AlienVault Blogs


Understanding how Rationality, Deterrence Theory, and Indeterminism Influence Cybercrime.

Understanding the factors influencing cybercriminal behavior is essential for developing effective cybercrime prevention strategies. Rationality plays a significant role in shaping criminal decisions, particularly through the lens of the rational actor model and deterrence theory. This blog explores how rationality influences cybercriminal behavior, focusing on the rational actor model, the concepts of deterrence theory, their implications for understanding and preventing cybercrime activities, and how Bayesian theory can help overcome indeterministic human criminal behavior to provide risk management.

Brief History of Deterrence Theory

Deterrence theory has its roots in classical criminology and the works of philosophers such as Cesare Beccaria and Jeremy Bentham, who introduced the concept of deterrence as a means of preventing crime through the application of punishment. This idea was further developed during the mid-20th century, when the theory of nuclear deterrence emerged as a prominent concept in international relations. The understanding of deterrence broadened to be applied not only in preventing nuclear conflict but also in the context of criminal justice. John Nash, through his work in game theory, contributed significantly to the understanding of strategic decision-making and the potential for deterrence in various competitive situations. His insights were crucial in shaping the modern understanding of deterrence theory, particularly when applied to criminal decision-making and cybersecurity.[1]

Explanation of Deterministic, Non-Deterministic, and Indeterministic

Deterministic: In the context of decision-making, determinism refers to the philosophical concept that all events, including human actions, are the inevitable result of preceding causes. This perspective suggests that given the same initial conditions and knowledge, an individual's choices can be predicted with certainty. In other words, under deterministic assumptions, human behavior can be seen as fully predictable.[2]

Non-Deterministic: Non-deterministic views reject the idea that every event, including human actions, can be precisely determined or predicted based on preceding causes. Instead, non-deterministic perspectives acknowledge the role of uncertainty, chance, and randomness in decision-making. From this standpoint, human behavior is seen as influenced by a combination of factors, including personal choice, external circumstances, and unpredictable elements.[3]

Indeterministic: Indeterminism represents a specific form of non-determinism. In the context of decision-making, indeterministic views emphasize the idea that certain events or actions, particularly human choices, are not entirely determined by preceding causes or predictable factors. Instead, they are seen as influenced by random or unpredictable elements, such as personal spontaneity, free will, or external factors that defy precise prediction.[4]

The Indeterministic Nature of Cybercriminal Behavior

The indeterministic nature of cybercriminal behavior suggests that not all cybercrimes are the result of rational choices. Some individuals may engage in cybercriminal behavior due to impulsive actions, vulnerabilities in systems, or external pressures that override rational decision-making processes. These factors highlight the limitations of solely relying on rationality as an explanatory framework for cybercriminal behavior.

Rationality and the Rational Actor Model in Cybercrime

The rational actor model suggests that cybercriminals are rational decision-makers who engage in a cost-benefit analysis before committing a cybercrime.[5] According to this model, cybercriminals weigh the potential benefits and costs of engaging in cybercriminal behavior and make a rational choice based on their assessment. The rational actor model assumes that cybercriminals have the capability to accurately assess the potential outcomes of their cyber actions and aim to maximize their self-interest.[6] It suggests that cybercriminal behavior is a result of rational decision-making processes where the benefits of the cyber act outweigh the costs.

As discussed in the AT&T Cybersecurity Blog titled "Attacker Motivations", there are 7 basic motivations that drive cybercrime. These include:
  • Financial (extrinsic) - Theft of personally identifiable information (PII) that is then monetized is a classic example of financial motivation for cyberattacks. Primarily perpetrated by organized criminal groups, this motivation represents a large percentage of cyberattacks against retailers and health care providers.
  • Social/Political “Hacktivism” (primarily intrinsic) - Social or ideological issues create a motivation for some to attack organizations to make a statement. The hacking and defacement of a U.S. Government system in which the attackers post disparaging remarks about capitalism or democracy would be a solid example of hacktivism.
  • Espionage (extrinsic) - Generally, we think of cyber espionage in terms of theft of intellectual property, but it could also be focused upon the theft of confidential information related to acquisitions, marketing plans and other types of data. Nation-state actors are considered the largest group of cyber espionage attackers, but there have been examples of companies engaging in cyber espionage against competitors.
  • Revenge (intrinsic) - Disgruntled employees or former employees are those that typically commit the lion’s share of revenge-based cyberattacks. The news is replete with stories of disgruntled former employees attacking their former employers.
  • Nuisance/Destruction (intrinsic) - There are some that are intrinsically motivated to simply attack an organization or person for no other reason than to create chaos and destruction. It is unfortunate but true. A great example is that of the notorious bank robber “Slick Willie” Sutton. There is an apocryphal story about why he robbed banks. When asked, it was reported that he stated he robbed banks because “That is where the money is”. In reality he stated he “simply loved to rob banks”. Money was not a motivating factor.
  • War/Defense (extrinsic) - In the 21st century it would be irresponsible to ignore the role that nation states and even ‘patriot hackers’ play in either initiating attacks or defending against adversaries. Disrupting supply chains, destroying centrifuges and other attacks can be classified as War/Defense driven. The Stuxnet virus identified in 2010 that was used to destroy the Iranian centrifuges is but one relevant example of such a motivation.
  • Facilitation (extrinsic) - Cyber attackers frequently use proxies and other systems to attack their final target. For this reason, it is important to note that some organizations and systems may simply be convenient targets which enable and facilitate an attacker’s actions. Consider botnets. Systems are compromised to enable them to then attack other systems. The compromise of a system that is within the botnet is simply used to facilitate another attack.

Deterrence Theory in the Context of Cybercrime

Deterrence theory is a key framework for understanding the influence of rationality on cybercriminal decision-making. It posits that cybercriminals are deterred from engaging in cybercrimes when the perceived costs outweigh the benefits. The theory operates on the assumption that cybercriminals are rational actors who can assess the potential consequences of their cyber actions and make decisions based on the expected utility.[7]

Deterrence theory emphasizes three key elements in the context of cybercrime: severity, certainty, and swiftness of punishment. Severity refers to the harshness of the punishment imposed for cybercrimes. Certainty refers to the likelihood of being caught and punished for the offense, while swiftness refers to the promptness with which the punishment is administered. According to deterrence theory, an increase in the severity, certainty, or swiftness of punishment should deter cybercriminals from engaging in cybercrimes.

The Impact of Deterrence on Cybercriminal Decision-Making

The concepts of deterrence theory have significant implications for cybercriminal decision-making. Efforts to enhance cybersecurity and the presence of effective law enforcement in the cyber realm can serve as deterrents, influencing cybercriminals to refrain from engaging in cybercriminal activities. The perceived certainty of being identified and caught acts as a deterrent, as cybercriminals are more likely to consider the potential costs and consequences of their cyber actions when they believe they will be caught.[8]

Similarly, the severity of punishment plays a crucial role in deterring cybercrimes. Harsh legal penalties, significant fines, or other severe consequences increase the perceived costs of engaging in cybercriminal behavior, making it less likely for cybercriminals to choose such actions. Additionally, the swiftness of punishment is important, as delayed consequences may weaken the deterrent effect. Swift action in identifying and punishing cybercriminals ensures that they experience the connection between their cyber behavior and its consequences, reinforcing the deterrent effect.

However, it is essential to recognize the limitations of deterrence theory and the rational actor model when explaining cybercriminal behavior. Human behavior, including cybercriminal behavior, is often influenced by factors beyond rational calculation. Emotions, psychological factors, social influences, and situational contexts can all impact decision-making, leading individuals to engage in cybercriminal behavior despite the rational assessment of costs and benefits.[9]

The Role of Bayesian Theory in Overcoming Indeterministic Behavior for Risk Management

Bayesian theory offers a powerful tool for managing risk in the face of indeterministic human criminal behavior. By providing a framework for updating beliefs and probabilities in light of new evidence, Bayesian theory allows for a nuanced and dynamic understanding of risk. In the context of cybercrime, Bayesian methods can be employed to continuously assess and update the probability and impact of potential threats, enhancing the capacity to anticipate and mitigate criminal activities that may not conform to simple deterministic or rational models.[10] AT&T’s blog titled “Quantifying CyberRisks to Solve the Riddle” provides an overview of how conditional probability theory can be used to more accurately gauge cyber risks.

Conclusion

Rationality significantly influences cybercriminal behavior, particularly through the rational actor model and deterrence theory. The rational actor model posits that cybercriminals engage in cyber activities after considering the potential benefits and costs. Deterrence theory emphasizes the importance of perceived costs in deterring cybercrime, highlighting the significance of severity, certainty, and swiftness of punishment.

However, it is crucial to acknowledge the inherent indeterministic aspects of cybercriminal behavior. Emotions, psychological factors, and situational contexts can impact cybercriminal decision-making, leading individuals to engage in cybercrime despite the rational assessment of costs and benefits. Acknowledging these complexities and leveraging flexible risk management models such as Bayesian theory is essential for a comprehensive understanding of cybercriminal behavior and the development of effective cybercrime prevention strategies.

In overcoming indeterministic human criminal behavior, Bayesian theory provides an invaluable asset for risk management by allowing for the formulation of more flexible and adaptive strategies for cybercrime prevention. It offers a means to continuously update and refine risk assessments, particularly in scenarios where traditional rational and deterministic models may fall short in providing effective countermeasures.

AT&T’s Risk Advisory Services can help clients understand and quantify or qualify risks, as appropriate, to enable the prioritization and addressing of risks in an efficient and cost-effective manner. From enterprise risk management solutions to compliance-based consulting and management, AT&T provides comprehensive risk management for organizations of all sizes.

References

[1] Nash, J. (1950). Equilibrium points in n-person games. Proceedings of the National Academy of Sciences, 36(1), 48-49.
[2] Tsementzis, D. (2011). Deterministic and stochastic models of AIDS epidemiology. Springer Science & Business Media.
[3] Cartwright, N. (2010). The Dappled World: A Study of the Boundaries of Science. Cambridge University Press.
[4] Broad, C. D. (2011). Determinism, indeterminism and libertarianism. Routledge.
[5] Cornish, D. B., & Clarke, R. V. (Eds.). (2014). The reasoning criminal: Rational choice perspectives on offending. Routledge.
[6] Nagin, D. S., & Pogarsky, G. (2003). An experimental investigation of deterrence: Cheating, self-serving bias, and impulsivity. Criminology, 41(1), 167-194.
[7] Cressey, D. R. (1960). Deterrence, rationality, and corruption. In J. Menell & P. Thompson (Eds.), White-Collar Crime: Theory and Research (pp. 25-36). Free Press.
[8] Hollis, M. (2015). The philosophy of social science: An introduction. Cambridge University Press.
[9] Becker, G. S. (1968). Crime and punishment: An economic approach. Journal of Political Economy, 76(2), 169-217.
[10] Lindley, D. V. (2006). Understanding uncertainty. John Wiley & Sons.
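
The continuous updating of threat probability described in the section on Bayesian theory can be illustrated with a conjugate Beta-Binomial model. This is an added example, not code from the original post or from AT&T; the prior, the quarterly observations and the cost per incident are constructed values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BetaBelief:
    """Beta(alpha, beta) belief about the per-month probability of an incident."""
    alpha: float
    beta: float

    @property
    def mean(self) -> float:
        return self.alpha / (self.alpha + self.beta)

    @property
    def variance(self) -> float:
        n = self.alpha + self.beta
        return (self.alpha * self.beta) / (n * n * (n + 1))

    def update(self, incidents: int, periods: int) -> "BetaBelief":
        """Bayes' rule for a Beta prior with binomial evidence (conjugate update)."""
        if not 0 <= incidents <= periods:
            raise ValueError("incidents must be between 0 and periods")
        return BetaBelief(self.alpha + incidents, self.beta + periods - incidents)


def track_risk(prior, evidence, loss_per_incident):
    """Fold each evidence batch into the belief.

    Returns the final belief and a history of
    (posterior mean, expected loss per month) after each batch.
    """
    belief, history = prior, []
    for incidents, periods in evidence:
        belief = belief.update(incidents, periods)
        history.append((belief.mean, belief.mean * loss_per_incident))
    return belief, history


# Constructed sample data (assumptions, not figures from the article).
PRIOR = BetaBelief(alpha=1, beta=9)          # prior belief: about 10% per month
QUARTERS = [(0, 3), (2, 3), (1, 3), (0, 3)]  # (incidents, months observed)
LOSS = 50_000                                # hypothetical cost per incident

if __name__ == "__main__":
    final, history = track_risk(PRIOR, QUARTERS, LOSS)
    for q, (p, loss) in enumerate(history, 1):
        print(f"Q{q}: P(incident/month)={p:.3f}  expected monthly loss={loss:,.0f}")
    print(f"variance: prior={PRIOR.variance:.5f}  posterior={final.variance:.5f}")
```

The estimate rises after the second quarter's cluster of incidents and falls back only partly after a quiet fourth quarter, which is the behaviour a fixed deterministic estimate cannot show.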