Professional ethics of ethical hackers
This section explores the professional ethics of ethical hackers as stipulated and enriched by widely accepted, well-established industry and professional certification bodies.
Topics covered in this section
Introduction
Professional ethics
Professionalism as grounded in university training
Professionalism as grounded in industry standards
The social science context
Introduction
Ethical hackers operate within a structured framework of professional codes of conduct, which define their responsibilities and ensure accountability. Several professional codes of conduct exist for information security professionals and ethical hackers, applicable to individuals who are members or certified professionals of the respective association. For example,
Industry certifications: CEH Code of Ethics (EC-Council), OSCP (Offensive Security Code of Conduct), (ISC)² Code of Ethics, ISACA Code of Professional Ethics
Regulatory/governmental standards/guidelines: NIST publications (e.g., NIST SP 800-12, SP 800-53) touch on broader security and privacy principles
Industry standards/guidelines: OSSTMM, ISO/IEC 27001, OWASP (Open Web Application Security Project) Testing Guide, PCI DSS Penetration Testing Guidance
Professional associations: ACM Code of Ethics (2018), IEEE standards/guidelines (IEEE Cybersecurity Initiative, IEEE Certified Ethical Hacker (CEH) resources), IEEE code of ethics, IEEE code of conduct
Professional licensing/accreditation bodies: Professional Engineers Ontario (PEO)/PEO code of ethics, CEAB, CIPS
While different organizations have their own codes, several underlying principles cut across them: protecting the public (or public safety), acting lawfully, acting with integrity, and maintaining trust.
This universality reinforces that ethical hacking is not a subjective practice but one grounded in well-established professional norms. By internalizing these codes, ethical hackers ensure their work enhances cybersecurity without veering into ethically questionable practices. Ultimately, professionalism in ethical hacking is what separates it from malicious hacking, making it a respected and legally defensible discipline.
Professional ethics
Professionalism as grounded in university training
Three Canadian university professors of computer science disciplines interviewed for a PhD thesis said professionalism, as in professional ethics or a professional code of conduct, guides the behavior of professional engineers and computer scientists (PPT11, PPT3, PPT10).
As a professional engineer, said a Canadian university professor of computer science and software engineering (PPT3), he is “bound by a number of codes of practice, of ethics.” “As a professional engineer, I’m bound by the PEO code of ethics … I’m also bound by the software engineering code of ethics, the ACM code of ethics, the IEEE code of ethics, because I’m a member of multiple societies that have codes.” He says he teaches “five different codes of ethics. They are all broadly the same, but I teach about them to students.” PPT3 added:
That is in the course calendar descriptions and it’s also in our accreditation. We are accredited by CIPS, the Canadian Information Processing Society, and by the Canadian Engineering Accreditation Board, and both of those require us to teach students about ethics.
Accreditation bodies like the Canadian Engineering Accreditation Board (CEAB) and Canadian Information Processing Society (CIPS) require ethics education as part of degree programs. This means students learn not only technical penetration testing skills but also how to apply ethical decision-making in real-world scenarios. For example, coursework may include case studies on responsible disclosure dilemmas or discussions on legal consequences of unauthorized testing, reinforcing that ethical hacking is not just about technical skill but professional responsibility.
How Ethics is Taught in Academia:
Case-Based Learning: Analyzing past breaches (e.g., Equifax, SolarWinds) to discuss ethical failures.
Role-Playing Scenarios: Simulating situations where students must choose between profit and responsible reporting.
Guest Lectures from Industry: Professionals share real-world ethical challenges they’ve faced.
Interview Participants by Area of Expertise
Adhering to multiple overlapping ethical guidelines, all of which reinforce the same core values, ensures that ethical hackers do not merely rely on personal judgment but follow institutionalized best practices that have been refined over decades. University programs teaching ethical hacking incorporate these professional codes into their curricula to ensure graduates enter the field with a strong ethical foundation.
A key assumption of this perspective is that university instruction equips students with the ethical, scientific, and critical thinking skills necessary for professionalism on the job.
It’s kind of like when software engineering became an engineering discipline. There were a lot of coders that knew how to code, but they didn’t have the mindset to approach it as a systematic large problem. I think ethical hacking is a very similar thing. (PPT11)
PPT11 adds that ethical hacking “has become more of an engineering type of discipline now. There’s structure, there’s rigor, there’s tools out there that can be used for it … you need to systematically approach a problem, how to see if you can penetrate a system or not.” It is “that systematic nature that most of the underground ethical hackers, or the small people, don’t have because they’ve never had exposure to doing it in kind of an engineering mindset.”
Professionalism as grounded in industry standards
Professional ethical hackers operate under strict ethical guidelines to ensure their actions remain legal, responsible, and beneficial to cybersecurity. Unlike malicious hackers, they adhere to formalized codes of conduct, often outlined by organizations such as the EC-Council (International Council of E-Commerce Consultants), Offensive Security, and (ISC)². These frameworks emphasize principles like authorization, confidentiality, and non-maleficence (avoiding harm).
A Certified Ethical Hacker (EC-Council) is “a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of the target system(s).” In contrast to a cracker, who is a malicious hacker, an ethical hacker “is someone who employs the same tools and techniques a criminal might use, with the customer’s full support and approval, to help secure a network or system” (Walker, 2017, p. 29).
Key Codes of Conduct for Information Security Professionals (Adapted from Thomas et al., 2018, pp. 5-6)
Each entry below names a code of conduct and summarizes its key directives.
CREST Code of Conduct
CREST is a not-for-profit organization that originated in the UK. It has active chapters across Europe, the Middle East, Africa and India (EMEA), the Americas, Asia, Australia, and New Zealand. CREST’s purpose is “to provide a level of assurance that organizations and their security staff have a level of competence and qualification in conducting security work such as penetration testing, threat intelligence or incident response” (CREST, n.d.). The CREST code of conduct “covers requirements such as ensuring regulatory obligations, adequate project management, competency, client interests, confidentiality, and ethics” (CREST, 2016).
EC-Council Code of Ethics
EC-Council is best known for its Certified Ethical Hacker (CEH) certification, which is recognized as a U.S. Department of Defense (DoD) 8570 cybersecurity certification. The EC-Council Code of Ethics requires “confidentiality of discovered information, ensuring that any process or software obtained is legal and ethical, ensuring proper authorization, adequate project management, continuing professional development, ethical conduct, and not being convicted of any crimes” (EC-Council, n.d.).
Global Information Assurance Certification (GIAC) Code of Ethics
GIAC provides several highly regarded certifications in the security industry, including penetration testing, security management, and digital forensic certifications. The GIAC Code of Ethics comprises four sections: respect for the public, respect for the certification, respect for the employer, and respect for oneself. The code mandates that “professionals will take responsibility and act in the public’s best interests, ensure ethical and lawful conduct”; maintain confidentiality, competency, and accurate representation of skills and certifications; “and avoiding conflicts of interest” (GIAC, n.d.).
ISACA Code of Professional Ethics
ISACA was established in 1969 and focuses on IT governance. It has over 140,000 members worldwide (ISACA, n.d.). ISACA provides training and certification for information security and cybersecurity professionals. The ISACA Code of Professional Ethics mandates that compliance with standards and procedures, due diligence, legal conduct and confidentiality, competency, and continuing professional development are maintained (ISACA, n.d.).
ISC2 Code of Ethics
Code of Ethics Preamble: The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
The International Information System Security Certification Consortium or ISC2 – more correctly, (ISC)² – is an international, not-for-profit organization with over 125,000 members in the information security profession (ISC2, n.d.). ISC2’s Code of Ethics Canons consist of four directives: 1) Protect society, the common good, necessary public trust and confidence, and the infrastructure; 2) Act honorably, honestly, justly, responsibly, and legally; 3) Provide diligent and competent service to principals; and 4) Advance and protect the profession.
Key Codes Governing Ethical Hackers:
ACM Code of Ethics (2018): Prioritizes avoiding harm, respecting privacy, and honesty in disclosure.
IEEE Code of Ethics: Emphasizes transparency, accountability, and rejecting bribery or conflicts of interest.
CEH (Certified Ethical Hacker) Code of Conduct: Mandates legal authorization and confidentiality in testing.
Industry certifications like Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP) include ethics modules to reinforce professional conduct.
Industry standards/guidelines such as OWASP (Open Web Application Security Project) provide guidelines for responsible vulnerability disclosure, ensuring ethical hackers contribute positively to the cybersecurity ecosystem.
The social science context
A discussion of the ethics underlying the behaviour of professional ethical hackers should include a discussion of social values, notably, sociopolitical, ethical, and scientific values. In other words, such discussion should contextualize technology in a social science context.
The STS (science and technology studies) research approach places technology in its historical and theoretical context. Social value influences are less formal and explicit than formal guidelines and standards, but their effect on the behaviour of professional ethical hackers is profound and should not be ignored.
The key social values are liberalism (classical liberalism), pragmatic ethics (Bunge's technoethics), knowledge making (Weick’s constructivism), and scientific (pragmatic philosophy).
Discussion of pragmatic ethics: The technoethics of Mario Bunge. Bunge’s (1975) pragmatic technoethics serves as an overarching framework guiding the application of key societal normative ethical perspectives – deontology (duty), rights, virtue, and utilitarianism.
Discussion of scientific values: Scientific method in research. Canadian society can be defined by two key scientific values that define it as a secular and trusting society: critical rationalism and pragmatism.
Key takeaways
Professionalism (professional behaviour) of ethical hackers can be grounded in university training and industry standards
Social values underlying the behaviour of professional ethical hackers should be made explicit by grounding technology in its historical and theoretical context