Sunday, February 19, 2012

Final thoughts on our Ethics Review

One of the most valuable parts of this project has been the feedback from the U of R Research Ethics Board (REB). In our initial plan, we had failed to do everything we could to protect the interests, reputation, and employment status of the research subjects. We had not taken into account various legal and ethical issues, assuming only that nothing bad would happen because the director had signed off on the project. We had not fully taken into account that there were three parties to this project: the researchers, the target organization, AND the University of Regina.

One of the main problems with our plan was the simple fact that there were three parties to the proposed penetration test (pen-test). According to Chan Tuck Wai in his report Conducting a Penetration Test on an Organization, you have to be very careful about how you conduct penetration tests on a network. Since such tests often involve what would otherwise be illegal activities, prior, proper legal preparation is essential. Normally, only the pen-testing company and the client company are parties to these agreements. Together they can hammer out all the legal protections needed. If employees are upset about the pen-testing, their legal actions are restricted to their employer and the pen-testing company - both are risks that can be mitigated through careful planning. However, in our case the U of R was also involved, which would give an aggrieved employee another party to sue. Unfortunately, the U of R’s reputation may not be able to survive the publicity of “teaching a class on how to break into networks”. For this simple reason, our proposed project was rightly killed by Enterprise Risk Management.

The REB reported a large number of problems regarding our initial research plan. The major issues came down to protecting employees from any repercussions of their actions during these tests. Despite assurances from management that no actions would be taken against employees who “failed” a test, the REB pointed out that while it is possible that no entries would be made in an employee's file, management is human, and could remember who made mistakes during the pen-test. Since our initial plan was to present a very open and honest in-service with the cooperating organization, naming names would have been a problem, even if the names would never be mentioned in presentations outside of the organization.

The Interagency Advisory Panel on Research Ethics has issued the Ethical Conduct for Research Involving Humans. This document acknowledges the need for deception in research, particularly in the field of psychology. According to the Advisory Panel, “it is the responsibility of researchers to justify the need for such a departure” (p. 37) from fully informed consent. Further, given that we are undergraduates and not formally trained in research techniques, we should only be engaged in Minimum Risk research. Regardless of how much we anonymize the data by cutting out names, the use of edited transcripts, or disguising audio, the simple fact is that we cannot stop employees from talking to others about what we had done. This factor, regardless of anything we do, prevents this research from being Minimum Risk. There is simply no way we can enforce a “no-repercussions” policy from being applied, which again opens the U of R to a legal risk it cannot reasonably expect to take.

As a result of the feedback from the REB, we will not be conducting a real Social Engineering based penetration test. Instead, we will demonstrate Social Engineering attacks using actors, and will provide strategies for combating the threat of Social Engineering in your organization. As for what we really think about the REB, there are only two words we can say. Merci beaucoup! Your input was valuable and it is something we will take with us in our future endeavors in the world of IT.
