Hackers Gonna Hack: Investigating the Effect of Group Processes and Social Identities Within Online Hacking Communities
Total Page:16
File Type:pdf, Size:1020Kb
Hackers gonna hack: Investigating the effect of group processes and social identities within online hacking communities Helen Thackray Thesis submitted for the degree of Doctor of Philosophy Bournemouth University October 2018 This copy of the thesis has been supplied on condition that anyone who consults it is understood to recognise that its copyright rests with its author and due acknowledgement must always be made of the use of any material contained in, or derived from, this thesis. 1 2 Hackers gonna hack: Investigating the effect of group processes and social identities within online hacking communities Helen Thackray Abstract Hacking is an ethically and legally ambiguous area, often associated with cybercrime and cyberattacks. This investigation examines the human side of hacking and the merits of understanding this community. This includes group processes regarding: the identification and adoption of a social identity within hacking, and the variations this may cause in behaviour; trust within in the social identity group; the impact of breaches of trust within the community. It is believed that this research could lead to constructive developments for cybersecurity practices and individuals involved with hacking communities by identifying significant or influencing elements of the social identity and group process within these communities. For cybersecurity, the positive influence on individual security approaches after the hacker social identity adoption, and the subsequent in-group or out-group behaviours, could be adapted to improve security in the work place context. For individuals involved in the communities, an increase in the awareness of the potential influences from their adopted social identities and from other members could help those otherwise vulnerable to manipulation, such as new or younger members. Further discussion on such information, as well as historical examples, will lead to informed behaviour by these communities. Whilst this may not cause the group behaviour to change, it would ensure there would be understanding and acceptance of consequences to unethical or illegal actions, which is hoped to discourage cybercriminal behaviour. The research employed a mixed methods approach, with online questionnaires and individual participant interviews. This approach primarily utilised the netnographic approach (Kozinets, 2015), with the results providing more qualitative information than originally anticipated. Informal data collection for this research included observation of relevant websites and forum discussions as well as observation at hacking related conferences; the subsequent surveys and interviews were conducted with volunteers from these communities. Formal data collection was initiated through a pilot study, carried out in early 2016, with 44 participants. This was followed by the first study survey in early 2017, completed by 155 participants. The second study was individual interviews, conducted with 14 participants throughout 2017. These interviews were analysed in the context of Social Identity Theory (Tajfel, 1974). The third and 3 final study was another survey, conducted early 2018 with 197 participants. Thematic analysis was conducted on all data. There was limited evidence of manipulation of group process or trust observed in forums or reported by participants. The adoption of a specific social identity does have strong and influential behavioural norms; however, the adoption of a specific social identity category does not prevent individuals from identifying and confirming to multiple categories which may use or accept different behaviours. The majority of particiapnts in these studies appeared to position themselves as positive deviants, acknowledging past or minor “black-hat” behaviour. This work contributes to the development and improvement of methodologies in online environments: this research was exploratory in accessing a hard to reach demographic that is often untrusting of outsiders. Adaptions to ethical procedures ensured complete anonymity for the participants, improving the participant recruitment rate. Key findings from this research demonstrate that hacking communities can be very positive and supportive for their members, functioning primarily as meritocracies. This is regarded by the communities as an important positive trait, in conjunction with online anonymity. The conclusions of this research consistently support the findings of previous studies. 4 Author’s declaration I confirm that this thesis is the result of my own work with the following exception of the reports detailed below. Additional material used in this thesis have been fully referenced and acknowledged throughout. Chapter 2 is in part published as a book chapter in collaboration with one co-author. It was conceived by HT and JM, researched and written by HT; JM provided commentary, review and support. Thackray, H., and McAlaney, J., 2017. Groups Online: Hacktivism and Social Protest. In Psychological and Behavioral Examinations in Cyber Security. 194-209. IGI Global. Chapter 6 is in part published as a conference paper in collaboration with four co- authors. It was conceived by HT and JM and researched and written by HT; JM, JT, CR and HD provided commentary, review and support. Thackray, H., Richardson, C., Dogan, H., Taylor, J. and McAlaney, J., 2017. Surveying the Hackers: The Challenges of Data Collection from a Secluded Community. In: 16th European Conference on Cyber Warfare and Security (ECCWS), 29 - 30 June 2017, Dublin, Ireland, 745-748. 5 Presentations by lead author: • Thackray, H, McAlaney, J., Taylor, J. (2018). “Talking to hackers: A social psychological approach to improving Cybersecurity”, Presentation at Behavioural and Social Sciences in Security (BASS18), July, Lancaster, UK. • Thackray, H., McAlaney, J., Dogan, H., Taylor, J., Richardson, C. (2017). “Challenge accepted: Data Collection from hacking communities”, Presentation at 22nd Annual CyberPsychology, CyberTherapy and Social Networking Conference (CYPSY22), 26th June, Wolverhampton, UK. • Thackray, H., McAlaney, J., Dogan, H., Taylor, J., Richardson, C. (2016). “Social Psychology: An under-used tool in Cybersecurity”, Position Paper at 30th British Human Computer Interaction Conference, July, Bournemouth, UK. • Thackray, H, McAlaney, J., Taylor, J. (2016). Anonymous Online Hacking Groups. Presentation at 3rd Interdisciplinary Network for Social Protest Research (INSPR) Conference, June, Cambridge, UK. Published Papers and Articles: • McAlaney, J., Thackray, H., Taylor, J. (2018). “Behaviour Change: Cybersecurity”, British Psychological Society. • Sample, C., McAlaney, J., Bakdash, J. Z., Thackray, H. (2018). “A Cultural Exploration of the Social Media Manipulators”, in 17th European Conference on Cyber Warfare and Security (ECCWS), Oslo, Norway. • Taylor, J., McAlaney, J., Hodge, S., Thackray, H., Richardson, C., James, S., and Dale, J. (2017). “Teaching psychological principles to cybersecurity students,” in Proceedings of the IEEE Global Engineering Education Conference, Athens, Greece. • Thackray, H., McAlaney, J., Dogan, H., Taylor, J., Richardson, C. (2017). "Hackers gonna hack: Data Collection from hacking communities", WIP Paper in 16th European Conference on Cyber Warfare and Security (ECCWS), Dublin, Ireland. • McAlaney, J., Thackray, H., Taylor, J. (2016). “The social psychology of cybersecurity”, The Psychologist, Issue 29, 686-689. Poster Presentations: • Thackray, H. (2016). Anonymous Online Hacking: From a Social Psychology perspective. Poster at The Faculty of Science and Technology's Second Annual PGR Conference 2016, May, Bournemouth, UK. 6 • Thackray, H. (2016). Anonymous: Online group processes, social identity and cybersecurity. Poster at Bournemouth University 8th Annual Post Graduate Conference, March, Bournemouth, UK. Hacking Conventions: • Thackray, H (2018). “Can’t hack, love to lurk: Sharing academic research”, Presentation at SteelCon, July 2018, Sheffield, UK. • Thackray, H (2017). “Hackers gonna hack: But do they know why?” Presentation in the Social Engineering Village, DefCon25 Hacker Convention, July 2017, Las Vegas, USA. • Attended BruCon, October 2016, Ghent, Belgium. • Attended Hacktivity, October 2016, Budapest, Hungary. • Attended DefCon24 Hacker Convention, August 2016, Las Vegas, USA. 7 Contents Abstract ......................................................................................................................... 3 Author’s declaration ..................................................................................................... 5 List of Figures .............................................................................................................. 10 List of Tables ................................................................................................................ 10 Acknowledgements ..................................................................................................... 12 Chapter 1: Introduction................................................................................................... 13 1.1 Problem Overview ................................................................................................. 13 1.2 Research Context and Scope .............................................................................. 16 1.2.1 Aims and Objectives ....................................................................................................17 1.2.2 Research Ethics ...........................................................................................................18