First, a warning banner in the attacked computer system does not cause the immediate prevention of a first system trespassing incident. The findings from the two experiments indicate that in contrast to the classic deterrence model, the proportion of system trespass- ing incidents that were terminated in the first 5 seconds after a warning banner appeared (in the beginning of an incident) is similar to the proportion of incidents that ended af- ter the same period of time when a warning banner was not displayed. We suspect that the inability of a sanction threat in the compromised system to prevent the progression
52 MAIMON ET AL.
of a trespassing incident relates to the substantial time and efforts the system trespassers invested before obtaining access to the target computer. Specifically, to break into the target computers successfully, system trespassers need to scan the network, identify sys- tem vulnerabilities, discover open computer ports, and “guess” the correct combination of username and password to the target computer. This process is time consuming and demanding, and it might not always end in success. It could be the case that when “suc- cessfully” breaking into the system, system trespassers like to harvest the fruits of their success and engage in an exploratory first trespassing incident, independent of the pres- ence of a warning banner in the system. Moreover, because hacking is considered by many attackers to be a mundane and easy routine (Spitzner, 2002; Wall, 2007), this finding lines up with the Wikström (2006) assumption that once an act of crime becomes a habit, de- terring cues and messages have no effect on the decision of an offender to commit the act. System trespassers in this sense seem to follow the Pogarsky definition of incorrigi- ble offenders, that is, “offenders who are impervious to dissuasion” (2002: 433) and to be insensitive to threats of legal sanctions.
Similarly, we find no evidence that a warning banner reduces the volume of repeated system trespassing incidents on the target computer. This finding seems to stand in con- trast to the claim by Gibbs (1975) that offenders reduce the frequency of their criminal involvement in response to deterring cues. However, we suspect that we do not detect a restrictive deterrent effect on the frequency of repeated system trespassing incidents in our experiments because system trespassers are likely to keep access to multiple compro- mised computer systems at any given time and do not recall the unique configuration on each of these systems. Specifically, Spitzner (2002) claimed that system trespassers infil- trate as many computer systems as they can and then keep access to these computers for their future operations. Therefore, it could be the case that the warning banner has no effect on the frequency of repeated trespassing incidents because trespassers simply do not remember the presence of a sanction threat in the target computer prior to initiating a repeated trespassing incident.
In contrast, and in line with the third hypothesis, our findings reveal that the presence of a warning banner in the target computer significantly shortens the duration of first and repeated system trespassing incidents. Specifically, findings from our two independent experiments suggest that a warning banner in the target computers significantly increases the hazard of system trespassing incident termination (although this effect is less pro- nounced in the second experiment). These findings offer important support to the ideas of restrictive deterrence proposed by Gibbs (1975) and Jacobs (2010), and it is suggested that the presence of a sanction threat in the target computer results in system trespassers restricting the scope of their criminal activity. Specifically, we suspect that the warning messages presented to system trespassers during the trespassing incident 1) raised the concerns of trespassers regarding the possible protection measures taken by the victim in an effort to defend the system and 2) made them expose themselves on the target com- puter for shorter periods of time. Alternatively, it could be the case that a warning banner automatically activates cautious behavior from system trespassers and reduces their will- ingness to expose themselves for longer periods of time on the target computer (Bargh, Chen, and Burrows, 1996). In either case, although considerable attention had been given in the criminological literature to the notion of punishment avoidance (Stafford and Warr, 1993), this study is among few to focus on the actions taken by offenders in efforts to avoid punishment.
RESTRICTIVE DETERRENT EFFECTS OF A WARNING 53
This finding joins previous empirical evidence that demonstrates offender responsive- ness to sanction threats in the environment (Jacobs, 1996a, 1996b; Jacobs and Cher- bonneau, 2012; Weaver and Carroll, 1985). Nevertheless, future studies should further explore the influence of sanction threats on other dimensions of restrictive deterrence. For instance, subsequent analyses should investigate the influence of punishment threats on the seriousness of system trespassing incidents and on the willingness of system tres- passers to engage in risky online behaviors while using the target computer. Future work also should investigate how increasing the risk of being detected influences the actions of system trespassers on the target computer.
Fourth, we find mixed support for the assumption that the bandwidth capacity of a computer system conditions the effect of a warning banner on the duration of system trespassing incidents. Specifically, an analysis of the first trespassing incidents recorded on our target computers reveals no significant interactive effect between warning and band- width capacity on the hazard rate of system trespassing incident termination. In contrast, when analyzing the entire poll of system trespassing incidents (i.e., both first and repeated trespassing incidents), we find that the effect of warnings on the hazard rate of incident termination is conditioned by the bandwidth capacity of the target computer. The latter finding is consistent with our theoretical expectation: Low-bandwidth-capacity comput- ers offer fewer opportunities for subsequent online operations and a greater probability of detection, and in turn, these computers encourage compliance by system trespassers with the deterring message and restriction of their criminal activity (Jacobs, 2010).
Importantly, system trespassers do not need to check the bandwidth capacity of the tar- get computer to determine its functionality. Signs like delays in the appearance of com- mands on the intruder screen, as well as a low rate of data transfer between the target computer and that of the intruder (for instance, the download time of a 250-Kbytes file on the 128-Kbytes/s target computer is 15 seconds vs. 3 seconds on the 512-Kbytes/s comput- ers), serve as important indicators of the bandwidth connectivity and functionality of the target system for the system trespasser. Thus, if the system trespasser cannot communi- cate with the target computer in an effective and rapid way, then he or she has no reason to remain on the system and expose himself or herself for long periods of time. This issue is particularly relevant for explaining the mixed findings regarding the interactive effects of warning and bandwidth capacity during first and subsequent system trespassing incidents. Specifically, we suspect that when encountering a warning during the first trespassing in- cident on the system, intruders explore and experiment with the system cautiously, while limiting their exposure on the system regardless of its bandwidth configuration. Using the intelligence gained during the first system trespassing incident, repeated trespassers would then have some understanding of the capabilities of the system, and the next time they trespass, they will limit their activities only to necessary operations, and then leave. Indeed, additional experiments are required to confirm this finding.
Finally, we find no support for the assumption that computer RAM size moderates the effect of a warning banner on the duration of system trespassing incidents. It could be that computer RAM size does not condition the effect of a warning because at the end of the day, the minimum RAM size required for the execution of commands and for running the tools of the intruder on the target computer is not very high, and therefore it does not affect the exposure of the trespasser on the target computer system. Alternatively, it could be that the target computer RAM size determines the specific uses trespassers find for the system. In that case, future research should investigate whether RAM size conditions the
effect of warnings on the probability of storing files on the target computer, setting up fake websites, or initiating subsequent attacks on other computer systems.
These findings support the view suggesting that criminological theories, particularly the deterrence perspective, should be implemented in the study of computer-focused crimes. Specifically, we suspect that the unique cyberspace realm allows investigations of theoret- ical constructs in a way that brings scholars closer to the antecedents of human behavior. For instance, in the current study, we did not actively recruit subjects to participate in our study, nor did we generate an unnatural environment for them to work in (Wright and Decker, 1994). As a consequence, the unique setting and tools that are common in the cyberspace realm brought us closer to the offenders and their reactions to a punish- ment threat and refined our understanding regarding the effect of a deterring message on the development of a criminal event. Moreover, it enabled empirical investigation of the effect of a sanction threat on the occurrence of criminal events and on the progres- sion and duration of criminal incidents (Gibbs, 1975). Indeed, our findings suggest that once encountering a warning banner in the attacked system, system trespassers are will- ing to pursue the criminal act; yet they drop the connection with the target computer sooner than when they do not encounter such a banner. These findings may prove useful in contributing to the ongoing dispute regarding the application of deterrence strategies in cyberspace (Elliott, 2011; Geers, 2012). Future studies should further explore the “causal chain” of events that shape the decision making of offenders in cyberspace and shape their behavior in the presence of sanction threats.
In addition to its theoretical contributions, we believe that this study carries some pol- icy implications for computer users and for IT managers who are in charge of protecting organizational networks and computer systems from data breaches and trespassing inci- dents. Indeed, the National Institute of Standards and Technology (NIST) recommends the display of a warning banner when all computer users (both legitimate and illegiti- mate) attempt to log in to the system (NIST, 2009). However, to date, no prior research has assessed the effectiveness of such warnings in influencing the behaviors of users and system trespassers. Our study is the first to show that displaying a warning banner in the attacked computer system does not prevent the occurrence of a trespassing incident and does not reduce the number of repeated trespassing incidents on the target computer, but it does reduce the duration of system trespassing incidents. These insights could be used by computer users and IT managers who debate whether implementing a warning banner in their own computer systems is beneficial for their needs. Future work should assess the effectiveness of other security measures to help IT managers tailor specific security solutions that are unique to their organizations.
Despite the important theoretical and practical implications that are derived from the findings presented in this work, it is essential to emphasize a few caveats about its design and results. First, we deployed our target computers on the Internet network infrastruc- ture of a single educational institution. Although the two independent experiments indi- cate that our findings could be replicated and are valid over time, future research should further validate these findings by deploying target computers on a range of educational, industrial, and governmental networks. Second, it could be the case that the dosage of our treatment is simply not enough to obtain compliance with the warning by subjects (Piantadosi, 2005). Specifically, it could be that a more aggressive or more ambiguous warning (Sherman, 1990) would have produced different results for our immediate sys- tem trespassing cessation measure. Related to this, because we administered a similar warning message across the treatment groups, it is difficult for us to determine to which
RESTRICTIVE DETERRENT EFFECTS OF A WARNING 55
of the warning banner components system trespassers are actually responding. Future research should address this issue and test the effectiveness of different warning forms on the progress and development of system trespassing events. Third, we have no way to tell whether system trespassers realized that they were not using actual systems but honeypots. Finally, we set up our target computers as computer systems with the Linux operating system. Although we have no reason to believe that system trespassers behave differently when intruding on computers with a Microsoft (Microsoft Corporation, Red- mond, WA) or an Apple (Apple Inc., Cupertino, CA) environment installed, this point should be clear.
In sum, this work suggests that although a warning banner may be ineffective in pre- venting the occurrence of system trespassing incidents, it causes system trespassers to change their course of criminal action and stay on the target computer for shorter pe- riods of time. This finding supports the restrictive deterrence perspective (Gibbs, 1975) and presents evidence that ties the administration of sanction threats to the engagement of offenders in detection avoidance strategies in response to such threats. We believe that these findings demonstrate the relevance of the deterrence perspective in the study of system trespassing events and provide clear ground for the development of an interdisci- plinary explanation on the etiology of computer-focused crimes.