An Experiment to Determine the Effect of Ethical Hacking on It Administrator's Patch and Vulnerability Management Attitudes, a Case of a Leading Telecommunications Company

Abstract

As the adoption of information processing and the integration of various information systems via the internet increases, so does the risk to information systems. Electronic attacks are likely via the exploitation of vulnerabilities in operating systems, web application services and applications. Consequently, vulnerability management ought to be an important and mandatory task for IT administrators. However, studies show the persistence unpatched systems. This demonstrates that vulnerability management is far from the behavioral mindset of IT administrators. While various measures like automated updates are able to contribute towards a solution, vulnerability management is a human concern. Tackling the matter thus requires a willingness to deal with it. Scientific studies have also shown that changing user attitudes and actions concerning computer security methods to be the most difficult facet of computer security management. (AUSCERT, 2006). The aim of this study was to determine the effect of simulated hacking on IT administrators’ attitudes towards patch and vulnerability management. Ethical hacking has successfully been used as a proactive information security strategy that unearths system vulnerabilities (Saleem, 2006). This research employs an experimental approach to evaluate the effectiveness of a simulated database attack to influence the attitudes of IT administrators towards patch and vulnerability management. The study found that IT administrators of the telecommunications organization had an unfavorable attitudes towards patch and vulnerability management with administrators overseeing outdated and insecure systems. The study also confirmed the ease with which unpatched systems can be exploited by hackers. However exposure to hacking had no significant effect on the IT administrators’ attitude towards patch and vulnerability management. The main reasons for this were that the IT administrators felt that patch and vulnerability management was not a strategic priority as it had not been articulated as such. Secondly, they felt that IT security was not their KPI, rather it was the responsibility of the cybersecurity team. Thirdly, they revealed that patching is not a priority as their domains have not suffered any notable attacks.