Penetration Testers – Career Paper

08/01/2024

When observing the cybersecurity field and how social science research and principles relate to it, one can see both the distinction between cybersecurity and social science and how the two are applied to the different careers offered in cybersecurity. To put this into perspective, penetration testers fall within this realm and exemplify how social sciences are needed within the career in order to succeed.

From an outside perspective, it may not seem as though penetration testers would need to use social science research or principles. To understand how they do, what penetration testers do must first be described. Penetration testers are professionals who are hired by different organizations to test or assess network security with different tools. When testers use these tools, they are able to pinpoint various vulnerabilities within the system, allowing the organization to make the necessary changes to improve its security efforts and protect itself and its clients from data breaches. The methodology used during the research is what truly brings social science principles into the field, as different methods of testing can require different approaches to expose vulnerabilities. Social engineering becomes a main component in penetrating a network, as gaining access to a network can be as easy as manipulating administrative personnel who have access to sensitive information.

Social engineering, in general, plays a huge role in any testing and research for penetration testers as they begin their ventures into testing network security. They must research the behavior of the users on the network and how they perform on a daily basis in order to test appropriately. If the research methods used do not coincide with the project, many opportunities can be missed and the vulnerabilities would remain available for threats to use to breach the network.

For example, a penetration tester can use social engineering to befriend an administrative assistant or upper-level personnel, providing different social ideals that could garner trust and build a relationship. These ideas could then stem further into the organization, as training and education may not be well received by employees, showing that there is a hole and allowing the penetration tester to use more tools to continue the breach into the system. Phishing emails and social media leaks can provide a massive quantity of information that can be exploited to gain access. When these behaviors are monitored and recorded, penetration testers are able to utilize these tools because they can see that the social concepts of people and their behavior drastically affect how they practice proper internet hygiene.

The social science aspect of a penetration tester's work can be very specific, but, just like any other cybersecurity-related career, a sense of depth is needed in order to see how social science truly relates. Even after testing, the testers need to know how to provide logical solutions for fixing the vulnerabilities that were found and formulate a plan to implement new policy to mitigate security risks. Knowing this, upper management must be consulted in order to develop an appropriate strategy. This would then further draw on the social sciences in order to explain why these vulnerabilities exist and how to persuade users to change their behaviors.

Investigations afterward would entail conducting surveys or focus group interviews. This would allow data to be collected from the source of potential risks and allow the problems to be dealt with face-to-face. As more behaviors are studied and built upon, the data can be applied to other systems to see whether the same behavioral patterns exist in other locations. As a whole, penetration testers can provide testing for one organization, but that data can be used globally, as findings provide useful information on recurring trends.

As technology grows, Artificial Intelligence is becoming more prominent and can provide fraudulent information anywhere. Regarding penetration testing, these programs can be used to simulate real people, even though they are not, and could still pander to the behavior of users in order to gain unauthorized access. With this rapid development, the importance of social science and study of behavior becomes greater as software can change and be used without the assistance of an actual person.

Cybersecurity relies heavily on social science in order to perform at the highest level. Even though the cyber field is viewed as digital, with very little person-to-person interaction, it is imperative that behaviors and personnel are studied so that appropriate security measures can be developed. Vulnerabilities exist because of patterns of behavior, and in order to develop an effective security posture for an organization, more than just the technical aspect of a cyber network should be inspected. Utilizing the appropriate research methods would help to mitigate the spread of these patterns and trends and increase security measures not just for one organization, but for multiple organizations globally. The research obtained by penetration testers can be shared in all group formats in order to assist with the ever-developing digital world and with combating vulnerabilities that can be found on any system, whether they stem from users or from hardware exploits. As more research becomes available from studies, the importance of studying human behavior within the cyber field will become more apparent.

