Mich Kabay has published an update to his 2005 series on Hiring Hackers. In Hiring hackers (part 2), Mich reviews conclusions criminal psychologists reach following extensive research into computer criminal behavior and attitude. Computer criminals are described in the literature as exhibiting one or more of the following attributes: addictive or compulsive behavior, need for power or recognition, willingness to rationalize negative, immoral or unethical actions, narcissism, entitlement, or vindictiveness.
Temptation to draw analogies to CEOs who've contributed to the economic crisis notwithstanding, these are *not* at the top of my list of folks whom I'd hire to clean my keyboard, much less administer systems hosting sensitive information, run networks, or (how could you even think of it) develop software for security or defense systems. However, Mich takes a more forgiving attitude towards hiring hackers than I did in 2005 in an article entitled Security Hats: Black or White, no Grayscale. In that article, I emphasize that security professionals wear white hats, only and always.
Mich offers an interesting list of additional precautionary measures employers should add to their usual hiring scrutiny when considering candidates who have less than pure white hat track records. His methods involve challenging a candidate with hypothetical scenarios, asking a candidate to assess a case of criminal hacking, and self-appraisal ("tell me what you were thinking when you destroyed records of your previous employer"). Putting a positive assessment hat on, a candidate may reveal his true nature when answering questions of this kind. He may show remorse, better judgement, etc. Donning a negative assessment cap, he can also lie, and persuasively so. The latter is especially true if the candidate has a history of social engineering his victims.
Some organizations may be willing to turn a cheek seven times seven times seven. A more interesting question is whether their colleagues, customers or shareholders are as charitable. An even more interesting question is whether their colleagues, customers or shareholders are entitled to know when an employer hires a hacker.
Full Disclosure? Expect Nothing Less
Are we entitled to full disclosure when organizations that have associations with or influence on our business or communications hire hackers? If your bank informed you that it had hired a convicted hacker, would you bank there? If the school bus company informed you that it hires drivers with DUI convictions, would you let your child board any bus? Your answer may be yes or no, depending on what you know, and how you assess the risk. You can't assess risk accurately, however, with partial knowledge.
I'm willing to concede that hackers will likely be hired. I think Mich's precautionary measures are an interesting complement to customary measures. With a caveat...
Society has identified numerous areas where prior behavior and criminal acts must be disclosed by candidates seeking positions as teachers, coaches, bus drivers, physicians, lawyers, and more. If we are going to accept hackers into the work force (and I honestly think this is a hugely dangerous decision), let's provide all parties potentially affected by their actions with full disclosure so they can make informed decisions.