RESTRICTIVE DETERRENT EFFECTS OF A WARNING BANNER IN AN ATTACKED COMPUTER SYSTEM∗
DAVID MAIMON,1 MARIEL ALPER,1 BERTRAND SOBESTO,2
and MICHEL CUKIER2
1 Department of Criminology and Criminal Justice, University of Maryland; 2 A. James Clark School of Engineering, University of Maryland∗∗
KEYWORDS: cybercrime, deterrence, restrictive deterrence, honeypots, experiments
System trespassing by computer intruders is a growing concern among millions of Internet users. However, little research has employed criminological insights to explore the effectiveness of security means to deter unauthorized access to computer systems. Drawing on the deterrence perspective, we employ a large set of target computers built for the sole purpose of being attacked and conduct two independent experiments to investigate the influence of a warning banner on the progression, frequency, and duration of system trespassing incidents. In both experiments, the target computers (86 computers in the first experiment and 502 computers in the second) were set either to display or not to display a warning banner once intruders had successfully infiltrated the systems; 1,058 trespassing incidents were observed in the first experiment and 3,768 incidents in the second. The findings reveal that although a warning banner does not lead to an immediate termination or a reduction in the frequency of trespassing incidents, it significantly reduces their duration. Moreover, we find that the effect of a warning message on the duration of repeated trespassing incidents is attenuated in computers with a large bandwidth capacity. These findings emphasize the relevance of restrictive deterrence constructs in the study of system trespassing.
System trespassing, which is defined as “illegally gaining access to one or more computer systems after exploiting security vulnerabilities or defeating a security barrier” (McQuade, 2006: 83), is one of the fastest growing areas of cybercrime (Furnell, 2002). According to a recent survey of more than 580 information technology (IT) practitioners employed by large organizations and governmental agencies, 90 percent of U.S.
∗ Additional supporting information can be found in the listing for this article in the Wiley Online Library at http://onlinelibrary.wiley.com/doi/10.1111/crim.2014.52.issue-1/issuetoc. This research was conducted with the support of the SANS Institute, the National Consortium for the Study of Terrorism and Responses to Terrorism in the University of Maryland, and the National Science Foundation Award 1223634. We thank Lawrence Sherman, Jean McGloin, Ray Paternoster, and Theodore Wilson for their helpful comments throughout the project. We also wish to thank Gerry Sneeringer and the Security Team of the Office of Information Technology at the University of Maryland for their insights on this research. Finally, we thank Wayne Osgood and the four anonymous reviewers for their helpful comments on this paper. Direct correspondence to David Maimon, Department of Criminology and Criminal Justice, University of Maryland 2220 LeFrak Hall, College Park, MD 20742 (email: firstname.lastname@example.org).
∗∗ Correction added on 28 November 2013, after first online publication on 20 November 2013: The affiliation of Bertrand Sobesto and Michel Cukier has been corrected.
© 2013 American Society of Criminology doi: 10.1111/1745-9125.12028
CRIMINOLOGY Volume 52 Number 1 33–59 2014
corporations, both private and public, experienced multiple incidents of system trespassing during 2010 (Ponemon Institute, 2011; Whitman, 2003). These breaches are estimated to result in billions of dollars of financial losses annually, as well as in serious invasion of privacy for both customers and employees (Whitman, 2003). Nevertheless, despite the growing public and legal awareness of system trespassing and its consequences for commercial, governmental (Rantala, 2008), and individual computer users (Bossler and Holt, 2009), only scant attention has been given to this phenomenon in the criminological literature (Skinner and Fream, 1997).
Addressing this challenge, this work explores the effectiveness of sanction threats in attacked computer systems in preventing the progression, reducing the frequency, and shortening the duration of system trespassing incidents. Specifically, focusing on recent extensions of deterrence theory (Gibbs, 1975; Jacobs, 2010), we seek to answer four research questions. First, does a warning banner, displayed when a system trespasser intrudes on an information system for the first time, result in immediate termination of the system trespassing session? Second, does this warning banner reduce the frequency of repeated system trespassing incidents on the target computer? Third, does a warning banner affect the duration of first and repeated system trespassing incidents? And last, do varying computer configurations condition the effect of the warning banner on the duration of system trespassing incidents? To answer these questions, we designed a randomized trial using a large set of target computers built for the sole purpose of being attacked. This research design allows experimental investigation of the role of deterring cues in the development of first and repeated system trespassing incidents.
Similar to trespassing in the physical world, system trespassing involves the violation of a use restriction on property by someone who has no right to access the property (Brenner, 2010). Overall, unauthorized users can access a computer either locally, by gaining physical access to it, or remotely, by logging in via the Internet (Anderson, 1980; Stallings, 2005). Depending on the motivation of the intruder (e.g., revenge, monetary gain, ideology, thrill, status, or addiction [McQuade, 2006; Wall, 2007; Yar, 2006]), the attacks could be harmless (e.g., exploring the Internet) or dangerous (e.g., reading and modifying privileged data, disrupting the system, using the system to attack other computers, or all of the above) for the target systems and their users (Stallings, 2005).
In an effort to gain remote unauthorized access to a system, system trespassers, who also are referred to as hackers or crackers (Furnell, 2002; Wall, 2007), randomly scan the Internet and look for open networked computer ports (Gadge and Patil, 2008). Once they have identified open ports, trespassers may use special software cracking tools—available for purchase and as open source software on the Internet—that systematically check all possible keys to a system until the correct one is found and access to the system is granted.1 Once unauthorized access to a system is obtained, system trespassers may log
1. These powerful tools can generate millions of passwords in a short period of time using dictionary wordlists and smart rule sets in an effort to guess the right password to an account (Florêncio, Herley, and Coskun, 2007; Knudsen and Robshaw, 2011). Several tools even try different combinations
in and out of the compromised system at any time, access and corrupt private information and files, and interrupt the ability of legitimate users to use the system. In addition, depending on the system configuration, intruders may use the compromised system to send spam e-mail, set up fake websites, launch denial-of-service (DoS) attacks against various network targets to deny legitimate users access to network resources (Garfinkel, Spafford, and Schwartz, 2003), or employ the system for launching subsequent system trespassing incidents to intrude on other computers (Brenner, 2010; McQuade, 2006).
To mitigate system trespassing and allow more secure and protected computing environments, extensive efforts have been made during the last 20 years to develop technical solutions for detecting and preventing unauthorized access to computers (Allen and Stoner, 2000; Mackey, 2003). Moreover, responding to the pressing need to generate deterrence against the operations of system trespassers, Congress enacted the Computer Fraud and Abuse Act in 1986, which allows for up to 10 years of imprisonment for computer misuse offenses (Kerr, 2009). The belief that credible threats of apprehension will deter computer crime offenders is based on the general assumption that the behaviors of individuals can be altered by the threat and imposition of punishments (Paternoster, 1987; Tittle, 1980).