Ethics of red team security testing questioned in new report

Research finds employees are far more likely to put up with red team testing if it's not conducted on themselves

Workers in areas like HR and finance are more likely than IT or security professionals to object to internal security testing, a report has found, raising serious ethical questions around how far security teams should go in their work.

Red team testing conducted against colleagues and fellow workers may help an organisation identify gaps or lapses in its cyber security hygiene, but the research suggests that such actions can also have an adverse effect on staff morale.

There are wide differences in the moral interpretation of social engineering attacks between IT and non-IT employees, according to findings by researchers Tarah Wheeler and Roy Iverson. For example, non-tech workers, in areas such as HR and legal, are nine times more likely to object to receiving a phishing email than staff in security-related jobs.

These employees are also three times more likely to object to security workers impersonating VIPs, and four times more likely to object to the red team targeting receptionists to gain entry into an organisation.

The team surveyed more than 500 workers about their stance on the moral acceptability of conducting internal security tests and presented their findings at the Washington-based tech conference ShmooCon 2020.

The types of testing that respondents were questioned on ranged from sending threatening emails to attempting bribery, and even planting files on employees' devices.

Some of these measures fall within the offensive red team testing routinely conducted by in-house or external teams; others do not. One prominent case of penetration testing, for example, arose last September when two individuals hired by a US-based courthouse were caught trying to physically break into its premises.

Despite many workers holding moral objections to elements of red team testing, the research also found that employees were generally more comfortable being on the orchestration side than on the receiving end.

In some cases, those on the receiving side of red team testing are approximately four-and-a-half times more likely to morally object to certain tests being conducted than if they were organising these tests.

“What we found was surprising and counterintuitive,” Wheeler and Iverson said in their research paper.

“Respondents (even professional security experts) were reportedly 450% more likely to be morally fine with conducting certain often-used tests on other people than they are with having tests run against themselves.”


The researchers added that the data collected allows them to start a discussion about best practices for internal penetration testing within an organisation, and about the impact of deceptive social engineering attacks on company morale.

The report also recommends that company boards adopt a measured approach to overseeing cyber security policy in order to raise the overall level of hygiene among senior employees as well as across the wider workforce.

These measures include hearing a presentation about information security at least twice a year, demanding that high-value targets such as executives are within the scope of testing, and understanding the incentives for compromising targets inside the company.

“Anecdotally, we have heard internal red teamers describing scoping for engagements that disinclude [sic] the most likely targets - executives,” Wheeler and Iverson added. “Because those same executives did not wish to have the potential interruption to their services that the discovery of poor security awareness would entail.

“This is unfortunate, as rapid, constant testing that perpetually integrates small changes leads to the strongest defence of any company.”
