38 MAIMON ET AL.
and proximate organizations to display an approved system use notification message before granting users access to the system. According to the guidelines, this notification should be implemented in the form of a warning banner that includes 1) the organizational policies regarding unauthorized access and use of the system and 2) the criminal and civil penalties that are associated with trespassing. Our first goal in this work is to assess the effectiveness of this type of warning in determining the progression of a first system trespassing incident. Specifically, we explore whether the presentation of a warning banner the first time a system trespasser accesses the system results in immediate cessation of the trespassing incident. However, because no prior research has studied the effect of warnings in cyberspace (Goodman, 2010) and because of the mixed results reported in the criminological literature regarding the effectiveness of warnings in preventing illegitimate behaviors in the physical world (Ariel, 2012; Cusson, 1993; Green, 1985), we hypothesize that a warning banner in an attacked computer system could discourage, encourage, or have no effect on the progress of a first system trespassing incident.
Drawing on the restrictive deterrence literature (Gibbs, 1975; Jacobs, 2010), we also assess the impact of deterring messages on the frequency of repeated system trespassing incidents on the target computer. Consistent with the discussion of “probabilistic deterrence” proposed by Gibbs (1975), we suspect that once system trespassers encounter a deterring message in an attacked computer system, they will attempt to avoid detection and punishment for their illegal acts by reducing the frequency of repeated trespassing events on the compromised system. Therefore, we hypothesize that the presence of a sanction threat in an attacked computer system reduces the frequency of repeated trespassing incidents on the target computer.
Similarly, adopting the assumption that offenders respond to sanction threats by restricting the scope of their criminal behaviors (Jacobs, 2010), we hypothesize that the presence of a warning banner in an attacked computer system shortens the duration of both first and repeated system trespassing incidents. Indeed, prior research has indicated that limiting the time a stolen vehicle is kept is a common strategy used by automobile thieves to avoid apprehension by the police (Jacobs and Cherbonneau, 2012). However, given the absence of relevant data, no previous study has investigated the relationship between the presence of deterring cues in the environment and the duration of a criminal incident. Consistent with prior findings indicating that computer attackers use various strategies, including limiting their exposure on the system, to evade detection by IT personnel and intrusion detection systems (Wagner and Soto, 2002), we suspect that the presence of sanction threats on the target computer triggers conscious or unconscious wariness among perpetrators, which in turn reduces their willingness to expose themselves on the attacked system and shortens the duration of a trespassing incident.
Finally, because system trespassing incidents take place in heterogeneous computing environments, we suspect that attributes of these environments convey different opportunities and risks of detection, which in turn condition the effect of a warning on the duration of a system trespassing incident. Indeed, prior research has indicated that property offenders pick up important cues from the environment and rely on these cues before deciding to initiate a criminal act; Weaver and Carroll (1985), for instance, reported that shoplifters observe potential “facilitators of shoplifting,” such as store layout and accessibility of items, before making judgments about criminal opportunities in a store setting. Moreover, several studies have indicated that the effectiveness of posted instructions and warning signs in shaping the actions of individuals depends on the context in which these warnings are advertised (Ariel, 2012; Keizer, Lindenberg, and Steg, 2008; Slemrod, Blumenthal, and Christian, 2001). However, no prior research has tested the interactive effect of deterring cues and characteristics of the environment on the duration of a criminal incident.
RESTRICTIVE DETERRENT EFFECTS OF A WARNING 39
Acknowledging the role of the computing environment in determining the functionality of a system, we suspect that the random access memory (RAM) size (i.e., the amount of working memory a computer has available to hold and process data) and bandwidth capacity (i.e., the amount of data that can be carried from one computer to another per unit of time) of an attacked computer are important characteristics that present varying opportunities for the development of a system trespassing incident. Specifically, systems with small RAM size access and process information more slowly than systems with large RAM size. Similarly, computers with low bandwidth capacity offer slower communication and data transfer rates than computers with high-bandwidth connections (Tanenbaum, 2006). As a result, executing commands and transferring information on small-RAM/low-bandwidth computers is slow and requires spending longer periods of time working with these systems. Because limited functionality and longer processing time on a system imply a greater probability of detection and fewer opportunities for subsequent operations, it is possible that when system trespassers encounter a deterring message on such computers, they will be more likely to comply with it. Accordingly, our final research hypothesis is that large RAM size and high bandwidth capacity of the target computer system attenuate the effect of a warning banner on the duration of a system trespassing incident, such that the effect of a warning banner will be less pronounced on such computers than on small-RAM, low-bandwidth computers.
The goal of our first experiment was to determine the impact of a warning message in the target computer system on the progression, frequency, and duration of system trespassing incidents. In line with the legal definition of system trespassing (McQuade, 2006) and prior conceptualizations of system trespassing incidents (Alata et al., 2006; Berthier and Cukier, 2009), we operationalize a system trespassing incident as any event in which an unauthorized person accesses and logs in to a computer system. To achieve our research goal, we designed a randomized experiment employing a series of targeted computers called “honeypots.”
A honeypot is a “security resource whose value lies in being probed, attacked or compromised” (Spitzner, 2002: 40). This technical tool is a real computer that serves as a flexible decoy and permits the collection of information on intruders and “live” attacks. Because honeypots have no production value, any network activity sent their way is by definition unsolicited and suspicious, and any activity initiated by them indicates that system trespassers have successfully infiltrated the system, that the system has been compromised, and that the target computer is being used for the malicious operations of intruders. Although information technology managers use production honeypots to detect and mitigate attacks against their networks, cybersecurity scholars employ research honeypots to explore who the attackers are, what they do on the compromised systems, and what kinds of tools they use (Spitzner, 2002).
Indeed, several previous studies have employed research honeypots to generate a better understanding of the etiology of system trespassing. Alata et al. (2006), for instance, collected 38 attack sessions (i.e., unique system trespassing incidents from start to end) over a period of 131 days and provided preliminary results about the skills and attack patterns of system trespassers. A more extensive study was conducted by Berthier and Cukier (2009), in which the authors studied 1,171 attack sessions and analyzed 250 examples of rogue software collected over a period of 8 months. Finally, Salles-Loustau et al. (2011) recorded a total of 211 system trespassing incidents over a period of 167 days and examined evidence at each stage of the trespassing sequence, from discovery to intrusion and exploitation of software. Like these studies, we use honeypots (referred to as target computers in this work) to study the progress and development of system trespassing incidents. However, in contrast to past research that has focused solely on technical aspects of system trespassing, we draw on deterrence theory and design a randomized trial to assess the impact of an intervention (i.e., a warning) on the progress and development of system trespassing incidents.
In our first experiment, we used 80 public Internet Protocol (IP) addresses that were provided to us by the information technology team of a large American university and deployed identical target computers on the university network.2 These target computers were set up with the Linux Ubuntu 10.04 operating system (Canonical Group Limited, London, U.K.). To gain access to the target computers, system trespassers had to break into these systems through frequently scanned and vulnerable entry points. After infiltrating a target computer, a trespasser was thereby assigned to either a treatment or a control target computer, and a system trespassing incident was initiated. To allow the collection of meaningful data on system trespassing incidents, we monitored the different components of each incident using specialized software that records the system trespassing sessions for later analysis: Sebek (a Honeynet Project kernel-level data capture tool that logs the intruder's keystrokes and activity on the honeypot), a network gateway, and OpenVZ hosts and containers (container-based virtualization). Our focus in this work is on the first and repeated system trespassing incidents recorded on the target computers.
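The three outcome measures used here (progression of the first incident, frequency of repeated incidents on the same target computer, and incident duration) can all be derived from the login sessions the monitoring software records, using the operationalization above (an incident is any login by an unauthorized person). The following is an added illustration, not code from Maimon et al. or from Sebek; it assumes a hypothetical, constructed session log with one record per successful login (source IP, target computer, condition, login and logout timestamps), treats the source IP as the attacker identity, and uses an assumed 10-second cutoff for "immediate cessation" after the banner is shown. It groups sessions per attacker and target, separates the first incident from repeated ones, and compares the warning and control conditions.

```python
"""Reconstructing system-trespassing incidents from honeypot login records.

Added example (not from the paper or from Sebek). Assumptions: a constructed
whitespace-separated log with one line per successful login; attacker identity
is the source IP; the treatment/control condition is fixed per target computer;
"immediate cessation" means logging out within IMMEDIATE_EXIT seconds.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean

IMMEDIATE_EXIT = 10.0  # seconds; assumed cutoff for "immediate cessation"


@dataclass(frozen=True)
class Session:
    attacker: str      # source IP of the login (assumed attacker identity)
    target: str        # honeypot identifier
    condition: str     # "warning" (treatment) or "control", fixed per target
    login: datetime
    logout: datetime

    @property
    def duration(self) -> float:
        """Incident duration in seconds, measured from login to logout."""
        return (self.logout - self.login).total_seconds()


# Constructed sample records (not real data); ISO-8601 timestamps.
SAMPLE_LOG = """\
203.0.113.7  hp-01 warning 2012-03-01T10:00:00 2012-03-01T10:00:04
203.0.113.7  hp-01 warning 2012-03-02T09:30:00 2012-03-02T09:31:10
198.51.100.9 hp-02 control 2012-03-01T11:00:00 2012-03-01T11:25:00
198.51.100.9 hp-02 control 2012-03-01T23:00:00 2012-03-01T23:40:00
198.51.100.9 hp-02 control 2012-03-03T08:00:00 2012-03-03T08:12:00
192.0.2.44   hp-03 warning 2012-03-02T14:00:00 2012-03-02T14:20:00
"""


def parse_log(text: str) -> list[Session]:
    """Parse the constructed log format into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        attacker, target, condition, login, logout = line.split()
        sessions.append(Session(attacker, target, condition,
                                datetime.fromisoformat(login),
                                datetime.fromisoformat(logout)))
    return sessions


@dataclass
class IncidentSummary:
    attacker: str
    target: str
    condition: str
    first_duration: float          # duration of the first incident
    immediate_exit: bool           # first incident ended within the cutoff
    repeat_count: int              # repeated incidents on the same target
    repeat_durations: list = field(default_factory=list)


def summarize(sessions: list[Session]) -> list[IncidentSummary]:
    """Per (attacker, target): first incident vs. repeated incidents."""
    grouped: dict[tuple[str, str], list[Session]] = defaultdict(list)
    for s in sessions:
        grouped[(s.attacker, s.target)].append(s)
    summaries = []
    for (attacker, target), lst in grouped.items():
        lst.sort(key=lambda s: s.login)      # first incident = earliest login
        first, repeats = lst[0], lst[1:]
        summaries.append(IncidentSummary(
            attacker, target, first.condition, first.duration,
            first.duration <= IMMEDIATE_EXIT, len(repeats),
            [r.duration for r in repeats]))
    return summaries


def compare_conditions(summaries: list[IncidentSummary]) -> dict:
    """Mean outcomes per condition; None where a condition has no repeats."""
    groups: dict[str, list[IncidentSummary]] = defaultdict(list)
    for s in summaries:
        groups[s.condition].append(s)
    result = {}
    for cond, members in groups.items():
        repeat_durs = [d for m in members for d in m.repeat_durations]
        result[cond] = {
            "attackers": len(members),
            "immediate_exit_rate": sum(m.immediate_exit for m in members) / len(members),
            "mean_repeats": mean(m.repeat_count for m in members),
            "mean_first_duration": mean(m.first_duration for m in members),
            "mean_repeat_duration": mean(repeat_durs) if repeat_durs else None,
        }
    return result


if __name__ == "__main__":
    for cond, stats in compare_conditions(summarize(parse_log(SAMPLE_LOG))).items():
        print(cond, stats)
```

Two caveats a practitioner would apply before trusting such numbers: a source IP is a weak attacker identity (NAT, proxies, and botnets all break the one-IP-one-offender assumption), and sessions that never log out cleanly need an explicit inactivity cutoff rather than being dropped, or the duration measure will be biased toward short, tidy sessions.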