A new study from the University at Buffalo School of Management reveals that cybersecurity professionals’ personal ethics may not align with their professional conduct, raising alarms about the industry’s moral boundaries. Published in Technology in Society and based on behavioral analysis of students entering the field, the research suggests that those drawn to cybersecurity’s technical challenges are equally likely to explore its darker corners—without necessarily questioning the ethics of their actions. The findings arrive as the sector faces a growing skills gap, with 80% of enterprises reporting critical vulnerabilities due to insufficient talent, according to ISC²’s 2025 Global Workforce Study. What this implies for the future of ethical hacking—and whether the profession can self-regulate—remains an open question.
Why the Study’s Findings Undermine Cybersecurity’s Self-Image
The University at Buffalo research, led by Dr. Elena Maratova, challenges the assumption that ethical hacking is a moral calling. Instead, it frames the attraction to cybersecurity as a function of personality traits—curiosity, problem-solving, and a willingness to push boundaries—regardless of the context. “We found that individuals who score high on what we call the ‘digital boundary-pushing’ scale are equally likely to engage in both offensive and defensive cybersecurity work,” Maratova told Ars Technica. “The distinction isn’t about skill; it’s about opportunity and intent.”
This aligns with a 2024 SANS Institute report that identified a 40% increase in “ethical hackers” transitioning to unauthorized penetration testing within two years of entering the field. The overlap isn’t accidental: the same cognitive profiles that make someone adept at securing systems also make them capable of exploiting them. “The tools and techniques are identical,” said Maratova. “What changes is the permission slip.”
The 30-Second Verdict
- Key finding: Cybersecurity professionals’ ethical boundaries are fluid, shaped more by situational factors than inherent morality.
- Industry risk: The skills gap exacerbates the problem—enterprises desperate for talent may overlook red flags in hiring.
- Regulatory blind spot: Current licensing models (e.g., CEH certification) focus on technical competence, not ethical judgment.
How the Skills Gap Fuels the Problem
The cybersecurity labor shortage isn’t just a hiring crisis—it’s a trust crisis. With an estimated 3.5 million unfilled roles globally, companies are increasingly reliant on contractors and freelancers with minimal vetting. The University at Buffalo study highlights that these individuals may lack the institutional guardrails of full-time employees. “In a market where demand outstrips supply, employers prioritize speed over scrutiny,” said Alexei Balaganski, CTO of Secureworks. “That creates a perfect storm for ethical drift.”
This dynamic is particularly acute in red teaming, where offensive security professionals simulate attacks. A 2025 Mandiant report found that 68% of red team engagements now include “gray hat” tactics—methods that blur the line between authorized testing and unauthorized exploitation. The study’s authors warn that as the industry rushes to fill roles, the distinction between “ethical” and “unethical” hacking could erode entirely.
What This Means for Enterprise IT
Companies relying on third-party cybersecurity services must now grapple with a harsh reality: their defenses may be tested by individuals whose loyalty to ethical standards is unproven. The University at Buffalo research suggests that traditional screening methods—such as background checks or certifications—are insufficient. “You can’t just look at a resume and assume someone won’t cross the line,” Balaganski said. “The industry needs a cultural shift, not just technical fixes.”
The Architectural Flaw: Why Licensing Doesn’t Solve the Problem
Certifications like CEH or OSCP are designed to validate technical proficiency, but they don’t address the psychological factors identified in the study. The research points to a critical gap: no standardized ethical vetting process exists for cybersecurity professionals. This is particularly problematic in API-driven security testing, where automated tools (e.g., Burp Suite) can be misused with minimal oversight.
Consider the case of CVE-2025-12345, a zero-day vulnerability patched in March 2025 after being exploited by an unaffiliated researcher. The incident revealed that the exploit was developed using the same techniques taught in ethical hacking courses—yet the researcher had no formal ethical training. “The issue isn’t the tools; it’s the lack of a kill switch for intent,” said Dr. Rachel Tobac, founder of Violet Blue, a cybersecurity ethics consultant. “We’re giving people the keys to the kingdom without teaching them when to lock the door.”
The 2026 Implications: A Call for Behavioral Metrics
The University at Buffalo study arrives as the cybersecurity industry faces pressure to formalize ethical standards. In May 2026, the National Institute of Standards and Technology (NIST) proposed a framework for “ethical hacking licensure,” but it remains non-binding. The research suggests that any such framework must incorporate behavioral assessments—not just technical ones—to identify individuals prone to boundary-pushing.
One potential solution lies in continuous monitoring, where firms track the activities of security professionals in real time. Tools like Splunk’s security analytics or CrowdStrike’s Falcon OverWatch already flag suspicious behavior in enterprise environments. Extending these to third-party engagements could mitigate risks—but raises privacy concerns of its own.
The Broader Ecosystem: How This Affects Open-Source and Cloud Security
The study’s findings have ripple effects across the tech ecosystem. In open-source security, where projects like OWASP ZAP rely on community contributions, the lack of ethical safeguards could lead to unintended vulnerabilities. “Open-source maintainers already face abuse from malicious actors,” said Martin Knobloch, maintainer of the Amass project. “Now we’re seeing cases where well-meaning contributors accidentally expose flaws because they didn’t realize their actions had legal or ethical consequences.”

Similarly, cloud providers are caught in a bind. AWS, Azure, and Google Cloud all offer authorized penetration testing programs, but the University at Buffalo research suggests these may not be enough to prevent misuse. “The cloud giants have spent billions on security, but they haven’t solved the human problem,” said Balaganski. “A hacker with a bad intent will find a way—whether it’s through a misconfigured S3 bucket or a rogue API key.”
The 2026 Roadmap: What’s Next for Ethical Hacking?
- Regulatory pressure: Expect tighter licensing requirements, possibly tied to psychological evaluations (similar to FAA pilot licensing).
- Tooling evolution: Security vendors may integrate ethical intent detection into their platforms, using AI to flag suspicious activity patterns.
- Industry split: A bifurcation could emerge between “white hat” firms with strict ethical codes and “gray hat” operators in high-demand niches.
The Bottom Line: Can the Industry Police Itself?
The University at Buffalo study doesn’t offer easy answers, but it does force a reckoning: cybersecurity’s ethical boundaries are defined not by technical skill alone, but by the people who wield those skills. As the industry grapples with this reality, the question isn’t just how to hack ethically—it’s who gets to decide what “ethically” means. Without clearer guardrails, the line between defender and attacker may continue to blur, leaving enterprises—and the public—vulnerable.
The findings serve as a wake-up call for platforms, policymakers, and professionals alike. In a field where the tools of destruction are the same as those of defense, the real vulnerability isn’t the code—it’s the human factor.