44 MAIMON ET AL.
Table 1. System Trespassing Incident Duration Regressed over Warning Configuration (Experiment 1)
Model 1: First Observed Incidents (Cox Regression, n = 86)
Model 2: All Observed Incidents (Frailty Model, N = 971)

| Variables | Model 1 Coefficient (SE) | Model 1 Hazard Ratio | Model 2 Coefficient (SE) | Model 2 Hazard Ratio |
|---|---|---|---|---|
| Warning | .97∗∗∗ (.26) | 2.62 | .26∗ (.13) | 1.29 |
| Theta | — | — | .23∗∗∗ | — |
| Log likelihood | −233.08∗∗∗ | | −4,601.05∗∗ | |

ABBREVIATION: SE = standard error.
∗p < .05 (two-tailed); ∗∗p < .01 (two-tailed); ∗∗∗p < .001 (two-tailed).
measure indicates that a warning banner more than doubles the rate of first system trespassing incident termination, and results in shorter duration of first trespassing incidents.6
All Trespassing Incidents Recorded
Turning to an investigation of the effect of a warning banner on the volume of repeated trespassing incidents, we employ information from the entire pool of trespassing incidents recorded against our target computers (i.e., 971 incidents), and we estimate whether the mean number of repeated trespassing incidents recorded on the warning computers is significantly different from the mean number of repeated trespassing incidents observed on the no-warning computers. The results from a t test for comparing the means of two groups reveal an insignificant difference between the averages of these groups (t = –1.11, p > .05). Accordingly, although the average number of trespassing incidents is higher on the warning than on the no-warning computers (12 on the warning target computers vs. 10 on the no-warning computers), this difference is insignificant. This finding provides no support for our assumption that a warning banner reduces the frequency of repeated system trespassing incidents on the target computers.
Next, we compare the survival distributions of all system trespassing incidents recorded on the warning and no-warning computers.7 Figure 1b presents results from this comparison. Similar to the pattern observed for the first trespassing incidents, this comparison reveals that the proportion of trespassing incidents that survived longer periods of time is smaller on the treatment (warning) than on the control (no-warning) target computers. To estimate the effect of a warning banner on the hazard of system trespassing incident cessation, we employ shared-frailty models (or random-effect models). Overall, these models
6. This finding is consistent with results obtained from a log-rank test for comparing the difference between the survival curves of two groups: log-rank chi square = 15.42, p < .001.
7. In an analysis not shown, we estimated whether the duration of first trespassing incidents is related to the number of repeated attacks against the system, computing a Pearson correlation coefficient. The finding from this test indicates an insignificant relationship between the first trespassing session duration and the number of repeated attacks against the system. A similar pattern was observed in experiment 2.
RESTRICTIVE DETERRENT EFFECTS OF A WARNING 45
are unique extensions of the classic Cox model that account for the heterogeneity and dependence issues generated by repeated observations (Box-Steffensmeier, De Boef, and Joyce, 2007; Liu, Wolfe, and Huang, 2004).8 Shared-frailty models are particularly useful in the context of our work because they allow us to estimate the effect of a warning on the hazard of trespassing incident termination while accounting for the frailty shared among all repeated trespassing incidents that are observed for the same target computer.
The results from our estimated shared-frailty model are reported in table 1, model 2. As indicated in the model, the effect of a warning banner in the target computers is positive and significant on the hazard of trespassing session termination. Accordingly, the hazard ratio estimate of our warning measure indicates that a warning banner increases the probability of trespassing session termination by 29 percent. This finding further confirms our second research hypothesis and demonstrates that a warning banner reduces the duration of system trespassing incidents on the attacked system.
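The survival comparisons used in this analysis (Kaplan-Meier curves and the log-rank test cited in footnote 6) can be reproduced on honeypot session logs with a few lines of code. The following is an added example, not the authors' code; the session durations are constructed sample data, and a chi-square above 3.84 corresponds to p < .05 at one degree of freedom.

```python
# Constructed sample: (duration in seconds, ended) per trespassing incident.
# ended=False marks a session still open when observation stopped (censored).
WARNING = [(10, True), (20, True), (30, True), (40, True),
           (60, True), (90, True), (120, True), (150, False)]
NO_WARNING = [(200, True), (300, True), (400, True), (500, True),
              (600, True), (700, True), (800, True), (900, True)]

def km_curve(sessions):
    """Kaplan-Meier survival estimate: [(t, S(t))] at each termination time."""
    surv, curve = 1.0, []
    for t in sorted({d for d, ended in sessions if ended}):
        at_risk = sum(1 for d, _ in sessions if d >= t)
        events = sum(1 for d, ended in sessions if d == t and ended)
        surv *= 1 - events / at_risk
        curve.append((t, surv))
    return curve

def logrank_chi2(a, b):
    """Log-rank chi-square (1 df) comparing two groups' survival curves."""
    observed = expected = variance = 0.0
    for t in sorted({d for d, ended in a + b if ended}):
        n1 = sum(1 for d, _ in a if d >= t)   # group a sessions still active at t
        n2 = sum(1 for d, _ in b if d >= t)   # group b sessions still active at t
        d1 = sum(1 for d, ended in a if d == t and ended)
        d2 = sum(1 for d, ended in b if d == t and ended)
        n, d = n1 + n2, d1 + d2
        observed += d1
        expected += d * n1 / n                # terminations expected if groups are alike
        if n > 1:
            variance += d * (n1 / n) * (n2 / n) * (n - d) / (n - 1)
    return (observed - expected) ** 2 / variance if variance else 0.0

if __name__ == "__main__":
    print("last KM point, warning:", km_curve(WARNING)[-1])
    print("log-rank chi2 =", round(logrank_chi2(WARNING, NO_WARNING), 2))
```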
Our goal in the second experiment was to replicate the findings from experiment 1 while accounting for different system configurations that might moderate the effect of a warning banner on the duration of system trespassing incidents. Based on previous research that explored the influence of the interactive relationships between deterrence and opportunity on the occurrence of crime, we hypothesized that the RAM size and bandwidth capacity of a computer system condition the effect of a warning banner on the duration of system trespassing incidents. Specifically, we predicted that because smaller RAM size and lower bandwidth capacity require users to spend longer periods of time on the system, it is possible that when system trespassers encounter a deterring message on slower computers, they will be more likely to terminate the system trespassing incident earlier.
DESIGN AND PROCEDURE
In experiment 2, we used 300 public IP addresses that were provided to us by the IT team at a large American university, and we deployed our target computers on the university network. In line with our design in experiment 1, system trespassers had to infiltrate these target computers through a frequently scanned and vulnerable entry point. However, in contrast to experiment 1, in experiment 2, we employed a 2 [warning banner, no banner (control)] × 2 [low (512 Mbytes) RAM, high (2.25 Gbytes) RAM] × 2 [low (128 Kbits/s) bandwidth, high (512 Kbits/s) bandwidth] × 2 [low (5 Gbytes) disk space, high (30 Gbytes) disk space] factorial design. The advantage of this experimental setting is that it allows examination of the responses of system trespassers to a deterring stimulus in different computing environments.
We deployed our target computers on the university network for a period of 6 months (October 4, 2011 to April 3, 2012), and we waited for system trespassers
8. The underlying premise of the Cox model assumes that event times are independent. In the presence of correlated events and heterogeneity, the independence assumption is violated and leads to incorrect estimates of the standard errors of the model. To correct for this issue, the shared-frailty models assume that the unobserved effects across subjects/observations are commonly and randomly distributed across groups of observations.
to find our systems and employ special software cracking tools to break into them successfully. We built a genuine computer network environment by programming the target computers to deny login attempts by intruders on its public IP addresses until a predefined threshold was reached (the predefined threshold was a random number between 150 and 200). When this threshold was reached, the target computer was “successfully” infiltrated, intruders were assigned randomly to one of 16 target computer configurations, and intruders were allowed to initiate a system trespassing incident. System trespassers were allowed to employ the system for a period of 30 days; yet their activities were monitored closely. At the end of the 30 days, we prevented access to the target computer by the system trespasser, cleaned the computer, and redeployed it.
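The admission procedure described above, combined with the 2 × 2 × 2 × 2 factorial design from the preceding section, can be modelled as follows. This is an added sketch, not the authors' software: the `TargetGate` class and its method names are hypothetical, and it assumes that the attempt which reaches the threshold is the one admitted and that later logins within the 30 days are repeat sessions by the same trespasser.

```python
import itertools
import random
from datetime import datetime, timedelta

# The 2 x 2 x 2 x 2 factorial design from the text: 16 target configurations.
FACTORS = {
    "banner": ("warning", "none"),
    "ram": ("512MB", "2.25GB"),
    "bandwidth": ("128Kbit/s", "512Kbit/s"),
    "disk": ("5GB", "30GB"),
}
CONFIGS = [dict(zip(FACTORS, combo)) for combo in itertools.product(*FACTORS.values())]

class TargetGate:
    """Hypothetical model of one public IP address fronting a target computer."""

    def __init__(self, rng):
        self.rng = rng
        self.threshold = rng.randint(150, 200)  # random threshold, bounds inclusive
        self.attempts = 0
        self.config = None
        self.expires = None

    def login_attempt(self, now):
        """Return the assigned configuration if access is granted, else None."""
        if self.config is not None:
            # Already infiltrated: repeat sessions allowed inside the 30-day window.
            return self.config if now < self.expires else None
        self.attempts += 1
        if self.attempts < self.threshold:
            return None  # denied: threshold not reached yet
        self.config = self.rng.choice(CONFIGS)  # random assignment to 1 of 16
        self.expires = now + timedelta(days=30)
        return self.config

    def redeploy(self):
        """Clean-and-redeploy step: fresh threshold, no assigned configuration."""
        self.__init__(self.rng)

def simulate(seed=1):
    """Constructed run: repeated login attempts against one gate until it opens."""
    gate = TargetGate(random.Random(seed))
    start = datetime(2011, 10, 4)
    for n in range(1, 201):
        cfg = gate.login_attempt(start + timedelta(seconds=n))
        if cfg is not None:
            return n, cfg, gate
    raise AssertionError("gate never opened")
```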
Overall, a total of 502 target computers (of which 259 had a warning banner installed) were deployed and infiltrated, and more than 3,700 system trespassing incidents were recorded (2,041 on target computers with a warning banner) during the 6 months of the experimental period. Similar to the pattern observed in experiment 1, most of the target computers experienced repeated system trespassing incidents. Data on the number of target computers deployed with each configuration, as well as the number of system trespassing incidents recorded on them, are presented in appendix B in the online supporting information. To answer our research questions, we take an approach similar to the one we employed when analyzing data from our first experiment: The first round of analysis uses information on the first trespassing incidents only (i.e., n = 502 incidents), and the second round analyzes information from the entire pool of trespassing incidents (i.e., N = 3,768 incidents).
First Trespassing Incidents
Consistent with our first experiment, we generated two dependent measures. The first, immediate incident cessation, is a binary measure (1 = immediate incident cessation) indicating a trespassing incident terminated after a period of 5 seconds from its start. The second, incident duration, is a continuous measure that taps the elapsed time (in seconds) between the beginning and the end of a system trespassing incident. We then employed information from the first trespassing incident recorded on each target computer to explore the effect of a warning banner on immediate incident termination. Consistent with the findings reported for experiment 1, the results of a t test for comparing two proportions, with immediate incident cessation as a dependent variable, revealed an insignificant main effect for the warning (Z = .57, p > .05). Specifically, the proportion of first system trespassing incidents that were terminated on the warning target computers up to 5 seconds after a trespassing incident had started is almost identical to the proportion of incidents that were terminated in the same period on the no-warning computers (18 percent on the no-warning vs. 16.6 percent on the warning target computers). This finding corroborates evidence from our first experiment and indicates that a warning banner does not lead to immediate termination of a system trespassing incident.
Next, we compare the survival distribution of first trespassing incidents on warning and no-warning target computers. The results from this analysis are presented in figure 2a. As indicated in the figure, the proportion of first trespassing incidents that survived longer periods of time is smaller on the treatment (warning) than on the control (no-warning)