“Excel and keep quiet”: The silent ethics of ethical hackers
By Patrice CAILLEBA
Professor, PSB-Paris School of Business
& Nicolas DUFOUR
Affiliate Professor, PSB-Paris School of Business
The increasing significance of cyber threats has given rise to a new figure within organizations: the ethical hacker. The ethical hacker operates both post-threat and, more importantly, pre-threat, working diligently to prevent malicious intrusions into computer systems. The various tests they conduct ensure the security of the concerned organizations while safeguarding their data.
In this article, we delve into the silence surrounding this profession, from their training to the post-mission phase. Through a research-intervention conducted between 2020 and 2023 with 40 cybersecurity experts in the financial services sector (insurance and banking, penetration testing companies), we identified the distinct forms of organizational silence that define their activity and influence their success.
Introduction
“Despite the secret dread this man initially inspired in me,
I was keen to question him about the unusual profession he had chosen…”
Mémoires de Vidocq, Vidocq (1848, p.127)[1]
[1] Translated from French. Eugène-François Vidocq (1775-1857) became head of the Paris Prefecture security brigade after a life of delinquency and crime before setting up a private detective agency. Both his exploits and his Memoirs (Vidocq, 1828), which are more or less true, have made him the archetypal figure of the repentant criminal who in turn became a criminal hunter.
In their essay on “The Pirate Organization”, Durand and Vergne (2010) adopt the perspective of pirates to tell the story of capitalism. Far from dismissing them as mere historical anomalies, they instead characterize them as fundamental forces shaping capitalist economy. The pirate emerges as an aggressive capitalist, much as the juvenile delinquent stands as a budding entrepreneur (Gould, 1969).
Today’s pirates include hackers, who are considered to be both pirates and privateers (de Freminville, 2021), or even cowboys (Auray, 2001). In short, they are talented individuals displaying morally ambivalent behavior, as Loveluck and Holeindre (2021) point out. Hackers constitute an emic community, that is to say a group of actors who have identified themselves as hackers, a practice that involves repurposing technical objects and devices from their everyday use (Levy, 1984). However, the broad spectrum of their actions makes it difficult to categorise them, due to their inherent diversity and sometimes contradictory activities (Loveluck and Holeindre, 2021).
In his pioneering work on hackers in France, Auray (2000) defines hackers as “collectors of tricks to eliminate and bypass the normalization of use defined in the object” (p.15). In this paper, we will not examine the dual nature of hackers, whose activity, by definition situated on the fringes of legality, can be both criminal and vigilante. This ambivalence has already been studied in detail elsewhere by the authors presented earlier, who readily emphasize the darker sides of these ‘heroes’ (Levy, 1984), as well as the significant impact of the criminal activity of some of them.
In this article, we look at a particular type of hacker: namely, the ethical hacker. The emergence of ethical hackers is linked to the development of information technology and the resolution of the problems that go with it (Del-Real & Rodriguez Mesa, 2022). According to the HackerOne[1] community website, which counts over 600,000 ethical hackers worldwide, the first scheme to reward hackers for identifying problems with a computer program or operating system (known as a bug bounty program) dates back to 1983. Since then, bug bounty programs have proliferated. In 2022 alone, Chris Evans, HackerOne’s Chief Hacking Officer, claimed that the platform’s ethical hackers had resolved more than 300,000 computer flaws and vulnerabilities (Evans, 2022), while receiving more than $200 million in bounties in 2020 alone (Haehnsen, 2020).
The use of any sort of ruse is not done in broad daylight or with much fanfare (Detienne & Vernant, 1974). This is the case for the ethical hackers who fight online against the wrongdoings of cybercriminals. Silence is a necessary condition for the success of ethical hackers, but it is not the essential condition. However, this silence has not yet been addressed in the academic literature. Our aim is therefore to explore in this article what constitutes a truly silent ethic for ethical hackers.
In the first part, we will discuss the importance of cybersecurity and the silent figure of the ethical hacker. We will then present the methodology of our study, which involves a qualitative survey of 40 cybersecurity experts (ethical hackers, cyber-risk managers, etc.) before analyzing and discussing the silence of ethical hackers through their training and their work. Finally, we conclude with the managerial implications and limitations of our study.
The ethical hacker in support of organizational cybersecurity
Secrecy and the protection of strategic information were initially the concern of states before becoming that of organizations (Bronk, 2008). The advent of the telegraph in the 19th century enabled those states (primarily England) which had mastered this “Victorian internet” to establish their domination over part of the world (Standage, 1999). The emergence and development of the internet in the second half of the 20th century made this rivalry between states more complex and intense. They are now engaged in an ongoing, more or less covert war over the encoding and decoding of electronic military, political and economic information (Février, 2021). Shifting from state and quasi-public organizations to the private organizations of the market economy, the protection and security of strategic information have become necessary because of the steady increase in attacks and repeated penetrations into computer systems. There has been a twofold horizontal and vertical evolution: firstly, states have extended their concern for their own security to that of all their national stakeholders (all organizations, in general); secondly, they have extended security issues from the tangible domain to the intangible. Cybersecurity then developed (Warner, 2012) around the figure of the hacker considered as a potential threat.
Cybersecurity of organizations
Just as there is no such thing as an insurmountable wall, there is no unbreachable information system (IS) (Evans, 2001). In fact, the complexity of IS means that as the shields are strengthened, the sword becomes sharper (and vice versa). By extension, the complexity of coding systems inevitably generates design flaws or malfunctions (bugs) that can be exploited by more or less ill-intentioned individuals. Added to this is the competitive pressure that forces organizations to bring to market quickly (time-to-market survival) software programs and tools that are not always sufficiently tested. Finally, the situation of oligopolies (Microsoft, SAP and Oracle share a large part of the ERP market[2]) as well as the development of remote working (which allows employees and managers to work from home) multiply the risks on a large scale. This explains why, according to Lejeune (2022, p.320), “a cyber-attack occurs every 39 seconds in the world”. The emergence of an open-source artificial intelligence such as ChatGPT in December 2022 poses an even greater threat to the volume of these attacks. Some, such as Cornevin (2023), speak of a “digital Everest” to describe certain events that are conducive to the exponential growth of these attacks (the Olympic Games, for example).
Estimates regarding the global cost of cyberattacks on the world economy vary among institutes and national agencies, but the figures remain staggering (Freyssinet, 2022). In France, ANSSI estimates the annual global damage at $6 trillion in its latest overview of cyber threats[3]. In the U.S., Cybercrime Magazine projects the cost to businesses in 2025 to be $10.5 trillion[4].
As a reminder, the glossary of the ANSSI (French National Agency for Security and Information Systems) defines cybersecurity as “the desired condition for an information system enabling it to withstand events originating in cyberspace likely to compromise the availability, integrity or confidentiality of the data stored, processed or transmitted and the related services that these systems offer or make accessible[5]”.
Cyberattacks are distinguished by two primary characteristics (Lejeune, 2022, p.324): the “simplicity of implementation” due to the automation facilitated by computing, and the “universality of the impact on populations” through potentially affected entities, be they public or private organizations, or public or anonymous individuals.
As far as organizations are concerned, cybersecurity requires us to distinguish between two concrete dimensions of risk (Février, 2020: 84): firstly, a risk “as a vector (email, social networks, websites, etc.)”, and secondly, a risk “as a tool forming the basis of the organization’s activity (ERP, database, or Big Data)”. Without claiming to be exhaustive, Février (2020: 87) distinguishes two types of attack:
- Firstly, “thefts of strategic information”. These represent the most obvious and established threat. The DGSI[6] regularly releases updates on the latest developments to date. We propose a simplified typology of these thefts (Appendix 1).
- Secondly, “destabilizing attacks.” Building on Février’s concept of destabilizing attacks, we propose a new typology for these, which can target intangibles (R&D), procedures, tangible assets (the products themselves or the infrastructure), data, and/or individuals (Appendix 1).
Given these risks, testing the resilience and protection of information systems becomes imperative for any organization concerned with its long-term sustainability. To achieve this, organizations engage professional hackers tasked with defending them, known as ethical hackers.
From hacker to ethical hacker
The concept of the hacker has its origins in a student club set up between 1946 and 1947 at MIT (Massachusetts Institute of Technology): the Tech Model Railroad Club (Levy, 1984). The students who made up the club were keen to develop the automation of scale trains. Creativity was the key to circumventing existing technical limitations, while remaining efficient and fast. From the 1950s and 1960s onwards, computing became the essential tool for automation and programming. The idea of hacking, which had emerged in a student club with a passion for the railways, then spread to the telephone sector (Lapsley, 2013) at the same time as computing (Leeson & Coyne, 2005). But the idea of ingenuity (Loveluck & Holeindre, 2021) has remained attached to the image of the hacker, referring back to a long tradition of practical intellect already present among the ancient Greeks (Detienne & Vernant, 1974), namely the mètis, which supplements knowledge with know-how.
Yet, over time, the initial technical aspiration associated with enhancing processes at a lower cost for the greater benefit of many was altered by certain hackers for financial reasons, soon morphing into criminal intentions (Choi et al., 2019). Although the term “crackers” was coined to distinguish these individuals from the more cooperative and well-intentioned original hackers, the pejorative connotations of “crackers” eventually overshadowed the term “hacker” in the media, equating it with cybercriminal activity (Del-Real & Rodriguez Mesa, 2022).
Subsequently, given that the term hacker has gradually come to associate the notions of “tinkering” and “hacking” with that of “IT penetration”, some authors have chosen to describe the activity of hackers using color codes (Prasad, 2014; Trainor, 2006), i.e. white, grey, black and blue. White hackers are the ‘good’ hackers who carry out penetration tests on computer systems with the prior agreement of the organizations concerned; black hackers are the historical crackers, i.e. cybercriminals who exploit computer flaws for economic and/or political reasons; grey hackers are hackers who fall somewhere in between, i.e. those who work without the consent of the target organizations but without engaging in cybercrime either; finally, blue hackers are hackers who work for companies that recognize and pay them as such (Microsoft being the first to officially commit to this approach and remains the organization that officially promotes these blue hackers). This new classification does not, however, hide the permeability of the categories. Examples abound of hackers considered to be white who have become cybercriminals; or, having been cybercriminals from the outset, some end up repenting after going to prison (such as Florent Curtet, Kevin Mitnick, Kevin Poulsen, etc.).
Another classification exists based on the economic significance of the inflicted damage or the ransom demanded. Major General Boget, commander of the cyber space[7] gendarmerie, identifies three categories of cybercriminals (Cornevin, 2023: 2):
- “Those at the high end of the spectrum engage in ‘big hunting’, ultimately demanding ransoms that can reach up to 50 million dollars.
- Those at the low end of the spectrum lean towards mass delinquency, targeting the highest number of victims but with a minimal charge.
- Between these two, the mid-spectrum consists of versatile criminals who source tools from the hardcore hackers before launching an attack”.
Beyond these various attempts at classification, the last few decades have seen the emergence of a new type of hacker that goes beyond the simple figure of the white hacker, namely the ethical hacker.
An ethical hacker is recognized as an expert in combating cybercrime. They specialize in penetration testing for consenting companies to identify vulnerabilities and, if necessary, suggest corrective measures (Kubitschko, 2015). By definition, hacking implies unauthorized access to a system; in the ethical hacker’s case, however, that access takes place with the prior consent of the targeted organization and under pre-established conditions. Consequently, this practice raises numerous ethical questions, which we must now address.
Ethical hacker and silence
As Dequiré and Danvers (2021) point out, “language cannot do everything” (p.4). It is not the sole medium for conveying knowledge or skills. On the contrary, the “articulation of silence”[8] gives rise to action, whether in the workplace (Thévenet, 2008) or in school (Miennee, 2021), particularly in artistic and creative domains, as is the case with hacking. The purpose of this article is to demonstrate how silence is the very essence of the activity of ethical hackers, both in training and in the field. However, the literature remains largely silent on this dimension. The specific technical culture of this activity (Février, 2021), combined with the recent emergence and recognition of the profession (Levy, 1984), does not alone account for this gap in the literature. The reason lies elsewhere.
Until the late 20th century, silence was primarily studied from an individual perspective. For instance, in Exit, Voice & Loyalty, Hirschman (1970) explored the mechanisms and implications of silence. When confronted with a problem, silence offers the individual two options: exit or loyalty. Later, Noelle-Neumann (1974) broadened this focus to include a collective dimension with her concept of the ‘spiral of silence.’ According to Noelle-Neumann, individuals may choose to remain silent when their opinions diverge from the majority view in a given social context. This silence can unintentionally lead others to remain silent as well, thereby reinforcing and amplifying the overall silence.
Although it has only been an area of study in management science for a few decades, silence has mostly been examined from a negative perspective. Morrison & Milliken (2000), who first coined the term “organizational silence”, described it as: “Most employees know the truth about certain issues and problems within the organization but hesitate to speak up to their superiors” (p. 706). Subsequent studies have echoed this sentiment, perceiving organizational silence as fearful, individualistic, prosocial or even opportunistic (Greenberg & Edwards, 2009; Jacquinot & Pellissier-Tanon, 2021).
However, within organizations, silence shows a strong “potential for constructive ambiguity” (Anteby, 2015, p. 151). Indeed, there exists a socializing silence that is an indispensable condition for the training, integration, and even the success, of an employee in their profession and/or within a company. This positive dimension is acknowledged in the literature (Thévenet, 2012; Dubar, 2015) but is not clearly defined. In fact, it has only recently been linked to organizational silence (Cailleba, 2017). Anteby (2015) describes it as: “a routine that necessitates decisive decision-making from individuals even when they receive few direct instructions from their hierarchy, despite a context rich in normative cues” (p. 156). This routine ethic conveys the company’s practices as a set of professional values to be disseminated and implemented. It can also be acquired and transmitted outside the company, either upstream in schools or outside in a third place where a community meets (Aubouin & Capdevila, 2019).
In the case of ethical hackers, organizational silence simultaneously ensures the transmission of knowledge, the training and acquisition of skills, socialization within a community and profession, and the promotion of their experience and reputation. All these dimensions are intertwined with silence and can be broken down into three moments: before, during, and after the ethical hacking operation.
Before the assignment:
- First of all, ethical hackers need to acquire and develop the technical skills to become genuine ethical hackers, i.e. qualified and legitimate professionals. However, their training often begins in adolescence, in isolation, well before they enter higher education. Thereafter, access to training as an ethical hacker is still very limited, even though the number of such courses has grown considerably and gained in visibility in recent years in France and especially in the United States. It is the same as for security and defense training: specific selection tests on entry, requests for details of any previous criminal record, concern for secrecy and confidentiality, etc. In fact, simulating penetration tests, even during training, requires precautions to be taken.
- When a company seeks the services of ethical hackers, it does so discreetly. There are not many public tenders in this field, even if competition exists. Specialized American platforms, such as HackerOne, put companies in touch with volunteer hackers, but the contracts are not made public: neither the details of the work, the financial terms, nor the results…
- The terms of the contract are by definition covered by professional secrecy: before carrying out a penetration test, it is important to obtain the consent of the system owners as to what can or cannot be done. Going beyond the boundaries of the contract may be considered an illegal penetration.
During the assignment:
- During penetration tests, i.e., when they break into an IT system, ethical hackers have access to sensitive or confidential information about the organization (IT, financial, logistics, etc., not forgetting patents) and its employees (tax data, civil status, etc.). Professional secrecy regarding information collected directly or indirectly is essential to a successful relationship with the employer and to the continuity of the ethical hacker’s activity.
- Similarly, any vulnerabilities and flaws discovered during the operation must be reported to the client. The clear and precise communication of this information must be carried out in a responsible manner, i.e., only to the company concerned, without making it public or using it for subsequent purposes.
- Ethical hacking does not have the same legal framework from country to country: local laws and regulations rarely match, even in Europe or within federal states (such as India or the USA). It is not uncommon for ethical hackers to have to work for companies operating in different countries. The changing legal framework requires hackers to be as discreet as possible, at the request and for the good of their employer.
After the assignment:
- At the end of an assignment, the ethical hacker’s obligations do not stop. Contractually, they no longer have the right to access the client organization’s system and must cease all forms of testing. At the same time, they must erase all traces of their presence and activity.
- In addition, the ethical hacker must not divulge what has been viewed (strategic information, private data, faults and vulnerabilities identified, etc.), nor what action has been taken, nor store the data collected. Nor must they sell the data collected. Professional secrecy is de rigueur, just as it is necessary to ensure that good relations are maintained with customers.
- Nevertheless, with each new assignment, the ethical hacker’s expertise and reputation grow, as a result of their work, the type of customer they work with or the problems they have encountered and helped to resolve. The difficulty then lies in using this experience discreetly for future assignments with likely clients, i.e., in compliance with the rules of confidentiality and without being identified in turn as a target by potential competitors, or above all by criminal hackers.
At every stage of the mission, the rules of confidentiality associated with professional secrecy are strictly observed. Defined by the French Penal Code as the prohibition against disclosing information entrusted to an individual by virtue of their status, profession, mission, or role (see below), professional secrecy places significant responsibilities on those bound by it. The following sections will explore its implications for ethical hackers.
Methodology
By definition, conducting research into what is concealed and illegal is both difficult in terms of accessing the data and problematic in terms of approaching the people involved (whether victims, perpetrators or ‘guardians’, in this case ethical hackers). The concern for confidentiality (Gueno, 2016) is then layered on top of the concern for professional secrecy. As investigators faced with secrecy, our approach enhances the limited number of studies conducted in France on the subject of hackers (Février, 2020; De Freminville, 2021).
Our study is part of an action research project involving a longitudinal investigation of the banking sector between 2020 and 2023. The aim was to help the companies concerned (Royer & Zarlowski, 2014) deal with a cybercrime problem, while ensuring confidentiality. During this assignment, we were able to conduct interviews with 40 cyber-security experts (see details of the profiles in Appendix 3), totaling more than 48 hours of recording and 112 pages of transcripts.
Each session lasted 1 hour and a total of 40 employees from a French financial services company took part over a six-month period in 2023/24. Our role in the interview process was to supervise the discussion sessions with each of the experts we met. The panel was selected on the basis of experts who had worked or were working as ethical hackers or directly with ethical hackers in the course of their duties:
- Internal teams of the entity under study;
- External ethical hacking teams engaged by the company under study.
A semi-structured interview questionnaire was designed, addressing several knowledge-based items:
- The role of the ethical hacker, their missions, responsibilities, and scope of intervention.
- The involvement of the ethical hacker and their feedback on their intervention: what is made visible and what is not.
- The challenges faced by ethical hackers in carrying out their duties and the factors facilitating their intervention.
Lastly, the final phase of interviews was open-ended and aimed to collect feedback from employees on cases they had encountered in the context of ethical hacking. This anonymous method enabled effective sharing of real practices. We illustrate each ‘silent’ moment (before, during and after the assignment) with examples taken from our field study. Once the data had been collected, it was transcribed, resulting in over 96 pages of compiled responses. These transcriptions were then analyzed using NVIVO© content analysis software. The thematic analysis was carried out using a deductive approach based on the interview grid described above.
Loveluck & Holeindre’s (2021) recent review of the literature on this topic highlights a world of hackers dominated by the male gender, who tend to be young and middle class, which “in part favors the construction of a hacker identity based on exploration, internal competition and transgression” (Ensmenger, 2015, p. 55). Our study was no exception. Indeed, most of the ethical hackers on our panel were male, with initial professional experience in technical IT fields.
Analysis and discussions
Beyond the justifiable emphasis on confidentiality, complemented by the imperative of professional secrecy, the unspoken ethic is central to the training and socialization of ethical hackers, as well as to the execution of their tasks and the enhancement of their reputation.
Silence during training and before the assignment
The literature currently provides limited firsthand accounts of ethical hackers regarding their early formative years. Among them, Ankit Fadia (Trainor, 2006) stands out as a pioneer, having published a book on the subject in his teens (Fadia, 2007). Nonetheless, the literature is more extensive when discussing the early years of hackers in general (Larribeau, 2019), and especially of criminal hackers (Mitnick, 2011; Curtet, 2023) who later transitioned to ethical hacking after being imprisoned. Looking back on their early years, they corroborate Auray’s analysis on the emergence of hackers, who in the early 2000s classified hackers into “three distinct user groups” (Auray, 2001: 80):
- “Passionate, evangelistic self-taught users socialized within micro-computing ‘clubs’.
- Telematics[9] enthusiasts around clandestine electronic servers.
- Programmers, most of whom are self-taught, who [reject] the rules of intellectual property practiced by software publishers”.
Among the ethical hackers interviewed in our study, most began their professional journey during adolescence as isolated, passionate amateurs who gravitated towards programming. Half of our panel began their expertise in IT and cyber security even before officially starting a career in the world of ethical hacking. As this interview with M.A., a hacker for a penetration audit company, illustrates (interview 1): “Before I became an ethical hacker, I was simply a hacker, doing it for fun at first, what some people call ‘script kiddies’. Then I realized that with a few qualifications and training, you could make a career out of it and give meaning to what I loved doing. So, I joined a firm specializing in penetration audits”.
More so than in other professional apprenticeships, the silence that puts ethical hackers to the test during their training “calls into play the categories of what is permitted and what is forbidden” (Déquiré & Danvers, 2021, p.4). M.T (interview 2), a computer penetration researcher for a security audit firm, confirms this aspect: “My training focused on what is known as ‘pentesting’, short for ‘penetration testing’, which consists of being trained to find flaws in companies’ security systems by applying technical penetration protocols or by applying social engineering techniques in which the targets under attack themselves give us the means to break into their systems, provided we ask them the right questions. We are trained to comply with an ethical framework and to remain alert, always with a laudable objective in mind: to help our customers progress by closing off entry points and alerting them to the steps they need to take to improve their security. The training places a great deal of emphasis on these safeguards, so as not to train attackers who might drift into criminal practices”.
What these budding ethical hackers also have in common is a desire to share source code, while retaining a do-it-yourself spirit and rejecting the market economy through greater cooperation (Lallement, 2015). Hence the importance of keeping their activities discreet via the networks they maintain and through relationships based on recognition for the initial work accomplished and commitment to these values.
This point is emphasized by M.G. (interview 3), an expert in social engineering techniques in a consultancy firm: “We do a lot in the background, but we’re also part of a community. We do a lot of sharing of tips and tricks, because there’s always a good idea for a phishing email that someone else has thought of and that we can use again in a test exercise requested by a customer. Also, the profession is evolving a lot and we have to keep up to date with the latest techniques, the security and controls implemented, and the loopholes yet to be exploited. This gives credibility to our work as ethical hackers, because that’s also what malicious attackers do: look for loopholes and how to exploit them in companies. We do it as ‘white knights’, they do it for less honest reasons, but we sometimes use similar methods to obtain information”.
One of the few French studies (Larribeau, 2019) on the socialization of hackers[10] places very little emphasis on their formal university education, which, although it exists, is often overlooked. In any case, “adolescence seems to be the turning point (…) for ‘practical learning’ (…) in ‘self-training’” (Larribeau, 2019, p.62-63), for an individual who is a “valiant hacker” (Cornalba, 2013). The democratization of computing with the development of the Internet is encouraging the emergence of the figure of the professional amateur (Flichy, 2010). In addition, the importance placed on self-learning helps to guarantee the ability to adapt to ever new and increasingly complex technical problems.
However, since the beginning of the 21st century, the socialization and training of ethical hackers and cybersecurity professionals has become highly vocational, with state-approved diplomas and recognized certifications. In the United States, there are now several hundred Bachelor’s and Master’s degrees in this field[11]. Similarly, in France, rankings of the best master’s degrees specializing in cybersecurity have been published for some years now[12]. In Sociologie du numérique (“Sociology of the Digital Age”), Boullier (2019) emphasizes the two pedagogical models developed in these digital schools, which combine traditional teaching with teaching based on projects, context and action. Here, silence does not mean absence or withdrawal, but socialization, the creation of links and preparation for learning (Miennee, 2021). This also happens at the recruitment stage in these schools, where professionals from the public or military spheres come to select young profiles on condition of anonymity.
In our study, most of the people we spoke to had attended schools specializing in cyber security, as well as specialist certification courses. As M.T. explains (interview 2): “I went to an engineering school with an integrated preparatory course. Then, after my Master’s and my internship in a digital services company, I decided to specialize by taking a certification course in cyber security. After my certification, I was offered 5 permanent jobs as an ethical hacker. I started with a small firm because you get to work on broader assignments and you can also benefit from more technical certifications in ethical hacking”. This point is backed up by M.H., a system hacker (interview 4): “Being an ethical hacker is a vast field; there are 70 different professions. Some people have a broad vision, others are pure technicians. You never have the training for everything you need to test, but there are a lot of short courses and specialist certifications. So, we see all kinds of training”. These comments are completed by those of M.L. (interview 5), an ethical hacker working for a specialist firm: “I trained primarily as a network and systems administrator. It’s a technical background, but also an organizational one, which some would describe as engineering. But I don’t claim to be an engineer. Above all, you need to have an understanding of what an information system is and understand that it is infinitely more cross-functional and wide-ranging than what many people trivially summarize as ‘IT’”.
While discretion and silence are a prerequisite for the learning and training of hackers, the same applies to companies. Using the services of ethical hackers is not something you do with a lot of fuss. In fact, there is a real risk of inappropriately focusing attention on a system that is judged to be flawed and perfectible and, in any case, hackable. M.U-D, Risk Manager (interview 26) in charge of cyber security risks in a financial services company, agrees: “We never say that we are calling in computer attackers, so as not to create moral uncertainty and, above all, so as not to give rise to a temptation to over-accident, where everyone would want to attack us in order to make themselves known and sell their services. We therefore use companies that are listed and certified by the Agence Nationale de Sécurité Informatique [National IT Security Agency] on a confidential basis, because we know that this is a guarantee of trust. We also avoid giving out too many details at the outset, even to our cyber insurer or to our partners who audit us in this area. We do, of course, have penetration reports and audit trails, but they operate in the shadows and are revealed in a restricted circle of confidentiality including governance and our partners’ specialist auditors”.
This can take the form of a call for tender or more direct consultation for shorter assignments. As an Information and Data Security Manager explains (interview 27): “For a long time, we put out annual invitations to tender to choose penetration audit firms. Then we decided to change our approach and look for ethical hackers who were more motivated to carry out continuous testing. We use a ‘cyber security researcher’ platform. Yes, that’s what we call them! There are several thousand of them listed on the platform, and there’s a ‘wallet’ that we top up with bonuses paid out that we release if a hacker has found a vulnerability in our sites, applications or systems. The bounty can range from €300 to €3,000, depending on the gravity of what they have found. Our position is that without this, there will always be malicious hackers ready to attack us and sell the information about our vulnerabilities to criminals. It will cost more if we are held to ransom or our business is interrupted. So, we might as well pay less to continuously correct vulnerabilities! Of course, we check that cybersecurity researchers have found real flaws and we even pay for them to attack ex-post the implementation of patches to check that our patch management is sufficiently robust”.
Some tender processes are vague about the tasks involved and the final cost of the service. It is only once the service providers have been selected and discussions/negotiations have begun that the ethical hackers selected can begin to consider the complexity and detail of the task. The risk manager (interview 28) interviewed during our research said: “We don’t detail the flaws we expect to be exposed, the calls for tender remain generic and we give them carte blanche to find things, without, however, going into everything from a system point of view. Even with short-listed, referenced companies, we don’t want to reveal elements in the event that those responding to the call for tenders are a little disappointed and decide to show that they have found loopholes better than the others. Which would of course lead to a serious situation”.
Some more transparent matchmaking platforms do exist, but they are mainly used by large companies in France. The previously mentioned risk manager (interview 28) regrets this: “Yes, we have the critical mass, as a medium-sized company with over 5,000 employees, to use these platforms. It depends on the scope, what we want and the level of depth. But it’s not uncommon to have a budget of €150,000 for penetration audits and to choose several companies to compete for different assignments or even penetration ‘challenges’. The aim, of course, is to uncover something in the context of an IT project, for a new application, or for applications that are being upgraded, that would not have been seen during the acceptance and associated security testing phases. We wait for the go-ahead at the end of the penetration assignment before going into production. This requires time, resources and a common understanding of the benefits of these procedures. While this can be time-consuming for some projects, even the marketing department understands that this is better than closing down an application that has recently been put into production because of security flaws”.
As one of the interviewees, Mr. EG, explains: “We remain discreet about our needs and work exclusively with organizations approved by ANSSI, the French National Agency for Information Systems Security, which publishes a catalog of companies it considers trustworthy. Naturally, caution is paramount, but we go further: we request detailed profiles of the individuals involved in the testing, even if anonymized. This allows us to ensure they have the required expertise to prevent any errors, as we are operating in a real-world environment, rather than a test setting. Relationships are built on this foundation, and we also leverage our own network of trusted providers from this list. Additionally, the cybersecurity community, particularly the network of CISOs, enables us to share key information about who can be trusted and who cannot.”
Similarly, as Mr. J recounts: “On one occasion, we had reservations about a consultant who was undeniably skilled but completely unknown to anyone. This individual had recently set up their own company and had just been added to the approved list. We requested a few professional references, which took some time to verify. Initially, we chose not to work with them. Understandably, they were disappointed, but accepted our decision. Two years later, we brought them on board as one of our external testers, and they turned out to be far more effective than some of the more established professionals. They uncovered issues no one else had considered, such as a real-life incident where an employee was leaking confidential data bit by bit by embedding small-format files in email signature attachments. Each signature was just a few kilobytes larger than standard email signatures. Once we noticed it, the anomaly was glaringly obvious, but it required someone to think to look for it. None of our tools or previous tests had flagged this issue, even though it involved a clear case of data leakage.
This example highlights the importance of obtaining references, exercising caution, and occasionally taking risks. Had we engaged this tester two years earlier, we might have mitigated this internal data leak, which continued for more than three years. After such an experience, you naturally develop greater trust and become more inclined to give a chance to someone from a smaller, lesser-known company.”
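The leak Mr. J describes above is obvious once someone looks for it, and the point of his story is that nobody's tooling did. As an added example, not part of the article and not the tooling of any interviewee, the following Python script shows one way of looking for it: it baselines the size of the signature attachment on outbound mail per sender and flags senders whose signature is consistently a fixed amount larger than the company norm. The mail-gateway export format, the thresholds and the sample log entries are constructed assumptions for the example.

```python
"""Detect slow data leakage hidden in e-mail signature attachments.

Added example, not code from the article or from any interviewee's
organization. It assumes a hypothetical mail-gateway export in which each
outbound message is recorded as (sender, recipient, signature_bytes), where
signature_bytes is the size of the inline signature attachment (logo image
or vCard) the mail client adds to every message.
"""
from collections import defaultdict
from statistics import median

# Constructed sample of such an export. Normal signatures in this fictitious
# company are about 4 KB; one sender's signature carries an extra 2-3 KB on
# every message, which is the pattern the interviewee described.
SAMPLE_LOG = [
    ("alice@corp.example", "partner@ext.example", 4096),
    ("alice@corp.example", "other@ext.example", 4101),
    ("alice@corp.example", "third@ext.example", 4090),
    ("bob@corp.example", "x@ext.example", 3990),
    ("bob@corp.example", "y@ext.example", 4010),
    ("carol@corp.example", "z@ext.example", 4050),
    ("dave@corp.example", "drop@ext.example", 6400),
    ("dave@corp.example", "drop@ext.example", 6950),
    ("dave@corp.example", "drop@ext.example", 7100),
    ("dave@corp.example", "friend@ext.example", 6600),
]


def baseline_signature_size(log):
    """Company-wide baseline: the median of each sender's median signature
    size. Medians are used at both levels so that one abusive sender who
    mails a lot cannot drag the baseline up towards their own size."""
    per_sender = defaultdict(list)
    for sender, _recipient, size in log:
        per_sender[sender].append(size)
    baseline = median(median(sizes) for sizes in per_sender.values())
    return baseline, per_sender


def flag_oversized_signatures(log, excess_bytes=1024, min_messages=3):
    """Return {sender: (median_size, excess_over_baseline, message_count)}
    for senders whose signature attachment is consistently larger than the
    baseline.

    excess_bytes: how far above the baseline counts as suspicious (assumed).
    min_messages: demand a repeated pattern rather than one odd message.
    The consistency check requires every message, not just the median, to
    exceed the baseline by excess_bytes: a smuggling signature is oversized
    on each message, whereas a one-off large signature is noise.
    """
    baseline, per_sender = baseline_signature_size(log)
    flagged = {}
    for sender, sizes in per_sender.items():
        if len(sizes) < min_messages:
            continue
        sender_median = median(sizes)
        excess = sender_median - baseline
        if excess >= excess_bytes and min(sizes) - baseline >= excess_bytes:
            flagged[sender] = (sender_median, excess, len(sizes))
    return flagged


def estimate_leaked_bytes(log, flagged):
    """Rough volume smuggled out per flagged sender: the sum over their
    messages of the signature size in excess of the baseline."""
    baseline, _ = baseline_signature_size(log)
    return {
        sender: sum(size - baseline for s, _r, size in log if s == sender)
        for sender in flagged
    }


if __name__ == "__main__":
    hits = flag_oversized_signatures(SAMPLE_LOG)
    for sender, (med, excess, n) in hits.items():
        print(f"{sender}: median signature {med} B, +{excess} B over baseline, {n} messages")
    print("estimated bytes leaked:", estimate_leaked_bytes(SAMPLE_LOG, hits))
```

The rule is deliberately per-sender and not per-message: a single oversized message is unremarkable, whereas a signature that is a few kilobytes too large on every message for years is the signal Mr. J's tester found. In production the baseline would be computed over a longer window and per mail client, since different clients attach signatures of different sizes.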
While discretion is the rule when choosing or even using penetration audit service providers, the same applies during the assignment to ensure effective detection and the ability of the teams to respond quickly.
Silence during the assignment
The literature (Alsharaa et al., 2023) identifies five distinct stages in hacking. Some authors (Hertzog et al., 2017) note that the methods used by hackers may vary around these five stages, even though the majority of ethical hackers follow them. In our study, the ethical hackers interviewed followed these stages in sequence. By way of illustration, we provide an example of a typical hacking report outline (Appendix 2) and the main software used[13]. We organize this section around these stages, which shape the progress of the ethical hacking assignment insofar as silence determines the success of each stage and the transition to the next.
- Reconnaissance: the hacker collects information about the targeted IT system. A cybersecurity analyst working for an auditing firm describes this stage in more detail (interview 6): “Before attacking, as the media say, we start by finding out about the company, gathering a lot of information by doing what we call OSINT (Open-Source Intelligence) research. It’s always striking to see how much free data and information you can find on companies. This ranges from corporate communications about major projects or the company’s organization chart, to major events or small everyday meetings posted on professional or personal social networks but in a public profile. Sometimes there are even confidential internal documents such as PowerPoints or meeting minutes that employees have put on a cloud archive in a public profile, thinking they were only sharing with colleagues. Even before attacking, we sometimes have alerts to raise. We include this in the report and indicate how it was used to prepare for a penetration test! This enables us to raise the awareness of the teams, and not just on the technical side. 80% of my job consists of identifying the possibilities provided by the customers themselves; for the rest, the technical side comes into play”.
- Scanning: The hacker evaluates and scans the network (identifying open or closed ports) to find vulnerabilities that allow penetration into the system. A cybersecurity engineer at a specialized firm explained this stage (interview 7): “We conduct vulnerability scans, which allow us to discreetly identify potential entry points. We assess how these vulnerabilities could be exploited. Sometimes it’s straightforward; they’ve spent lots of time securing the main entrance but overlooked other doors. At times, it requires more effort due to numerous defenses, but none are truly insurmountable. We ensure our actions remain covert to prevent raising any suspicions, as it would terminate our mission and put the response teams on high alert.”
- Gaining Control: The aim here is to penetrate the system and take control. An information systems auditor detailed this stage (interview 8): “After running my vulnerability scanning software on the applications I found to be most critical from web and dark web research on a target company, I employ various attack methods. These can range from ‘credential stuffing’, where I generate thousands of password combinations to access a user profile, to classic ‘phishing’ or ‘vishing’ techniques which still prove very effective. Sometimes, a simple protocol attack suffices. Many clients have open spaces without realizing it. All you need is the right URL and you’re into the SaaS (Software as a Service) tools! It’s always surprising, but companies are often cyber-targeted due to configuration errors or mistakenly deploying incorrect versions of their applications. ‘Versioning’ is a significant risk in projects: when an application has been modified 18 times using an agile method, errors can occur at this stage, especially when management rushes to meet their production deadline. We capitalize on such oversights. It’s our job to identify these.”
- Maintaining Access: The hacker establishes persistence (backdoors, additional accounts, disabled defenses) so as to keep control of the compromised system and, if need be, use it as a relay for further attacks; such a compromised machine is sometimes referred to as a “zombie” system. This is explained by M.F (interview 9), a cybersecurity consultant for a cyber crisis analysis firm: “Once inside the victim company’s systems, we attempt lateral movements from one machine to another. The goal is to remain undetected and avoid leaving any indicators of compromise, to use the industry term. At least, we stay silent until we’ve achieved what we call privilege escalation, which involves transitioning from an ordinary user to an administrator machine. This allows us to disable standard security measures like antiviruses and alerts and deploy the ‘malware’ we can then easily download to encrypt servers and workstations.” M.H, a system hacker (interview 4), confirms this: “It goes even further; I try to go unnoticed even after the system is under control and encrypted. I continue to work my magic to see how long it takes for the client to detect my presence, encrypting more and more data and workstations. My only indication of presence in these tests is to leave an executable file with a ransom note in exchange for a decryption key. While this technique is well-known, we also apply it in our testing environment (a reconstituted real-world setting) to gauge how far we can go and if the client’s operators notice before it’s too late. Silence is our guiding principle, much like malicious hackers who only reveal their hand when certain they won’t receive a ransom. This makes our tests credible.”
- Clearing: once the attack has been carried out, the hacker erases all IT traces so as not to be followed or identified. M.K, a cyber attacker and forensic analyst for a specialist firm (interview 10), helps to clarify this crucial stage: “My job involves detecting the traces of attackers in penetration tests, but also in real cyber crises where companies have been caught out. When I do a forensic investigation, I put myself in the shoes of my former career as a hacker and say to myself ‘what would I have done to be sure of two things’: not to be detected and, if detected, not to be found. These two approaches consist on the one hand of making yourself invisible once you have entered a system. Making as little noise as possible means only accessing strategic or economic data, without seeking to exfiltrate mass data, which will be detected. The technique consists of scanning the files and identifying the most interesting one, the one that will be valuable for ransom or for competitors and third parties. A small Excel-type file containing a list of customers and their contact details is more interesting than a database of thousands of customer records, which would take an hour to extract. So we prefer to take our time, even if it means spending 3 to 6 weeks quietly trespassing, just long enough to do our homework. As for making ourselves invisible once the attack is over, it’s quite simple: we attack from a pool of machines on private virtual networks, hosted outside Europe, and we’re sure that we’re sending out false leads, what we call a ‘honey pot’, a kind of virtual machine that tries to make you think you’re in Poland or Germany, for example, when in fact you’re in France. If I were to use an image, I’d say that once I’m in the castle, I don’t leave with the king’s chest but just with a few valuable rubies so that I can leave quickly and silently, without being seen even once I’m out of the castle!”.
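The scanning and password-guessing activity described under the scanning and gaining-control stages above is precisely what the interviewees say a response team must not notice, since noticing it ends the engagement. As an added example, not from the article or from the firms interviewed, the following Python script shows the two simplest detections such a team runs, applied to constructed firewall and SSH authentication log lines: a sliding-window count of distinct destination ports per source and destination, and a sliding-window count of failed logins per account, with a successful login shortly after a failure burst singled out as the case where the guessing apparently worked. The log formats, thresholds and sample lines are assumptions made for the example.

```python
"""Noisy-attacker detections over constructed log lines.

Added example, not from the article. The log formats, thresholds and sample
lines below are assumed for the example and are not any vendor's format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical firewall line: "<iso-ts> ALLOW|DENY src=<ip> dst=<ip> dport=<port>"
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
# Hypothetical sshd line: "<iso-ts> sshd: Failed|Accepted password for <user> from <ip>"
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

# Constructed sample: one source sweeps 12 ports on one host in 12 seconds,
# while a legitimate client only ever talks to port 443.
FIREWALL_LOG = [
    f"2024-03-01T12:00:{i:02d} DENY src=203.0.113.7 dst=10.0.0.5 dport={p}"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443])
] + [f"2024-03-01T12:0{i}:30 ALLOW src=198.51.100.2 dst=10.0.0.5 dport=443" for i in range(5)]

# Constructed sample: seven failed logins on a service account in seven seconds,
# then a success from the same source; plus one ordinary typo by a user.
AUTH_LOG = [
    f"2024-03-01T12:05:{i:02d} sshd: Failed password for svc_backup from 203.0.113.7"
    for i in range(7)
] + [
    "2024-03-01T12:05:08 sshd: Accepted password for svc_backup from 203.0.113.7",
    "2024-03-01T09:10:00 sshd: Failed password for alice from 10.0.0.20",
    "2024-03-01T09:10:07 sshd: Accepted password for alice from 10.0.0.20",
]


def _max_in_window(events, window_s, measure):
    """Slide a window of window_s seconds over sorted (timestamp, value)
    events and return the largest measure(values_in_window) seen."""
    events = sorted(events)
    best, lo = 0, 0
    for hi in range(len(events)):
        while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
            lo += 1
        best = max(best, measure([v for _, v in events[lo:hi + 1]]))
    return best


def detect_port_scans(lines, min_ports=10, window_s=60):
    """Return {(src, dst): distinct_ports} for every source that touched at
    least min_ports distinct ports on one destination within window_s seconds."""
    per_pair = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts, _action, src, dst, port = m.groups()
        per_pair[(src, dst)].append((datetime.fromisoformat(ts), int(port)))
    hits = {}
    for pair, events in per_pair.items():
        distinct = _max_in_window(events, window_s, lambda ports: len(set(ports)))
        if distinct >= min_ports:
            hits[pair] = distinct
    return hits


def detect_password_guessing(lines, max_failures=5, window_s=300):
    """Return (bursts, compromised). bursts maps an account to the largest
    number of failed logins seen within window_s seconds when that number
    exceeds max_failures; compromised lists accounts from bursts that then
    logged in successfully within window_s seconds of a failure."""
    failures = defaultdict(list)
    successes = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, result, user, _src = m.groups()
        t = datetime.fromisoformat(ts)
        if result == "Failed":
            failures[user].append((t, 1))
        else:
            successes.append((t, user))
    bursts = {}
    for user, events in failures.items():
        n = _max_in_window(events, window_s, len)
        if n > max_failures:
            bursts[user] = n
    compromised = sorted({
        user for t, user in successes
        if user in bursts
        and any(0 <= (t - ft).total_seconds() <= window_s for ft, _ in failures[user])
    })
    return bursts, compromised


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FIREWALL_LOG))
    print("password guessing:", detect_password_guessing(AUTH_LOG))
```

The thresholds are the tester's adversary: the scanner in interview 7 who wants to "remain covert" stays under min_ports per window by spreading the sweep over hours, and the auditor in interview 8 stays under max_failures per account by rotating accounts rather than passwords, which is why a real deployment also counts failures per source address and distinct ports per source across all destinations.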
If silence during and at the end of the penetration is crucial, it remains equally paramount afterward, as observed in our interviews.
Such observations are reinforced by Mr. UT, who explains: “In our profession, it is widely understood that those who boast never last long. Platforms listing hackers are extremely selective, and, ultimately, our livelihood depends on working in the shadows. It is also crucial to remember that our activities are closely monitored by authorities. I recall a case involving a young ethical hacker who decided to post tutorials on social media, demonstrating how to perform penetration testing, or even create phishing campaigns and ransomware. Needless to say, despite attempts within the community to dissuade him, his actions set a ‘precedent’ when he became the subject of a police investigation, resulting in his work being confiscated or taken down. Discretion is therefore essential, as our primary role is to defend organizations and companies and to protect client data. There are, of course, some well-known hackers, such as the late Kevin Mitnick, who became famous for hacking the FBI. However, such cases are dated, and today, high-profile figures of this kind typically work for companies without disclosing the details of their missions or clients, precisely to safeguard mutual interests.”
Silence after the assignment
Generally speaking, once their work is done, self-employed entrepreneurs, employees and managers consider it normal to capitalize on what they have achieved. Both internally and externally, employees seek to strengthen their reputation and enhance their curriculum vitae. This ‘personal branding’ consists of promoting one’s skills and achievements with a view to becoming a “recognized brand” in the eyes of future clients or employers. The success of a project, whether tangible or intangible, must be seen and recognized by as many people as possible, especially when the tasks carried out contribute to the common good and civil society.
In the case of an ethical hacker, this is made difficult, if not impossible, by the professional secrecy that has imperfectly regulated the profession to date. As a reminder, article 226-13 of the French Criminal Code states that a person is subject to professional secrecy “either by virtue of their status or profession, or by virtue of a position or temporary assignment”[14]: violating this secrecy carries a penalty of one year’s imprisonment and a €15,000 fine. In these four situations (status, profession, position and assignment), a regulatory or legislative text (decree or order) must indicate that professional secrecy applies by law:
- A 2004 circular[15] pertaining to various religious faiths outlines the duties and obligations “by status” concerning priests, rabbis, imams, pastors, etc.
- A regularly updated list of “professions” identifies those subject to these obligations. These are mainly in the healthcare sector, internal (police and gendarmerie) and external (military) security, accounting, etc.
- In the context of certain “assignments” or “functions”, specific professions are concerned. These include civil servants and some healthcare professions, as well as other jobs involving work with vulnerable populations (children, disabled people, etc.), people on the margins of society (social rehabilitation, etc.) or at-risk individuals (prisoners, etc.).
In practical terms, an ethical hacker may be bound to professional secrecy by virtue of their assignment (as a service provider for a public health body, for example) or by virtue of their function (as a civil servant). For the time being, however, they are not subject to professional secrecy as a profession[16]. In practice, the same ethical hacker may work under contract for an organization with a public mission, which will oblige them to observe professional secrecy, and then for a profit-making organization with no public-interest mission, and therefore no obligation to observe professional secrecy. But given that the private client will have the same requirements as the public client in terms of security and data protection, the ethical hacker will have to offer the same guarantees of secrecy. However, in this case, professional secrecy is more a matter of practice and contractual agreement than a professional obligation.
This was explained by M.V, cyber security risk manager at a bank (interview 29): “We never reveal to the risk committee or the board of directors which firm or which hacker has found which sources. There are three reasons for this: firstly, we want to be able to continue working with the right people in the future; secondly, this is one of the reasons that motivates our ethical hackers to perform well, because sometimes they find flaws that are so significant that online banking or ATMs may have to be shut down for several days, and we don’t want them to be worried by the management of their penetration audit firm because they were too good and the bank, which is a major client for them, changes the firm; thirdly, we know that discretion is the order of the day when it comes to where the information comes from. We don’t want the risk and cybersecurity department to be undermined because it has done its job. Businesses (project managers, marketing managers, operational managers) don’t always like it when we find flaws in what they’ve been putting in place for months or years (…). We sometimes throw a spanner in the works with our penetration audits. Our audits sometimes detect real penetrations resulting in data breaches for our customers. So, we don’t want anyone to know who found what when, even after an assignment has been completed”.
These remarks are further elaborated by Mr. IG, who explains: “When clients engage ethical hackers like us, it is usually for testing or hacking demonstrations designed to create a ‘wow’ effect. The goal is to show employees what a remote takeover of a messaging system or a low-noise attack might look like—for example, extracting information without leaving a trace. Employees generally remember such demonstrations and become more vigilant. As a result, we are often involved in training sessions and workshops during ‘Cybersecurity Awareness Month’ […].
We do not reveal our names or provide details beyond the company we work for, and we commit to refraining from having professional social media profiles that mention our employer. This makes it difficult to trace us. We introduce ourselves only by our first names, which are often changed for the mission or awareness session. A colleague of mine, a hacker renowned for his skills, once told me quite plainly that he avoids seeking recognition in this profession, at least not while he is actively engaged in operational work.”
In detail, Mr. KJ explains: “I exercise great discretion when working onsite with clients, even though many assignments are conducted remotely. This heightened caution stems from the risks involved: our equipment could be stolen, and we may encounter situations that put us in compromising positions. Once, following a cybersecurity awareness session, an employee offered me a bribe to help him retrieve sensitive data. I had to report this to my management, as it constituted an attempt to corrupt me and exploit my expertise. My manager informed the client company, which understood the situation and appreciated our vigilance. They even thanked us for our diligence and did not hold it against us. Unfortunately, I was no longer allowed to work with that company, which was disappointing. Being a cybersecurity consultant is just a temporary phase, and I could have seen myself transitioning into a role there. This incident, however, highlights how isolating our profession can be when we are committed to upholding its ethical standards.”
Furthermore, ethical hackers are not allowed to keep records of what they have done, nor are they allowed to sell it. Nor is there any “information sharing” (Verdier, 2007) as is possible in some professions. There is also the danger of having strategic information stolen by malicious hackers. Finally, keeping certain records makes it possible for them to be seized by “an investigating judge, or even a judicial police officer at the preliminary or flagrante investigation stage (…) [in] the search for the truth” (Verdier, 2007, p.13). M.Y., Cyber Security Manager in an insurance company (interview 30), confirmed an instance when an ethical hacking firm was compromised: “We’ve already had to deal with a case where even the ethical hacking firm had been hacked by a fake client who issued a false call for tenders to recover penetration test data from companies that had called on this firm regarding possible data breaches. They even managed to copy the hacking tools used by the company providing the services. Since this kind of industry scandal, even if we’ve not had any impact, we make sure that we only work with firms that purge the test result data and send us the report in secure format, keeping no trace of what they’ve revealed once the test period itself is over”.
As we have shown, the obligation of professional secrecy requires the ethical hacker to commit on multiple levels: morally and contractually to their clients, ethically to their profession, and legally, both in civil terms (damages and compensation) and criminal terms (fines and imprisonment). However, this secrecy differs from organizational silence, in that it represents only one aspect of it, as demonstrated through these three stages. Professional secrecy involves a commitment to specific stakeholders, whereas organizational silence reflects a broader ethos, a shared practice common to all ethical hackers. In this sense, the silence of hackers encompasses professional secrecy while extending to a wider obligation of discretion.
However, ethical hackers still need to promote their success and experience. Official communications, such as the press conferences held by certain organizations following computer system breaches, can help to highlight their activities while preserving their duty of silence. Such communications are all the more necessary as they make the work of ethical hackers visible and make shareholders and civil society more aware of cyber threats (Chen et al., 2022). The testimony of Mr Ti, a partner in a cyber security firm (interview 10), confirms this: “There’s no glory in our profession. People will never say ‘thank you, you’ve found something major’. We generally only report bad news and that’s what we get paid for. Our penetration reports are confidential, often technical reports, intended for IT security managers, who rework them before their conclusions are shared in a language that can be understood by risk managers and the governance of client companies. Our work is therefore not visible, and their ‘internal’ versions often don’t even mention what our firm has found. I even once had a client ask me to formalize the penetration report by talking about a supposed competitor company, to really cover up the flaws they were expecting to find. It was so touchy that we removed all traces suggesting an exchange with them and the contacts were even made to an email address not related to their brand. This may seem surprising, but when you’re talking about a company of this critical size, you can’t afford for flaws to be revealed, even after they’ve been corrected. Cyber-attacks get a lot of media coverage, so we don’t take any risks”.
The visibility of ethical hackers’ work operates at multiple levels, as revealed in our interviews. For instance, in discussing the delivery of test reports, which serve as auditable evidence, M.O. observes: “My tests are not always returned to me in detail regarding their outcomes. However, I know that cyber insurers require precise formalization as part of their conditions for insuring a company. Test reports must be documented and made visible to governance bodies and operational teams, who either accept or reject a risk and must demonstrate that they have acknowledged the incidents or vulnerabilities I identified during the tests. On one occasion, I was called in to support the risk management functions during an audit because no one could explain how I managed to detect in a single day a vulnerability that had existed for years but had never been identified. There is, therefore, real recognition of my work, and it often involves a pedagogical dimension. Of course, we do not disclose all our tips and techniques, as these form part of the services we provide. However, once a vulnerability is found, we share extensive details. Significant attention is given to our formalized reports, which are shared with IT and security teams, auditors, risk management teams, and sometimes even with internal decision-makers at our clients’ organizations”.
These comments are further elaborated by M.F., who states: “When assisting a corporate client during a cyber crisis or an IT outage, the first instinct is to request access to the ethical penetration testing reports that were conducted. In four out of five cases, we find that the ethical hackers were correct in their assessments, having identified vulnerabilities and flaws, and often explicitly warning about the urgency of addressing these issues. It is somewhat frustrating, however, as we also notice that the distribution list for these reports is often too limited for them to be properly used. Another challenge arises when there are too many tests, and even a brilliant report gets lost among a sea of less relevant reports, which undermines the value of the work performed. Additionally, a common issue is that the detailed results of the tests are not always communicated clearly and are instead buried in aggregated reports from CISOs and Risk Managers. These reports often share the overall outcome of the campaign but may not necessarily highlight the key findings or the most important points. Some argue that this is too technical, but it’s not necessarily so—it simply requires a willingness to understand the stakes! Ethical hackers may be seen as working behind the scenes, but the foundation of their work is to leave behind a report that clearly outlines what they identified, how they identified it, and whether or not it was addressed”.
The European DORA[17] regulation also mandates the formal documentation of test results and their communication to the competent sectoral supervisory authorities, which attest that the tests were carried out in accordance with its requirements. Thus, within the European institutionalization of ethical hacking through DORA, there is a stronger emphasis on increasing the visibility of ethical hackers’ roles, albeit within a controlled and highly specific regulatory environment.
Finally, the ethical hackers we interviewed emphasized the importance of staying connected with one another and being part of a community. As M.HF explains: “I am never alone in my job. Sure, when I’m conducting tests, I need to focus, but I work within an organization. Even when I was a freelancer subcontracting for a well-known ethical hacking platform, I was part of an ecosystem—I learned from experts and built up my network, both in terms of skills and clients. The profession evolves rapidly, so staying isolated can mean missing out on new techniques, best practices, or even clients’ evolving testing needs”.
Similarly, M.TH notes: “I have never felt alone in my profession. It’s a job that involves interaction; we work on successive missions for clients across a variety of industries. Sometimes, a significant amount of time is spent explaining what we’ve done, often to IT teams. And the initial intrusion is just the beginning. We are frequently called back by the same client to ensure their IT teams have successfully addressed the vulnerabilities we identified. Occasionally, we manage to bypass their newly implemented security measures; other times, we see that they’ve done an excellent job, and it’s satisfying to be able to acknowledge that. Therefore, it’s not a profession confined entirely to the shadows”.
These accounts confirm the dynamic of socialization emphasized by M.GF, a manager: “I always ensure that my teams of ethical hackers work within a group dynamic, as it’s easy to fall into tunnel vision. For example, during a mission, a consultant may become fixated on finding a vulnerability in a client’s information system, convinced that there must be one to discover. While this is often true, there are occasions when nothing is found. In such cases, we receive a flat fee but not necessarily a bonus. This can be frustrating, but we strive to prevent hackers from losing perspective in their pursuit of perfection. We also take the opportunity to work collaboratively on complex missions, alternating between awareness-raising assignments and intrusion testing to maintain contact with the client’s employees. This is particularly important because, behind the information systems, there are always people, and hackers need regular reminders of this to stay grounded”.
Implications and conclusions
Cybersecurity is gradually taking over security issues, whether internal or external, public or private (Freyssinet, 2022). It is no longer just a question of observing a “blurring of the boundaries” (Lejeune, 2022) between national defense and the fight against crime, or between public and private organizations that have fallen victim to hackers. In practice, cybersecurity is gradually becoming an integral part of all security issues, whether in terms of perpetuating malicious actions, containing them, resolving them or, in any case, having them managed by professionals (police, ethical hackers, etc.). It is no longer a matter of working on operational synergies between departments within organizations, but rather of systemic integration of the cyber threat and its management for the entire organization and its stakeholders (employees, customers, suppliers and civil society in general).
A number of researchers (Auray, 2000; Bronk, 2008; Evans, 2001) have long been warning of the strategic and cross-functional role of the Information Systems Department (ISD) within organizations. The IS Department is no longer just a support function which, through digitization (Février, 2020), opens up economic, commercial and logistical opportunities in terms of communication (email, websites, etc.) and electronic infrastructure (ERP, databases, etc.). It now necessarily encompasses the protection and security of electronic data, which, nolens volens, is – after the economic challenge – the major challenge facing organizations.
In our study, we have focused on the silent ethics of ethical hackers, who are already at the heart of this type of protection. Silence is a reservoir of meaning (Dequiré, 2021) that produces action. In the course of a research-intervention approach that enabled us to work with thirty ethical hackers between 2020 and 2023 (lecturers in companies providing IT security audits), we confirmed our initial theoretical proposition that silence is the fundamental element in their training (before the assignment), their socialization (before and during the assignment) and their reputation (after the assignment). Ethical hackers thus display a “construction of identity in ‘retreat’”, as Larribeau (2019, p.66) emphasizes, which is founded on silence. This silence transmits and enjoins, socializes and promotes, but also protects those who have to protect everyone’s data.
Effective protection can only be achieved over the long term. The scale of the challenges and threats ahead (ANSSI, 2023) means that we need to consider the problem of the human resources of ethical hackers, i.e., their training and also their retention, as Lejeune (2022) has emphasized in the case of France. Unfortunately, the economic (all-out threats to organizations) and geopolitical (war in Ukraine, renewed international tensions, etc.) environment has led to competition for recruitment between the private and public sectors for several years (Bronk, 2008). Aside from the fact that the pool of ethical hackers in France is small, it is still too early to identify all the HR issues involved in a profession that is still in its infancy and whose legal status is currently being consolidated at French level and soon at European level via the Digital Operational Resilience Act (DORA).
Indeed, the European DORA Regulation (EU) 2022/2254 of December 14, 2022, applicable as of January 2025, stipulates in Article 24 that digital operational resilience tests must be conducted using various types of tests and associated competencies. Similarly, Articles 25 and 27 of DORA outline the expected types of tests, the preference for testers to be external wherever possible to ensure independence, as well as the prerequisites for these testers and the conditions of their intervention. Furthermore, Article 27[18] establishes a compliance framework for penetration tests, including their subsequent archiving and deletion processes, rendering any failure to adhere to these rules non-compliant. This regulation thus institutionalizes ethical hacking practices and their conditions of intervention within the financial services sector.
However, it appears that there is already a distinct ethical code for ethical hackers in particular and hackers in general which has permeated the world of work (Bureau, 2019). In Appendix 1, we present a code of conduct for ethical hackers that amalgamates previous proposals. The emphasis on ‘doing’, whatever one’s academic, ethnic or professional background, has become increasingly important (Lallement, 2015) as relationships based on cooperation and creative reciprocity are revalued (Dagnaud, 2017). In addition, the desire to break free from certain rules or to circumvent them while trying to improve systems in a creative and open way has been described for several years as an essential component of the information age. In essence, being an ethical hacker entails a civic, if not political, commitment compelling public and private organizations to better align strategy with ethics, lest they endanger themselves.
“… and what drew me ever closer to him was the ever-present hope
that he might provide me with a means of escape.”
Mémoires de Vidocq, Vidocq (1848, p.127)
[1] The community formed around HackerOne (www.hackerone.com) has led to the creation of one of the largest platforms for collaboration and engagement between ethical hackers and businesses. Annually, the platform releases a ‘Hacker-Powered Security Report’, which can be accessed online at: https://www.hackerone.com/reports/6th-annual-hacker-powered-security-report.
[2] According to ERP Market Share, Size and Trends Report for 2022 (22 June 2022), the 5 major players have more than 50% of worldwide ERP market share (https://softwareconnect.com/erp/erp-market/).
[3] Retrieved on 12 August 2024 from https://www.cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-001/.
[4] For a comprehensive and referenced overview of cybersecurity statistics, we refer readers to the website of Cobalt, an American cybersecurity company (https://www.cobalt.io/blog/cybersecurity-statistics-2023).
[5] Translated from ANSSI website on May 24, 2023 (https://www.ssi.gouv.fr/particulier/glossaire/c/).
[6] Direction générale de la Sécurité Intérieure (DGSI), the French domestic intelligence agency.
[7] Established by decree on 25 February 2021, and operationally launched in August 2021, the cyber gendarmerie, or COMCyberGEND, is reported to have, by 2023, 9,000 military personnel and 400 reservists in France (Cornevin, 2023, p.2). As of August 2021, there were officially 6,700 digital investigators. Retrieved on 24 May 2023, from https://www.gendarmerie.interieur.gouv.fr/gendinfo/actualites/2022/neuf-mois-apres-sa-creation-quel-bilan-pour-le-comcybergend.
[8] We borrow this expression from the title of issue 67 (1) of the journal ‘Spirale’, an educational research journal published in 2021.
[9] In the last century, the emerging field of telematics combined the techniques and services of computer science with those of telecommunications. Today, the two are intrinsically linked.
[10] This ethnographic and exploratory study was conducted in the late 2010s with half a dozen hackers from the Rhône-Alpes and Nouvelle Aquitaine regions. Most of the individuals interviewed had undergone formal university training in so-called “hard” sciences: biochemistry, computer science, physics, etc.
[11] See https://cybersecurityguide.org/programs/cybersecurity-bachelors-degree/#Schools and https://www.mastersportal.com/search/master/cyber-security/united-states.
[12] See the online ranking of the top master’s programs recognized by the French Federation of ‘Grandes Ecoles’ from Le Figaro Étudiant in March 2023 or the 2024 ranking by EdUniversal, which lists the 20 best programs at the national level, as well as regionally (14 in 2023).
[13] See the Ethical Hackers Academy (https://www.linkedin.com/company/ethical-hackers-academy/).
[14] Criminal Code of 1992, which came into effect on 1 March 1994 and has since been amended by 6 laws. The cited article is sourced from the official Legifrance website, the French public service for the dissemination of law. Retrieved 12 August 2024 from: https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000006417945#:~:text=La%20r%C3%A9v%C3%A9lation%20d’une%20information,15%20000%20euros%20d’amende.
[15] Official Bulletin of the Ministry of Justice, No. 95 (1 July – 30 September 2004): Circulars from the Directorate of Criminal Affairs and Pardons, notification of circulars from 1 July to 30 September 2004. Retrieved 12 August 2024 from: http://www.gip-recherche-justice.fr/conferenceconsensus/textes.justice_subdomain/bulletin-officiel-10085/bulletin-officiel-n-95-du-1er-juillet-au-30-septembre-2004-11062/
[16] Employment contracts with ethical hackers include a Non-Disclosure Agreement (NDA) in addition to confidentiality agreements.
[17] See the official European website for the final text: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en (accessed 28/10/2024).
[18] See above official reference.
References
Alsharaa, B., Thuneibat, S., Masadeh, R., & Alqaisi, M. (2023). Selected advanced themes in ethical hacking and penetration testing. Computer Science and Information Technologies, 4(1), 69-75.
ANSSI (2023). Panorama de la cybermenace en France, Janvier 2023. Retrieved March 17, 2023 from https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-001.pdf
Anteby, M. (2015). L’école des patrons. Silence et morales d’entreprise à la Business School de Harvard. Editions Rue d’Ulm. Paris.
Aubouin, N. & Capdevila, I. (2019). La gestion des communautés de connaissances au sein des espaces de créativité et innovation : une variété de logiques de collaboration. Innovations, 58, 105-134.
Auray, N. (2000). Politique de l’informatique et de l’information. Les pionniers de la nouvelle frontière électronique. Thèse de doctorat de sociologie, EHESS, Paris.
Auray, N. (2001). Figures politiques des hackers. Chimères. Revue des schizoanalyses, 44, 179-186.
Boullier, D. (2019). Sociologie du numérique. 2e édition, Paris, Armand Colin.
Bronk, C. (2008). Hacking the nation-state: Security, information technology and policies of assurance. Information Security Journal: A Global Perspective, 17(3), 132-142.
Bureau, M. (2019). L’éthique hacker infuse-t-elle le cœur de nos sociétés ?, Nectart, 9, 126-134.
Cailleba, P. (2017). Lanceur d’alerte et silence organisationnel. Revue internationale de psychosociologie et de gestion des comportements organisationnels, RIPCO, XXIII, 309-334.
Chen, J., Henry, E., & Jiang, X. (2022). Is cybersecurity risk factor disclosure informative? Evidence from disclosures following a data breach. Journal of Business Ethics, 1-26.
Choi, K. S., Lee, C. S., & Louderback, E. R. (2020). Historical evolutions of cybercrime: From computer crime to cybercrime. The Palgrave handbook of international cybercrime and cyberdeviance, 27-43.
Cornalba, V. (2013). Hacker vaillant: Prince de l’impossible. Adolescence, 312, 377-391.
Cornevin, C. (2023). Cyberattaques : plongée au cœur d’une traque planétaire. Le Figaro, samedi 20 mai, p.2.
Curtet, F. (2023). Hacke-moi si tu peux – Mémoires d’un cyberpirate repenti. Paris, Cherche Midi.
Dagnaud, M. (2017). La réciprocité créatrice, mode de solidarité à l’ère numérique. In Michel Wieviorka (Ed.), Les Solidarités (pp. 103-123), Auxerre: Éditions Sciences Humaines.
de Freminville M. (2021). Pirates et corsaires : cyberespace et sécurité. Sécurité globale, 28, 133-140.
Del Real, C., & Rodriguez Mesa, M.J. (2022). From black to white: the regulation of ethical hacking in Spain. Information & Communications Technology Law, 1-33.
Dequiré, A. (2021). Quand les minutes de silence au collège font grand bruit. Spirale – Revue de recherches en éducation, 67, 127-140.
Dequiré, A. & Danvers, F. (2021). Présentation. Spirale – Revue de recherches en éducation, 67, 3-7.
Detienne, M., & Vernant, J. P. (1974). Les ruses de l’intelligence la Mètis des Grecs. Flammarion, Paris.
Dubar, C. (2015). La socialisation. Construction des identités sociales et professionnelles. Collection U, 5ème édition, Paris, Armand Colin.
Durand R., Vergne, J.-P. (2010). L’Organisation pirate. Essai sur l’évolution du capitalisme. Lormont, Le Bord de l’eau.
Ensmenger, N. (2015). “Beards, sandals, and other signs of rugged individualism”: masculine culture within the computing professions. Osiris, 30(1), 38-65.
Evans, B. (2001). The Sorry State of Software. Information Week, June 4, 112.
Evans, C. (2022, October). A Thank You to the Hacker Community, From HackerOne, Ethical Hacker, Community Blog, [Web log comment]. Retrieved 26th May 2023 from https://www.hackerone.com/ethical-hacker/thank-you-hacker-community-hackerone
Fadia, A. (2007). Network intrusion alert: an ethical hacking guide to intrusion detection. Course Technology Press.
Février, R. (2020). Covid-19 et cyberattaques – Vers une nécessaire évolution du paradigme dominant en management stratégique ?. Revue française de gestion, 46(293), 81-94.
Février, R. (2021). Sécurité des Systèmes d’Information de E-Démocratie : une obligation préalable ?. Management & Avenir, 126, 15-37.
Freyssinet, E. (2022). Perspectives de la cybercriminalité des dix à vingt prochaines années. Enjeux numériques, 20, 63-67.
Gould, L. C. (1969). Juvenile entrepreneurs. American Journal of Sociology, 74(6), 710-719.
Greenberg, J., Brinsfield, C. T., & Edwards, M. S. (2007). Silence as deviant work behavior: The peril of words unspoken. Symposium presented at the Annual Meeting of the Society for Industrial and Organizational Psychology, New York, 27–29 April.
Haehnsen, E. (2020). Quand les cybercriminels passent de l’autre côté de la force. Les Echos, 26 Mars, Retrieved 26 May 2023 from https://www.lesechos.fr/thema/cybersecurite-pme/quand-les-cybercriminels-passent-de-lautre-cote-de-la-force-1189080
Hertzog, R., O’Gorman, J., & Aharoni, M. (2017). Kali Linux Revealed: Mastering the Penetration Testing Distribution. Offsec Press.
Hirschman, A.O. (1970). Exit, voice, and loyalty: Responses to decline in firms, organizations, and states. Boston: Harvard university press.
Jacquinot, P. & Pellissier-Tanon, A. (2021). Du silence organisationnel à la colère déontique, Gérer & Comprendre, n°146, décembre, 27-38.
Kubitschko, S. (2015). The role of hackers in countering surveillance and promoting democracy. Media and Communication, 3(2), 77-87.
Lallement, M. (2015). L’Âge du faire. Hacking, travail, anarchie. Seuil, Paris.
Lapsley, P. (2013). Exploding the phone: The untold story of the teenagers and outlaws who hacked Ma Bell. New York, Grove Press.
Larribeau, A. (2019). Du bidouilleur amateur à l’informaticien, apprendre le détournement: une étude de la socialisation au hacking informatique. Sociologies pratiques, (1), 59-70.
Leeson, P. T. & Coyne, C. J. (2005). The Economics of Computer Hacking. Journal of Law, Economics & Policy, 1, 511.
Lejeune, K. (2022). La contribution du nouveau ComCyberGend à l’aune du triptyque compétition-contestation-affrontement dans le cyberespace. Revue Défense Nationale, H-, 320-334.
Levy, S. (1984). Hackers: Heroes of the computer revolution (Vol. 14). Garden City, Anchor Press/Doubleday, New York.
Loveluck, B., & Holeindre, J.-V. (2021). Politiques du hacking : enquête sur les ruses numériques. Quaderni [En ligne], 103, Printemps 2021, Retrieved May 17, 2023 from : http://journals.openedition.org/quaderni/1970
Miennee, J. (2021). Éléments pour une réflexion sur la place du silence dans l’organisation scolaire et la transmission des savoirs à l’école. Spirale – Revue de recherches en éducation, 67, 23-34.
Mitnick, K. (2011). Ghost in the wires: My adventures as the world’s most wanted hacker. Hachette UK.
Morrison, E. W. & Milliken, F. J. (2000). Organizational silence: A barrier to change and development in a pluralistic world. Academy of Management Review, 25(4), 706-725.
Noelle-Neumann, E. (1974). The spiral of silence: A theory of public opinion. Journal of Communication, 24(2), 43-51.
Prasad, S.T. (2014). Ethical hacking and types of hackers. International Journal of Emerging Technology in Computer Science & Electronics, 11(2), 24-27.
Royer, I. & Zarlowski, P. (2014). Le design de la recherche (ch. 6.). In Raymond-Alain Thiétart (Ed.), Méthodes de recherche en management, Dunod, Paris, 168-196.
Standage, T. (1999). The Victorian Internet: The remarkable story of the telegraph and the nineteenth century’s on-line pioneers. New York: Berkley Publishers Group.
Thévenet, M. (2008). Les talents: des étoiles brillantes aux étoiles filantes. Paris, Editions Eyrolles.
Thévenet, M. (2012). Le travail, ça s’apprend. Revue internationale de psychosociologie et de gestion des comportements organisationnels 2012/45 (Vol. XVIII), p. 301-308.
Trainor, R. (2006). Ankit Fadia: the ethical hacker. Anthill Magazine, #18, Oct. 1, 42-46.
Vidocq, F.E. (1828). Mémoires de Vidocq. Tome I, Gallica-BNF, Paris, Tenon.
Verdier, P. (2007). Secret professionnel et partage des informations. Journal du droit des jeunes, 269, 8-21.
Warner, M. (2012). Cybersecurity: A pre-history. Intelligence and National Security, 27(5), 781-799.
Appendix 1: Information theft and destabilizing attacks
Simplified Typology of Strategic Information Theft
Location | Exact place | Type of theft |
Company | Head office | Private and professional data from various departments (IT, Finance, Human Resources, Operations, etc.) |
Company | Research laboratory | Patents, prototypes, data, etc. |
Company | Subsidiary | Drawings, manufacturing secrets, SCADA configuration… |
Partner organizations | Subcontractors | Specifications, manufacturing secrets, technical specifications… |
Partner organizations | IT service providers | Data on the cloud, hosting providers… |
Partner organizations | Consultants | Strategic plans and data (financial, HR, marketing, logistics)… |
Partner organizations | Administrative services | Tax and administrative data |
Third places | Airports[1], restaurants…; open spaces, conferences and seminars…; public transport… | All types of private and professional data |
[1] Refer to the December 2022 issue on the risks of accessing electronic devices during airport security checks (https://www.dgsi.interieur.gouv.fr/la-dgsi-a-vos-cotes/contre-espionnage/conseils-aux-entreprises-flash-ingerence/conseils-aux-1).
Simplified Typology of Destabilizing attacks
Objectives | For example… | Targets | Damage | Consequences |
Intangibles and processes | Services | Research & Development | Theft of patents, processes, etc. | Theft of intellectual property; loss of income |
Intangibles and processes | Supply chain | Production | SCADA[1] attack; data encryption | Supply chain disruption; loss of income |
Intangibles and processes | Storage and logistics | | Data encryption | |
Hardware | Products | Research & Development, Marketing, Production | Creation of rumors: non-compliance with CSR standards; dangerous nature of the product; quality shortcomings | Spreading rumors to the general public, the media and activists (or other hacktivists) |
Data | Financial data | E.R.P. | Data breaches | Fall in revenues and profitability; weakening of structure (reputation) |
Data | | General Management, Administrative and Financial Department | Dissemination of data (competitors, media, WikiLeaks) | |
Individuals | Senior management | CEO, chairman, managing director, founder, entrepreneur, directors, etc. | Account hacking (e-mail, social networks, etc.); device hacking (smartphones, PCs, etc.); interception of communications | Dissemination to the general public and the media; loss of credibility and legitimacy |
Source: Both adapted from Février (2020, p.88)
[1] SCADA (Supervisory Control And Data Acquisition) systems, also known as ICS (Industrial Control Systems), control machine tools and automation systems in industry. They may be responsible for managing energy distribution (electricity, water, gas), overseeing complex industrial processes and, more generally, driving production.
Appendix 2: Standard content of hacking report
Aims of the report:
- To quickly formalize and understand the attack modus operandi used and to identify the vulnerabilities exploited by the attackers (understanding and detection rationale).
- To immediately identify a two-speed MACRO action plan (short & medium term) to avoid a similar attack perpetrated by unethical hackers in a real situation this time (prevention and protection logic).
The report includes the following sections:
- A timeline of the investigations and tools employed.
- A list of the evidence collected from the attacked company’s information system with associated methods, extraction dates, and cryptographic checksums.
- A list of limitations related to items of evidence that might be missing or deleted by the attacker.
- A timeline in the form of a table detailing dates, machines, and events in chronological order.
- A list of affected/encrypted assets presented in a table format with IP address, host name, date of initial compromise, and impact.
- A list of compromised accounts in a table format detailing domain, account name, privilege level, and impact.
- Event log excerpts that precisely delineate the penetration vector, privilege escalation methods, and propagation within the information system.
- A list of malware deposited on the attacked company’s information system (attacker tools) in table format with date, installation directory, cryptographic checksums, and description.
- A list of connections from the attacked company’s information system to the attacker’s infrastructure, noting the volume of exchanged data.
- A preliminary assessment of impacts at the internal level (attacked company) and peripheral level (potential spread to interconnected systems of partners, suppliers, and customers).
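As an added illustration of the evidence, timeline and asset tables this list calls for (example code written for this page, not the authors’ material nor any client’s real data; every host name, IP address, file and timestamp below is constructed), the following Python script fixes a SHA-256 checksum for each collected artefact at collection time, re-verifies the artefacts later, puts events into chronological order and renders the pipe-separated tables a report of this kind contains:

```python
"""Evidence inventory, timeline and asset tables for a post-intrusion report.

Added example, not the authors' material: all hosts, addresses, files and
timestamps are constructed for illustration.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path


@dataclass(frozen=True)
class Evidence:
    label: str              # what was collected (log file, memory image, ...)
    method: str             # how it was extracted
    extracted_at: datetime  # extraction date, kept in UTC
    sha256: str             # checksum fixed at collection time


@dataclass(frozen=True)
class TimelineEvent:
    when: datetime
    host: str
    event: str


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    first_compromised: datetime
    impact: str


def sha256_of_file(path: Path) -> str:
    """Hash in 1 MiB chunks so disk or memory images need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(items, extracted_at: datetime) -> list:
    """items: (label, method, Path) triples; the checksum is taken once, here."""
    return [Evidence(label, method, extracted_at, sha256_of_file(path))
            for label, method, path in items]


def verify_evidence(evidence, path_by_label) -> dict:
    """Re-hash each artefact; False means it changed after collection."""
    return {ev.label: sha256_of_file(path_by_label[ev.label]) == ev.sha256
            for ev in evidence}


def build_timeline(events) -> list:
    """Chronological order; sorted() is stable, so ties keep their input order."""
    return sorted(events, key=lambda e: e.when)


def render_report(evidence, timeline, assets) -> str:
    """Pipe-separated tables with the columns listed in Appendix 2."""
    out = ["Evidence collected", "label | method | extracted (UTC) | sha256"]
    out += [f"{e.label} | {e.method} | {e.extracted_at:%Y-%m-%d %H:%M} | {e.sha256}"
            for e in evidence]
    out += ["", "Timeline", "date (UTC) | machine | event"]
    out += [f"{t.when:%Y-%m-%d %H:%M} | {t.host} | {t.event}" for t in timeline]
    out += ["", "Affected assets", "IP address | host name | initial compromise | impact"]
    out += [f"{a.ip} | {a.hostname} | {a.first_compromised:%Y-%m-%d} | {a.impact}"
            for a in assets]
    return "\n".join(out)


def demo() -> dict:
    """Run the pipeline on constructed data and return every piece for inspection."""
    utc = timezone.utc
    work = Path(tempfile.mkdtemp())
    paths = {"auth.log": work / "auth.log", "memory.raw": work / "memory.raw"}
    paths["auth.log"].write_bytes(b"abc")  # constructed placeholder contents
    paths["memory.raw"].write_bytes(b"")
    evidence = collect_evidence(
        [("auth.log", "copy over SSH", paths["auth.log"]),
         ("memory.raw", "live memory capture", paths["memory.raw"])],
        extracted_at=datetime(2024, 8, 12, 9, 0, tzinfo=utc))
    events = [  # deliberately out of order, as collected from several hosts
        TimelineEvent(datetime(2024, 8, 11, 2, 40, tzinfo=utc), "DC01",
                      "unexpected Domain Admins membership change"),
        TimelineEvent(datetime(2024, 8, 10, 8, 5, tzinfo=utc), "WS-042",
                      "malicious attachment executed"),
        TimelineEvent(datetime(2024, 8, 10, 22, 15, tzinfo=utc), "FILESRV01",
                      "suspicious SMB logon from WS-042"),
    ]
    assets = [Asset("10.0.5.42", "WS-042", datetime(2024, 8, 10, tzinfo=utc), "initial foothold"),
              Asset("10.0.1.10", "DC01", datetime(2024, 8, 11, tzinfo=utc), "full domain compromise")]
    timeline = build_timeline(events)
    return {"evidence": evidence, "verified": verify_evidence(evidence, paths),
            "timeline": timeline, "report": render_report(evidence, timeline, assets)}


if __name__ == "__main__":
    print(demo()["report"])
```

Hashing at collection and re-hashing before the report is issued is what makes the checksum column useful: it lets a reader (or a court) confirm that the artefact analysed is the one that was extracted, which also addresses the list’s point about evidence the attacker may have altered or deleted.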
Appendix 3: Details of interview panel
Interview number | Profiles / functions | Experience in the domain |
1 | Mr. A: hacker for a penetration audit company | 4 years as an unofficial hacker, 5 years as a registered ethical hacker; no degree training, only ethical hacker certifications. |
2 | Mr. T: computer penetration researcher for a security audit firm | Trained as an engineer, 4 years as a network analyst, 3 years as an IT manager, 2 years as a penetration researcher, ISO 27001 and ISO 27005 certification and penetration testing training. |
3 | Mr. G: expert in social engineering techniques in a consultancy firm | Trained as an engineer, 3 years as an unofficial hacker, further training as an engineer, 2 years as an information consultant in an IT company, 5 years as a cybersecurity expert in a consultancy firm. |
4 | Mr. H: systems hacker | BTS (2-year technical diploma) in IT, 3 years as an unofficial hacker, 6 years as an ethical hacker in various firms. |
5 | Mr. L: ethical hacker at a specialist firm | Degree training in IT engineering, two courses in penetration audits, audit certification, internal auditor in a bank for 2 years on Information Systems Security assignments, 3 years as an ethical hacker for a specialist firm. |
6 | Mr. KJ: cybersecurity analyst working for an audit firm | Engineer by training, 4 years in internal audit and IT risk in 2 financial services companies, 2 specialist IS security training courses, 8 years in an audit firm in the cyber security consultancy practice. |
7 | Mr. Da: cybersecurity engineer for a specialist company | IT engineer, training in cybersecurity, master’s degree in cybersecurity management, 4 years in network control, 2 years in a security company working for a major telephone operator, 3 years as a cybersecurity engineer for a specialist consultancy firm. |
8 | Mr. D: information systems auditor | Training in information systems management, 4 years as a functional network administrator, 4 years as an internal auditor for a CAC 40 company, 6 years as an information systems auditor for a specialist firm. |
9 | Mr. F: cyber security consultant for a cyber crisis analysis firm | Training in organizational management (master’s degree), master’s degree in IT, ISO 27001 and ISO 22301 certifications, 5 years as a risk manager in a bank, 4 years as an IT audit consultant, 7 years as a consultant in a cyber crisis management consultancy. |
10 | Mr. K: cyber attacker and investigative analyst for a specialist firm | General engineering training (master’s degree), IT security audit training (specialized master’s degree), 3 years as an IT auditor, 7 years as an IT infrastructure manager, 6 years as an IT investigation analyst. |
11 | Mr. Fe: IT auditor | Master’s degree in IT engineering, 3 years as a systems security engineer, 2 years as an IT auditor. |
12 | Miss T: cyber investigation auditor | Master’s degree in IT engineering, 3 years as a security analyst auditor, 1 year as a cyber investigation auditor. |
13 | Miss G: data protection officer | Master’s degree in private law, 4 years as a barrister dealing with data breach issues, data protection officer for the last 4 years. |
14 | Mr. R: ethical hacker for a specialist firm | BTS (2-year technical diploma) in IT, 1 year as an unofficial hacker, 3 years as an ethical hacker for a specialist firm. |
15 | Mr. L: ethical hacker | No training, hacker for 8 years, ethical hacker in a specialist firm for 1 year. |
16 | Mr. O: ethical hacker | Degree in digital computing, 6 years as an IT project consultant, 3 years as an ethical hacker. |
17 | Mr. Ot: IT consultant | Master’s degree in management, IT degree, 5 years as an organizational consultant, 3 years as an organizational project manager, 2 years as a cybersecurity consultant. |
18 | Mr. L: ethical hacker | Master’s degree in IT auditing, Master’s degree in cyber security, 3 years as an IT auditor, 2 years as an ethical hacker. |
19 | Mr. S: IT penetration auditor | Master’s degree in engineering, 8 years in IT audit in 2 major companies, 3 years in penetration auditing for a specialist firm. |
20 | Mr. M: penetration auditor for a specialist firm | Master’s degree in IT auditing, 12 years of security auditing. |
21 | Mr. A: ethical hacker at a company specializing in IT security | Degree in security and digital infrastructure, 3 years as an IT administrator, 6 years as an ethical hacker. |
22 | Mr. L: Risk Manager in a bank | Master’s degree in organizational auditing, 12 years’ experience in banking and insurance. |
23 | Mr. H: Head of IT | Master’s degree in IT, 13 years in IT management. |
24 | Miss K: internal controller for an insurance company | Master’s degree in management control, 6 years as cross-functional internal controller, 2 years as IS security internal controller in an insurance company. |
25 | Mr. L: internal controller at a bank | Master’s degree in accounting and auditing, 2 years as a general auditor, 1 year as an IT auditor. |
26 | Mr. U-D: Risk Manager | Master’s degree in financial audit, specialization leading to certification in internal audit, 4 years as an accounting and financial auditor, 3 years in internal audit for a major audit firm, 4 years as an internal control manager in a bank, 5 years as a risk manager in a diversified financial institution. |
27 | Mr. E: Information and Data Security Manager | Master’s degree in engineering, 8 years as IT infrastructure manager in 2 companies, 9 years as information security manager, 2 years as information and data security manager. |
28 | Mr. J: Risk Director | Master’s degree from a business school, specializing in internal audit, 8 years as internal auditor in two financial institutions, 3 years as risk manager in a credit institution, 9 years as director of banking risks. |
29 | Mr. V: Cyber security risk manager at a bank | Master’s degree in intellectual property law, Master’s degree in organization and information systems management, 2 years as an internal IT auditor, 2 years as an information systems security manager, 4 years as a data protection officer, 4 years as a cyber security risk manager in a bank. |
30 | Mr. Y: Cyber security manager in an insurance company | Master’s degree from an engineering school, 2 years as an information systems analyst, 2 years as a network engineer, 3 years as an IT manager in an SME, 3 years as an IT security manager in a medium-sized company, 4 years as a cyber security manager in an insurance company. |