A qualitative study of penetration testers and what they can tell us about information security in organisations

Stefano De Paoli (Division of Sociology, Abertay University, Dundee, UK)
Jason Johnstone (School of Criminology, University of Leicester, Leicester, UK)

Information Technology & People

ISSN: 0959-3845

Article publication date: 10 October 2023

Abstract

Purpose

This paper presents a qualitative study of penetration testing, the practice of attacking information systems in order to find and fix security vulnerabilities. The purpose of this paper is to understand whether, and to what extent, penetration testing can reveal socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by combining Routine Activity Theory with concepts from the phenomenology of information systems.

Design/methodology/approach

The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consist of 24 qualitative interviews conducted with penetration testers and analysed using thematic analysis.

Findings

The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how the vulnerabilities that make a target suitable often emerge from properties of the existing built digital environment, including systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although testing is usually predicated on planned methodologies, they often resort to serendipitous practices such as improvisation.

Originality/value

This paper contributes to theory by showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from the observation that much research on information security focuses on the internal actions of organisations. Studying penetration testing as a proxy for real attacks allows novel insights into the socio-organisational factors of information security in organisations.

Acknowledgements

The authors would like to thank Abertay University, which has funded this research through the R-LINCS initiative. The authors are indebted to the people who gave their time to participate in the interviews for this research. The authors would like to thank all the reviewers who have seen and commented on this manuscript. Their comments made a significant contribution to the quality of this paper.

Citation

De Paoli, S. and Johnstone, J. (2023), "A qualitative study of penetration testers and what they can tell us about information security in organisations", Information Technology & People, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/ITP-11-2021-0864

Publisher: Emerald Publishing Limited

Copyright © 2023, Emerald Publishing Limited