Black and White…and a Little Gray in Between

When I was growing up, I was mesmerized by any Western-themed television show or movie — Rawhide, The Rifleman, Maverick, The Big Valley, The Wild Wild West, Bonanza, Gunsmoke, Butch Cassidy and the Sundance Kid, John Wayne Westerns and, of course, all those spaghetti Westerns starring Clint Eastwood. I loved them all and couldn’t get enough of them. I can still remember daydreaming about what it would have been like to live back then in the Wild West.

In those shows it was pretty easy to tell who were the good guys and who were the bad guys simply by the hats they wore: white for good and black for, well, not so good.

Jump ahead these many years later and I find myself wondering if my childhood fascination is one of the reasons I’m now so drawn to and intrigued by cyber insurance. After all, when it comes to underwriting and pricing, cyber insurance has been compared with the Wild West — where almost anything goes.

And what is it with hats — this time with hackers? Why do hackers wear “hats”? And why does it seem those hats are always white or black or even gray?

First, it must be stated up front that many hackers don’t just wear one hat. They can wear many hats, depending on their situation.

White hat hackers are software and network security professionals who use their skills to benefit others. White hat hackers are typically hired to test the security systems and procedures of a particular enterprise. One of the more common services performed by white hat hackers is the penetration test: They try a variety of actions to attempt to break or hack into the enterprise to find possible gaps in its security.

A white hat hacker may also be an individual who finds a security flaw in software on his or her own and reports that flaw to the respective enterprise, often for a bounty or reward. There are quite a few companies and groups that actively support those bounty programs, which have improved cyber security across the industry and provided a great training ground for security professionals around the world. You can learn about some of those white hat hacks here.

Black hat hackers are people who use their skills only for personal gain. Their goal may be to steal or extort money or simply to cause mischief. Most data breaches that make the news are the work of black hat hackers.

As with almost everything, there’s the space in between that’s difficult to define. This is where the gray hat hacker comes into play. A gray hat hacker is truly a blend of both white and black hats — someone who actively seeks out and exploits cyber vulnerabilities for fun, practice, and experience. The gray hats may then notify affected network administrators of the vulnerability they found and exploited.

In my life, I’m proud to say that I wear many hats — but they’re just to keep the sun off my head.

To learn about ISO’s various cyber offerings, visit the ISO Cyber Risk Solutions website or email me. You can also follow me on Twitter @doughertyshawn.

Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.
