AlienVault Blogs
Understanding how Rationality, Deterrence Theory, and Indeterminism Influence Cybercrime.
Understanding the factors influencing cybercriminal behavior is essential for developing effective cybercrime prevention strategies. Rationality plays a significant role in shaping criminal decisions, particularly through the lens of the rational actor model and deterrence theory. This blog explores how rationality influences cybercriminal behavior, focusing on the rational actor model, the concepts of deterrence theory, their implications for understanding and preventing cybercrime activities, and how Bayesian theory can help overcome indeterministic human criminal behavior to provide risk management.
Brief History of Deterrence Theory:
Deterrence theory has its roots in classical criminology and the works of philosophers such as Cesare Beccaria and Jeremy Bentham, who introduced the concept of deterrence as a means of preventing crime through the application of punishment. This idea was further developed during the mid-20th century, when the theory of nuclear deterrence emerged as a prominent concept in international relations. The understanding of deterrence broadened to be applied not only in preventing nuclear conflict but also in the context of criminal justice.
John Nash, through his work in game theory, contributed significantly to the understanding of strategic decision-making and the potential for deterrence in various competitive situations. His insights were crucial in shaping the modern understanding of deterrence theory, particularly when applied to criminal decision-making and cybersecurity.[1]
Explanation of Deterministic, Non-Deterministic, and Indeterministic:
Deterministic: In the context of decision-making, determinism refers to the philosophical concept that all events, including human actions, are the inevitable result of preceding causes. This perspective suggests that given the same initial conditions and knowledge, an individual's choices can be predicted with certainty. In other words, under deterministic assumptions, human behavior can be seen as fully predictable.[2]
Non-Deterministic: Non-deterministic views reject the idea that every event, including human actions, can be precisely determined or predicted based on preceding causes. Instead, non-deterministic perspectives acknowledge the role of uncertainty, chance, and randomness in decision-making. From this standpoint, human behavior is seen as influenced by a combination of factors, including personal choice, external circumstances, and unpredictable elements.[3]
Indeterministic: Indeterminism represents a specific form of non-determinism. In the context of decision-making, indeterministic views emphasize the idea that certain events or actions, particularly human choices, are not entirely determined by preceding causes or predictable factors. Instead, they are seen as influenced by random or unpredictable elements, such as personal spontaneity, free will, or external factors that defy precise prediction.[4]
The Indeterministic Nature of Cybercriminal Behavior:
The indeterministic nature of cybercriminal behavior suggests that not all cybercrimes are the result of rational choices. Some individuals may engage in cybercriminal behavior due to impulsive actions, vulnerabilities in systems, or external pressures that override rational decision-making processes. These factors highlight the limitations of solely relying on rationality as an explanatory framework for cybercriminal behavior.
Rationality and the Rational Actor Model in Cybercrime:
The rational actor model suggests that cybercriminals are rational decision-makers who engage in a cost-benefit analysis before committing a cybercrime.[5] According to this model, cybercriminals weigh the potential benefits and costs of engaging in cybercriminal behavior and make a rational choice based on their assessment.
The rational actor model assumes that cybercriminals have the capability to accurately assess the potential outcomes of their cyber actions and aim to maximize their self-interest.[6] It suggests that cybercriminal behavior is a result of rational decision-making processes where the benefits of the cyber act outweigh the costs.
As discussed in the AT&T Cybersecurity blog post titled Attacker Motivations, there are 7 basic motivations that drive cybercrime. These include:
- Financial (extrinsic) - Theft of personally identifiable information (PII) that is then monetized is a classic example of the financial motivation behind cyberattacks. Primarily perpetrated by organized criminal groups, this motivation represents a large percentage of cyberattacks against retailers and health care providers.
- Social/Political “Hacktivism” (primarily intrinsic) - Social or ideological issues create a motivation for some to attack organizations to make a statement. The hacking and defacement of a U.S. Government system in which the attackers post disparaging remarks about capitalism or democracy would be a solid example of hacktivism.
- Espionage (extrinsic) - Generally, we think of cyber espionage in terms of theft of intellectual property, but it could also be focused on the theft of confidential information related to acquisitions, marketing plans and other types of data. Nation-state actors are considered the largest group of cyber espionage attackers, but there have been examples of companies engaging in cyber espionage against competitors.
- Revenge (intrinsic) - Disgruntled employees or former employees are those that typically commit the lion’s share of revenge-based cyberattacks. The news is replete with stories of disgruntled former employees attacking their former employers.
- Nuisance/Destruction (intrinsic) - There are some that are intrinsically motivated to simply attack an organization or person for no other reason than to create chaos and destruction. It is unfortunate but true. A great example is that of the notorious bank robber “Slick” Willie Sutton. There is an apocryphal story about why he robbed banks. When asked, it was reported that he stated he robbed banks because “That is where the money is”. In reality, he stated he “simply loved to rob banks”. Money was not a motivating factor.
- War/Defense (extrinsic) - In the 21st century it would be irresponsible to ignore the role that nation states and even ‘patriot hackers’ play in either initiating attacks or defending against adversaries. Disrupting supply chains, destroying centrifuges and other attacks can be classified as War/Defense driven. The Stuxnet virus identified in 2010 that was used to destroy the Iranian centrifuges is but one relevant example of such a motivation.
- Facilitation (extrinsic) - Cyber attackers frequently use proxies and other systems to attack their final target. For this reason, it is important to note that some organizations and systems may simply be convenient targets which enable and facilitate an attacker’s actions. Consider botnets. Systems are compromised to enable them to then attack other systems. The compromise of a system that is within the botnet is simply used to facilitate another attack.