The International Information System Security Certification Consortium (ISC2) report on Women in Cybersecurity revealed women account for only 24 per cent of the overall cyber security workforce.
The fact that women represent less than a quarter of cyber security personnel speaks volumes about the issue of low gender diversity in the profession.
A diverse workforce, with proportional representation of different genders and cultural backgrounds, is likely to be more innovative in solving cybersecurity challenges than a homogeneous one.
There are many reasons why women are unequally represented in the cybersecurity industry, but to what extent does some of the offensive terminology used within the security community play a role here?
The ethical hacking dictionary is riddled with misogynistic, gender-biased, violent, and culturally insensitive terms.
Hacking, penetration, sniffing, stealing, brute force, black hat, exploit, kill switch, master/slave and man in the middle are just a few examples, but there are countless others worth revisiting.
Here is a sample of how some of these terms might be perceived as offensive, along with a suggested alternative for each:
| Term | Description | Issue with term | An alternative term |
|---|---|---|---|
| Hacking | Gaining unauthorised access to a system or network to compromise its security | Hacking is cutting something with repeated blows. It can conjure the act of assailing someone with a knife or other implement | Gaining unauthorised access |
| Penetration | Gaining authorised access to a system or network to assess vulnerabilities in order to improve security | Penetration is entry by overcoming resistance. The term can be read as having a sexual connotation | Gaining authorised access |
| Sniffing | Intercepting network traffic in order to capture and analyse it | Sniffing is drawing air through the nose and can bring to mind the act of taking drugs | Intercepting network traffic, or packet capture |
| Stealing | The unauthorised acquisition of sensitive information | Stealing is taking something illegally or without permission. It evokes the image of breaking the law through an act of theft | Data breach, or unauthorised acquisition of data |
| Brute force | Trying every possible password combination until the correct one is found | Brute force implies a forceful, aggressive attitude and can evoke images of violence | Exhaustive password guessing |
| Black hat | A hacker who acts for malicious or illegal purposes | Using colours to classify individuals, hackers included, can reinforce racial stereotypes | Malicious actor, or cybercriminal |
| Exploit | Taking advantage of a vulnerability in a system or network | Exploiting evokes the image of someone taking advantage of another person's weakness, and use of the term can condone such behaviour | Assess vulnerability, or test security |
| Kill switch | A mechanism for quickly shutting down or deactivating a system, application or process in the event of an emergency or security breach | Kill sounds violent or aggressive because of its association with harm in everyday language | Emergency stop mechanism, or shut-off switch |
| Master/Slave | Describes the relationship between two devices or systems where one controls the other | Master/Slave carries connotations of oppression, and historically the term has been used in both a racial and a sexist way | Primary/Secondary |
| Man in the Middle | An attack in which an intruder positions themself between two legitimate communicating parties in order to steal credentials and hijack the communication | Using the male gender to describe this attack is sexist and should be replaced with gender-neutral language | Person in the Middle |
The issue of offensive language within the ethical hacking community is significant. Is the use of such language professional?
The professionalism value of the Australian Computer Society (ACS) Code of Professional Conduct requires member computing professionals to respect each other, emphasising that “all people have a right to be treated with dignity and respect.”
What can we do as professionals to address this issue?
- If you’re an educator teaching a cyber security subject such as ethical hacking, you should review all teaching materials and replace terms like the above with appropriate alternatives. You can also play a role in raising your students’ awareness about the negative impact of such language on individuals and the overall cybersecurity industry
- If you’re a cybersecurity company, you should foster a culture that promotes respectful and inclusive language. Forbidding the use of offensive or inappropriate terms should be clearly outlined in your communication policy. A broader discussion may need to occur beforehand to discuss the implications of using terms like those highlighted above
- If you’re a cybersecurity professional and these or similar terms are used, you should use the experience as an opportunity to discuss the implications of this language in the context of ethical hacking
- If you’re a cybersecurity training or content provider, you should review your training materials and update your website content, course content, online exams, videos, etc., to ensure the language is respectful, inclusive, and free from misogyny, gender bias, violence, and cultural insensitivity. Again, an education piece is likely to be needed here to make sure your audience understands the approach you are taking, and why.
Cybersecurity educators, students, and professionals all over the world use terms such as hacking, penetration, sniffing, stealing, brute force, black hat, exploit, kill switch, master/slave and man-in-the-middle in their everyday speech.
It is crucial to use language in cybersecurity that is respectful, inclusive, and free from misogyny, gender bias, violence, and cultural insensitivity.
Doing this will not only foster a more welcoming, diverse and inclusive environment, but the use of respectful language can promote collaboration, innovation, and ethical conduct in the cybersecurity workplace.
If you are a cyber security professional, you have a responsibility to address this issue – so please be vigilant and proactive.
One place to start is the eSafety Commissioner website at https://www.esafety.gov.au, which has excellent resources for support.