Have you ever wondered what hackers’ motivations are or how they turned to a life of cybercrime? Was it a conscious, rational choice, or are hackers drawn to crime by external factors they can’t control? The answers to these questions may lie in criminology theory.
Researchers once believed criminals behaved badly due to biological factors largely outside their control. Contemporary criminology theorists, however, have shifted to the perspective that motives are more nuanced, ranging from personality and emotion to social pressures and beyond. Whatever the underlying motivations, researchers at Nuix agree that, “Criminological theories, therefore, have a lot to offer in terms of explaining the behavior of hackers. These theories are useful . . . [to] inform crime prevention strategies.”
Last year, these researchers spoke in-depth with 112 professional hackers at Black Hat and Defcon, uncovering firsthand perspectives on hackers’ motivations, perceptions, methods, and more. The result was The Black Report 2018, a deep look into hackers’ motivations. By learning what drives hackers, you can shape a criminology-informed network security strategy that’s more likely to succeed.
Learn which criminological theories explain hacker behavior
Based on the findings from Nuix, as well as those from HackerOne, it’s clear hackers’ motivations vary. Some hack because they’re curious and crave an intellectual challenge. Some just want to get paid. Others, like MafiaBoy, want to show off their technical skills. When Nuix researchers solicited insights from expert forensic criminologist Dr. Claire Ferguson of Queensland University of Technology, she provided a list of several theories that could explain cybercriminal minds:
- Rational Choice Theory: The benefits of committing a cybercrime may outweigh the risks of getting caught or punished from the hacker’s perspective.
- Routine Activities Theory: When an opportunity exists, crime occurs. Hackers may spring into action if they see a lucrative target or discover a network with weak security.
- Strain Theories: Some hackers act in response to negative emotions, including anger at a former employer or a desire to take money from a brand they perceive as unethical.
- Social Control Theory: Due to societal pressures, hacker collectives may reject social norms or put peer pressure on members to hack.
These criminological theories can—and should—inform your network security strategy. You can build on decades of research to understand the context of crimes and make sure your organization’s security posture provides protection against all types of hackers. For example, if you only consider rational choice when building your cybersecurity strategy, you may not have sufficient insider threat protection to guard against disgruntled employees motivated by strain theory. Criminology theory reflects the real-world variation in hacker motivations.
Extrapolate from new data on hackers’ motivations
Data breach investigation reports may show a massive amount of cybercrime is financially motivated, but pro hackers tell a different story. In response to a survey given by Nuix researchers, here’s what cybercriminals had to say about their motives:
- 86 percent like the challenge and hack to learn
- 35 percent do it for entertainment
- 21 percent hack for financial gain
- 6 percent said they hacked for social or political reasons
Some experts, including founder and CEO of Luta Security Katie Moussouris, believe organizations can harness hackers’ motivations for good by providing them with opportunities to stay on the straight and narrow. As a pioneer of bug bounty programs, Moussouris believes enterprises can provide alternative rewards for hackers while winning security gains for themselves.
“I was trying to create a mechanism for hackers to one, stay out of jail, and two, help people become more secure,” Moussouris says, explaining how she launched bug bounties. With a well-managed bug bounty program, you can provide an avenue for thrill-seekers and payoff for hackers seeking financial reward. In the process, you can get some help removing glaring points of weakness from your network security.
All types of organizations are seeing the advantages of offering a bug bounty program today. For example, HP recently launched their first bug bounty program for print security—the first of its kind! This just goes to show that teaming up with the “enemy” can actually help better protect your IT environment.
Understand that hackers aren’t always thrill-seekers
Criminals are usually seen as big risk-takers, but according to Nuix’s survey findings, around two-thirds of hackers have some degree of self-control when it comes to how and when they commit cybercrime. Specifically:
- 54 percent of hackers say they think before they act
- 64 percent enjoy taking risks, but 51 percent generally plan carefully
- 38 percent say they don’t need to exert a lot of self-control to stay out of trouble
Based on patterns in hacker behavior, Nuix researchers propose that around one third of the hacker population behaves recklessly, but the majority exhibits some level of caution. By hardening your network security surface, you can control both segments of the hacker population—the impulsive thrill-seekers and the cautious planners. When it’s harder to get in and out without detection, it’s more difficult for opportunists to impulsively end up on the inside. At the same time, the most cautious hackers will likely target organizations less likely to catch them.
Replacing weak endpoint security and flawed office IT equipment with solutions engineered for security can make your organization a much tougher target for both types of hackers. Everything from laptops with strong security features to smart business printers that can detect attacks before they happen are important for protecting your business from hackers of every stripe.
Hear exactly what hackers want you to know
When asked if they had any messages for CEOs or IT security pros on the other side, 42 percent of self-identified hackers wanted to pass on the following:
“You will never be secure. This is a journey, not a destination. Get used to the idea that security is now part of normal operations.”
Hackers perceive most businesses as compliance-focused instead of genuinely security-focused—and that’s good for them. If you want a true cybersecurity focus, adopt a more dynamic stance that takes into account criminology theory, hacker motivations, and the enormous variations found between one hacker and another.