RESTRICTIVE DETERRENT EFFECTS OF A WARNING BANNER IN AN ATTACKED COMPUTER SYSTEM

Author: MICHEL CUKIER, BERTRAND SOBESTO, MARIEL ALPER, DAVID MAIMON
Published date: 01 February 2014
DOI: http://doi.org/10.1111/1745-9125.12028
DAVID MAIMON¹, MARIEL ALPER¹, BERTRAND SOBESTO², and MICHEL CUKIER²
¹ Department of Criminology and Criminal Justice, University of Maryland
² A. James Clark School of Engineering, University of Maryland∗∗
KEYWORDS: cybercrime, deterrence, restrictive deterrence, honeypots, experiments
System trespassing by computer intruders is a growing concern among millions of Internet users. However, little research has employed criminological insights to explore the effectiveness of security means to deter unauthorized access to computer systems. Drawing on the deterrence perspective, we employ a large set of target computers built for the sole purpose of being attacked and conduct two independent experiments to investigate the influence of a warning banner on the progression, frequency, and duration of system trespassing incidents. In both experiments, the target computers (86 computers in the first experiment and 502 computers in the second) were set either to display or not to display a warning banner once intruders had successfully infiltrated the systems; 1,058 trespassing incidents were observed in the first experiment and 3,768 incidents in the second. The findings reveal that although a warning banner does not lead to an immediate termination or a reduction in the frequency of trespassing incidents, it significantly reduces their duration. Moreover, we find that the effect of a warning message on the duration of repeated trespassing incidents is attenuated in computers with a large bandwidth capacity. These findings emphasize the relevance of restrictive deterrence constructs in the study of system trespassing.
Additional supporting information can be found in the listing for this article in the Wiley Online Library at http://onlinelibrary.wiley.com/doi/10.1111/crim.2014.52.issue-1/issuetoc.
This research was conducted with the support of the SANS Institute, the National Consortium for the Study of Terrorism and Responses to Terrorism in the University of Maryland, and the National Science Foundation Award 1223634. We thank Lawrence Sherman, Jean McGloin, Ray Paternoster, and Theodore Wilson for their helpful comments throughout the project. We also wish to thank Gerry Sneeringer and the Security Team of the Office of Information Technology at the University of Maryland for their insights on this research. Finally, we thank Wayne Osgood and the four anonymous reviewers for their helpful comments on this paper. Direct correspondence to David Maimon, Department of Criminology and Criminal Justice, University of Maryland 2220 LeFrak Hall, College Park, MD 20742 (email: dmaimon@umd.edu).
∗∗ Correction added on 28 November 2013, after first online publication on 20 November 2013: The affiliation of Bertrand Sobesto and Michel Cukier has been corrected.
© 2013 American Society of Criminology doi: 10.1111/1745-9125.12028
CRIMINOLOGY Volume 52 Number 1 33–59 2014
System trespassing, which is defined as “illegally gaining access to one or more computer systems after exploiting security vulnerabilities or defeating a security barrier” (McQuade, 2006: 83), is one of the fastest growing areas of cybercrime (Furnell, 2002). According to a recent survey of more than 580 information technology (IT) practitioners employed by large organizations and governmental agencies, 90 percent of U.S. corporations, both private and public, experienced multiple incidents of system trespassing during 2010 (Ponemon Institute, 2011; Whitman, 2003). These breaches are estimated to result in billions of dollars of financial losses annually, as well as in serious invasion of privacy for both customers and employees (Whitman, 2003). Nevertheless, despite the growing public and legal awareness of system trespassing and its consequences for commercial, governmental (Rantala, 2008), and individual computer users (Bossler and Holt, 2009), only scant attention has been given to this phenomenon in the criminological literature (Skinner and Fream, 1997).
Addressing this challenge, this work explores the effectiveness of sanction threats in attacked computer systems in preventing the progression, reducing the frequency, and shortening the duration of system trespassing incidents. Specifically, focusing on recent extensions of deterrence theory (Gibbs, 1975; Jacobs, 2010), we seek to answer four research questions. First, does a warning banner, displayed when a system trespasser intrudes on an information system for the first time, result in immediate termination of the system trespassing session? Second, does this warning banner reduce the frequency of repeated system trespassing incidents on the target computer? Third, does a warning banner affect the duration of first and repeated system trespassing incidents? And last, do varying computer configurations condition the effect of the warning banner on the duration of system trespassing incidents? To answer these questions, we designed a randomized trial using a large set of target computers built for the sole purpose of being attacked. This research design allows experimental investigation of the role of deterring cues in the development of first and repeated system trespassing incidents.
THEORETICAL BACKGROUND
SYSTEM TRESPASSING
Similar to trespassing in the physical world, system trespassing involves the violation of a use restriction on property by someone who has no right to access the property (Brenner, 2010). Overall, unauthorized users can access a computer either locally, by gaining physical access to it, or remotely, by logging in via the Internet (Anderson, 1980; Stallings, 2005). Depending on the motivation of the intruder (e.g., revenge, monetary gain, ideology, thrill, status, or addiction [McQuade, 2006; Wall, 2007; Yar, 2006]), the attacks could be harmless (e.g., exploring the Internet) or dangerous (e.g., reading and modifying privileged data, disrupting the system, using the system to attack other computers, or all of the above) for the target systems and their users (Stallings, 2005).
In an effort to gain remote unauthorized access to a system, system trespassers, who also are referred to as hackers or crackers (Furnell, 2002; Wall, 2007), randomly scan the Internet and look for open networked computer ports (Gadge and Patil, 2008). Once they have identified open ports, trespassers may use special software cracking tools—available for purchase and as open source software on the Internet—that systematically check all possible keys to a system until the correct one is found and access to the system is granted.¹ Once unauthorized access to a system is obtained, system trespassers may log
¹ These powerful tools can generate millions of passwords in a short period of time using dictionary wordlists and smart rule sets in an effort to guess the right password to an account (Florêncio, Herley, and Coskun, 2007; Knudsen and Robshaw, 2011). Several tools even try different combinations
