Illegal Roaming and File Manipulation on Target Computers

Author: Bertrand Sobesto, Alexander Testa, Michel Cukier, David Maimon
Date: 01 August 2017
Published date: 01 August 2017
DOI: http://doi.org/10.1111/1745-9133.12312
RESEARCH ARTICLE
SANCTION THREATS ON ONLINE BEHAVIORS
Illegal Roaming and File Manipulation on Target Computers
Assessing the Effect of Sanction Threats on System Trespassers’ Online Behaviors
Alexander Testa
David Maimon
Bertrand Sobesto
Michel Cukier
University of Maryland—College Park
Research Summary
The results of previous research indicate that the presentation of deterring situational stimuli in an attacked computing environment shapes system trespassers’ avoiding online behaviors during the progression of a system trespassing event. Nevertheless, none of these studies comprised an investigation of whether the effect of deterring cues influences system trespassers’ activities on the system. Moreover, no prior research has been aimed at exploring whether the effect of deterring cues is consistent across different types of system trespassers. We examine whether the effect of situational deterring cues in an attacked computer system influenced the likelihood of system trespassers engaging in active online behaviors on an attacked system, and whether this effect varies based on different levels of administrative privileges taken by system trespassers. By using data from a randomized experiment, we find that a situational deterring cue reduced the probability of system trespassers with fewer privileges on the attacked computer system (nonadministrative users) to enter activity commands. In contrast, the presence of these cues in the attacked system did not affect the probability of system trespassers with the highest level of privileges (administrative users) to enter these commands.

This research was conducted with the support of the National Science Foundation Award 1223634 and National Security Agency Lablet Award. We thank Adam Bossler, Jean McGloin, Ray Paternoster, and the anonymous reviewers for their helpful comments. We also wish to thank Gerry Sneeringer and the Security Team of the Office of Information Technology at the University of Maryland for their insight on this research. Direct correspondence to Alexander Testa, Department of Criminology and Criminal Justice, University of Maryland, 2220 LeFrak Hall, College Park, MD 20742 (e-mail: atesta@umd.edu).

DOI:10.1111/1745-9133.12312 © 2017 American Society of Criminology
Criminology & Public Policy • Volume 16 • Issue 3

Policy Implications
In developing policies to curtail malicious online behavior committed by system trespassers, a “one-policy-fits-all” approach is often employed by information technology (IT) teams to protect their organizations. Our results suggest that although the use of a warning banner is effective in reducing the amount of harmful commands entered into a computer system by nonadministrative users, such a policy is ineffective in deterring trespassers who take over a network with administrative privileges. Accordingly, it is important to recognize that the effectiveness of deterring stimuli in cyberspace is largely dependent on the level of administrative privileges taken by the system trespasser when breaking into the system. These findings present the need for the development and implementation of flexible policies in deterring system trespassers.
Keywords
cybercrime, deterrence, restrictive deterrence, honeypots, randomized field experiment
System trespassing—the illegal access of a computer or computer network (Berthier and Cukier, 2009; Brenner, 2010)—is one of the fastest growing, yet least understood forms of cybercriminal activity. According to recent surveys, nearly half of U.S. firms faced a data breach incident in 2014 (Ponemon Institute, 2014) and most Americans are more fearful of falling victim to cybercrime than to all other serious violent and property crimes (Riffkin, 2014). The concerns related to the potential harm caused by system trespassers pose such a large threat that in April 2015, President Obama issued an executive order authorizing a series of new legal sanctions intended to prevent individuals from “engaging in significant malicious cyber-enabled activities.”¹ Still, despite growing concerns regarding the threats posed by system trespassers, there is limited understanding and empirical investigation into the use of sanction threats in deterring malicious online behaviors initiated by system trespassers.
In addressing this issue, we explore the effectiveness of sanction threats presented to system trespassers during the progression of a system trespassing event in dissuading trespassers from navigating and manipulating files on the attacked computer. By drawing on restrictive deterrence theory (Gibbs, 1975; Jacobs, 2010) and prior interdisciplinary research (Maimon, Alper, Sobesto, and Cukier, 2014; Wilson, Maimon, Sobesto, and Cukier, 2015), the aim of this work is to expand our understanding of system trespassers’ response to deterring stimuli in two key ways. First, whereas prior research has focused on the effects of a sanction threat on system trespassers’ passive attempts to avoid detection on the attacked system (Maimon et al., 2014; Wilson et al., 2015), we examine the effect of a sanction threat on the likelihood of system trespassers to engage in active online behaviors, including “roaming” the attacked system and manipulating file permissions on the attacked system. Second, although the results of previous research have demonstrated the effectiveness of deterring cues in influencing all types of system trespassers (Maimon et al., 2014; Wilson et al., 2015), we first examine whether the effect of such cues is conditional on the level of administrative privileges imposed by the system trespasser in the attacked computer. To examine these questions, this work employs data collected from a randomized field experiment, in which target computers designed for the purposes of being infiltrated by system trespassers were deployed on the Internet infrastructure of a large American university. Before describing our research design and presenting the results, we begin by describing the nature of system trespassing and by reviewing prior research examining restrictive deterrence in both cyberspace and the physical world.

1. For more information, see whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m.

System Trespassing
System trespassing, alternatively referred to as computer hacking, computer cracking (Yar, 2006), or cyber-trespassing (Wall, 2001), refers to the illegitimate access into a computer or computer network and to the redesign of the hardware or software configuration of these systems in an effort to alter their intended function (Bachmann, 2010; Berthier and Cukier, 2009; Brenner, 2010; the Computer Fraud and Abuse Act of 1986 [§ 1030 (a)(5)(c)]).² System trespassers gain illegitimate access to a computer or computer network by seeking out computer vulnerabilities in either random (i.e., any computer system with vulnerabilities) or specific targets (i.e., specific computers that system trespassers are trying to infiltrate) through a variety of techniques used to search for accessible entry ports (Maimon, Wilson, Ren, and Berenblum, 2015). Once vulnerabilities are discovered, trespassers exploit these security gaps and infiltrate the target computer system, often using credentials of legitimate users or system administrators (Lee, Roedel, and Silenok, 2003). After obtaining unauthorized access, and depending on their motivation (e.g., monetary gain, revenge, exploration, risk seeking, obsession, and ideology [McQuade, 2006; Xu, Hu, and Zhang, 2013]), personality traits (e.g., rationality level and self-control [Bachmann,

2. Although there are definitional debates on what is considered system trespassing and computer hacking (Bachmann, 2010; Holt, 2007; Jordan, 2016; Jordan and Taylor, 1998; Schell and Dodge, 2002), our use of the term system trespassing is consistent with the interpretation of the term put forth in the Computer Fraud and Abuse Act of 1986 [§ 1030 (a)(5)(c)] as we believe it more accurately describes the scope of illegal behavior that is the focus of the current study.