes? If
we are able to reach those who commit cyber crimes, we could understand the reason behind them,
whether it is social, economic, educational, or any other reason. The main issue that prevents us from
reaching our target is that cyber criminals will always stay behind the scenes and will never try to
reveal their identity. Moreover, it is very hard to educate a criminal about ethical and moral issues.

Influence of media

Forehand & Long (2010) as well as Edelman & Mandle (2006) agree on the major influence that
television, video, and computer games have on the ideas and behavior of people. These electronic media
can have both positive and negative effects on children. In fact, Kail & Cavanaugh (2010) explain how
viewing much TV violence in the early years increases the chances of committing crimes at a later
time. Perse (2001) points out that children adopt many stereotypes that are dominant in the programs
they watch on TV.

Cox (2010) draws our attention to the finding that 39% of teens think hacking is cool, which is a warning
for computer users to be aware of expected attacks, as well as for parents and schools to reconsider
educating the new generation about computer ethics.

From this point, it becomes clear that people might accept certain behaviors through electronic media
much more easily than through lectures or campaigns, especially when it comes to ethics and morals,
which a person might not accept and might fear to change, as mentioned earlier.

What I would like to focus on is that the electronic media which promote violence and develop such
stereotypes in children, and which can influence them to commit crimes, can be the same media that
clarify the harmful effects of those crimes to would-be criminals. We need to deliver information
security awareness to everyone and see the changes towards positive security behavior in the long
run. This can occur only if the whole environment adopts such changes, which will require a continuous
and group effort.

What is the solution?

Understanding the powerful influence of media, together with the complicated myth of user education
(Görling 2006), can lead us to a simple yet powerful solution to our problem. It is a solution that helps
the aimed-for positive security behavior reach the targeted users. We are not aiming for a one-time
program but for a regular one that can influence our daily way of living. It is not only a matter of
educating people on how to secure themselves, but also of giving those who commit cyber crimes the
chance to use their knowledge for the good of mankind. Those who commit cyber crimes should know
that the cyber underground might not be the best place for them, and that their knowledge and
experience may be valued somewhere other than the underground. On the other side, organizations
should accept the fact that hackers can be a source of revenue for their business and not strictly a risk
that threatens it.

This scenario can be well illustrated by involving the different parties, e.g. hackers, new users,
professionals, and organizations, in an interactive way. The goal is to understand the different
viewpoints and requirements of these parties. Organizations need to protect their business,
professionals need to secure their data, new users should change towards positive security behavior, and
hackers need a chance to prove their abilities. Without revealing their identities, the different parties can
learn from each other. Cases of information security breaches from real-life situations can be the
common interest among the players. Hackers can illustrate vulnerabilities found in organizations so that
they can be patched, and so that professionals as well as new users open their eyes and understand the
situation. It is a link that gives the chance to communicate and improve the level of awareness as well as
to understand the challenges of future threats.

Security and protection companies, on the other side, can be part of this scenario by providing details of
threats and viruses as well as different software and hardware solutions, which gives a sense of
trustworthiness to such real-life situations. It can test users' knowledge of the different security
solutions and educate them about their best use. On the other side, it could be a solution for the
translation problems of the scientific and technological terminology of information security.

Conclusion

By promoting the risk of threats, the possibility of getting infected, and the solutions for getting
protected, this can raise the importance of IT security for the next generation by sharing their respective
knowledge and experiences and developing new ideas to improve the level of security in information
technology.
It is not only the protection software that requires regular updates; it is also the attitude of the software
users towards the next generation of smart threats. It is the habits of those software users that
require regular updates with respect to information security.
Would it be possible one day for beginners, professionals, and hackers to communicate and try to learn
from each other, as well as to share information and deliver useful ideas? Will it happen that a hacker
becomes someone people can depend on when seeking advice to protect their computers?

References

Bangia, R 2008, Computer Fundamentals and Information Technology, Firewall Media, Delhi.

Carnegie Mellon University 2009, CERT Statistics, Carnegie Mellon University, viewed 3 December 2010, <http://www.cert.org/stats/>.

Cox, M 2010, One in six teens hack -- and rarely get caught, media release, 18 April, eChannelLine, viewed 3 December 2010, <http://www.echannelline.com/usa/story.cfm?item=25649>.

Edelman, CL & Mandle, CL 2006, Health promotion throughout the life span, 6th edn, Mosby Elsevier, St. Louis, Missouri.

Evers, J 2006, Security expert: User education is pointless, media release, 12 October, CNET News, viewed 2 December 2010, <http://news.cnet.com/Security-expert-User-education-is-pointless/2100-7350_3-6125213.html>.

Forehand, R & Long, N 2010, Parenting the Strong-Willed Child: The Clinically Proven Five-Week Program for Parents of Two- to Six-Year-Olds, 3rd edn, McGraw-Hill, USA.

Görling, S 2006, The myth of user education, Virus Bulletin Conference October 2006, Virus Bulletin Conference, Montreal, Canada, 11 October.

Kail, RV & Cavanaugh, JC 2010, Human Development: A Life-Span View, 5th edn, Cengage Learning, Wadsworth.

Maggio, EJ 2009, Private Security in the 21st Century: Concepts and Applications, Jones and Bartlett, Sudbury, MA.

McIlwraith, A 2006, Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness, Gower, Burlington.

Native Intelligence 2010, Security Awareness: A Sound Business Strategy, Native Intelligence, viewed 4 December 2010, <http://www.nativeintelligence.com/ni-programs/whyaware.asp>.

Parsons, JJ & Oja, D 2009, Computer Concepts Illustrated Introductory, 7th edn, Course Technology, Boston.

Perse, LE 2001, Media effects and society, L. Erlbaum Associates, USA.

Rainer, RK & Cegielski, CG 2010, Introduction to Information Systems: Enabling and Transforming Business, 3rd edn, Wiley, USA.

Russell, C 2002, Security Awareness Implementing an Effective Strategy, SANS Institute, Maryland, viewed 2 December 2010, <http://www.sans.org/reading_room/whitepapers/awareness/security-awareness-implementing-effective-strategy_418>.

Whitman, ME 2003, 'Enemy at the gate: threats to information security', Communications of the ACM, Vol. 46, No. 8, pp. 92-94.

Whitman, ME & Mattord, HJ 2005, Principles of Information Security, 2nd edn, Course Technology, Boston.
