PROCEDURES
Unlike common experimental designs that require active subject recruitment, we did not recruit subjects to participate in our experiment. Instead, we deployed our target computers on the university network for a period of 2 months (April 1 to May 30, 2011) and waited for system trespassers to find our systems and employ special software crack- ing tools (McQuade, 2006) to break into them. To simulate a genuine environment, the target computers were modified to reject the login attempts by system trespassers on its public IP addresses until a predefined number of attempts. The predefined threshold was a random number between 150 and 200. When this threshold was reached, the target computer was “successfully” infiltrated and allowed the intruder access to the system by creating a new user with the latest credentials attempted by the system trespasser.3
Once access to our target computer had been granted, system trespassers were ran- domly assigned to either a warning (treatment) or a no-warning (control) computer and
2. An IP address is an identifier for a computer or device on the Internet network. Networks that use the standard Internet protocol (i.e., TCP/IP protocol) route Internet traffic based on the IP address of the destination.
3. To limit the number of deployed target computers per attacker IP address, the system rejected any login attempt from an IP address that had already deployed target computers.
RESTRICTIVE DETERRENT EFFECTS OF A WARNING 41
initiated a system trespassing incident. When assigned to a warning target computer, the following message appeared on the screen of the intruder immediately after he or she broke into the system successfully:
The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to institutional disciplinary pro- ceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is monitored and recorded for ad- ministrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of crimi- nal activity, the Institution may provide the evidence of such activity to law enforce- ment officials.
In contrast, when assigned to a no-warning target computer, no message appeared on the screen of the intruder.
To assess the effect of warnings, we allowed system trespassers to employ the target computers and initiate repeated system trespassing incidents for a period of 30 days— including sharing the target computer with friends, allowing access to other intruders, renting it, using it to attack other computer systems, and so on. To ensure that trespassers do not engage in activities that jeopardize our computer networks, and those of others, we constantly monitored their activity. Using special software (Sebek keylogger), we then recorded each trespassing incident. At the end of a 30-day period, we blocked access to the target computer by the system trespasser, cleaned it, and redeployed it on the net- work, so if a system trespasser wanted to regain access to the system, then she or he had to break into the system again before initiating a system trespassing incident.
During the 2 months of the experimental period, 86 target computers were deployed and infiltrated by system trespassers (42 of the computers had a warning banner installed), and 971 system trespassing incidents were recorded; 451 of the system trespassing in- cidents were recorded on the no-warning computers, and 520 sessions were recorded on the warning treatment computers. Importantly, most of the target computers experienced repeated system trespassing incidents. Information regarding the actual number of target computers deployed for the treatment and control conditions, as well as the number of system trespassing incidents recorded on these computers, is presented in appendix A in the online supporting information.4 In an effort to address our list of research hypotheses, we first run our analyses using data on the first system trespassing incidents only (n = 86 trespassing sessions), and then we employ data on the entire poll of trespassing incidents recorded during the experimental period (N = 971 sessions).
OUTCOME MEASURES
Because system trespassing incidents are similar to other criminal events in the sense that they have a beginning and an end, we timed the start and termination points of each trespassing session and calculated the duration each incident lasted. We then created two dependent measures. The first measure, immediate incident cessation, is a dummy measure (1 = immediate incident cessation) indicating the termination of a trespassing incident
4. Additional supporting information can be found in the listing for this article in the Wiley Online Library at http://onlinelibrary.wiley.com/doi/10.1111/crim.2014.52.issue-1/issuetoc.
42 MAIMON ET AL.
after a period of 5 seconds from its start.5 The second measure, incident duration, is a continuous measure that taps the elapsed time (in seconds) between the beginning and the end of a system trespassing incident.
RESULTS
First Trespassing Incidents
We begin with analyzing the first trespassing incidents recorded on each target com- puter, and we test for a significant difference between the proportions of immediate in- cident cessation on warning and no-warning target computers. To achieve this goal, we perform a t test for comparing two proportions, with immediate incident cessation as a dependent variable. The results from this test revealed a nonsignificant main effect for warning (Z = –1.46, p > .05). Specifically, although the proportion of immediate incident termination is larger on the warning than on the no-warning computers (40 percent vs. 25 percent), the main effect of the warning is insignificant.
Turning to an exploration of the effect of a sanction threat on the duration of tres- passing incidents, we investigate the influence of a warning banner on the survival time of system trespassing incidents. However, because of the right-skewed distribution of the survival time of trespassing incidents, we cannot simply compare the average durations of system trespassing incidents on the warning and no-warning target computers. Instead, we employ event history analysis techniques that allow for estimating and comparing the proportion of units surviving an event [i.e., survival function S(t)], as well as a prediction of the rate at which durations end [i.e., hazard rate h(t)] (Box-Steffensmeier and Jones, 2004).
We first use standard life table methods to examine the effect of a warning on the time until termination of the system trespassing incidents (Namboodiri and Suchindran, 1987). To determine whether warning banners influence the time until termination, we compare the survival distribution of first trespassing incidents observed on target computers with a warning banner with the corresponding survival distribution of first trespassing incidents recorded on computers with no warning message. The results from this analysis are pre- sented in figure 1a. As indicated in the figure, across all time points, the proportion of first trespassing incidents that survived longer periods of time is smaller on the treatment (warning) than on the control (no-warning) target computers.
To test whether the effect of a warning on the duration of system trespassing incidents is significant, we assess the impact of a warning banner on the hazard of incident termi- nation by generating a dummy variable indicating whether a system trespassing incident was recorded on a warning or a no-warning target computer (1 = warning) and estimat- ing a Cox proportional-hazard regression (Box-Steffensmeier and Jones, 2004; Walters, 2009). Similar to a simple regression, the Cox model aims to explore the relationships between dependent and independent variables. However, in contrast to a simple or- dinary least-squares regression, a Cox model allows investigations of the relationships
5. For both experiments discussed in this article, we chose 5 seconds as a cutoff threshold because we wanted to ensure sufficient time for attackers to see and read the banner. However, in analyses not shown, we also tested the effect of a warning banner on immediate session cessation while using different cut points (0, 3, and 7 seconds). The results from these analyses were identical to those reported in this article.
RESTRICTIVE DETERRENT EFFECTS OF A WARNING 43
Figure 1. Time to System Trespassing Incident Termination— Experiment 1
0 .2
.4 .6
.8 P
ro po
rt io
n S
ur vi
vi ng
0
(a)
2,000 4,000 6,000 8,000 Duration
Warning = 0 Warning = 1
0 .2
.4 .6
.8 P
ro po
rt io
n S
ur vi
vi ng
0 2,000 4,000 6,000 8,000 10,000 Duration
Warning = 0 Warning = 1(b)
(a) First trespassing incidents (n = 86) (b) All trespassing incidents (N = 971)
between the survival of the event and independent measures of interest (Box- Steffensmeier and Jones, 2004). The results from the estimated Cox model are presented in table 1, model 1. Consistent with our research hypothesis, model 1 confirms that a warn- ing banner in the target computer is positively associated with the hazard of first system trespassing incident termination. Specifically, the hazard ratio estimate of our warning
