Psychological Profiling of Hacking Potential1
Total Page:16
File Type:pdf, Size:1020Kb
Proceedings of the 53rd Hawaii International Conference on System Sciences | 2020 Psychological Profiling of Hacking Potential1 Joana Gaia Bina Ramamurthy G. Lawrence Sanders Department of Management Department of Computer Department of Management Science and Systems Science and Engineering Science and Systems University at Buffalo, SUNY University at Buffalo, SUNY University at Buffalo, SUNY Sean Patrick Sanders Shambhu Upadhyaya Xunyi Wang Department of Computer Department of Computer Department of Management Science and Engineering Science and Engineering Science and Systems University at Buffalo, SUNY University at Buffalo, SUNY University at Buffalo, SUNY Chul Woo Yoo Information Technology and Operations Management Florida Atlantic University Abstract Several suggestions will be made on what This paper investigates the psychological traits of organizations can do to address insider threats. individuals’ attraction to engaging in hacking behaviors (both ethical and illegal/unethical) upon 1. Introduction entering the workforce. We examine the role of the Dark Triad, Opposition to Authority and Thrill- International Data Corporation (IDC) [1] estimates Seeking traits as regards the propensity of an that the amount of data stored will grow from 33 individual to be interested in White Hat, Black Hat, zettabytes to 175 zettabytes by 2025 (a zettabyte is a and Grey Hat hacking. A new set of scales were trillion gigabytes). The ongoing protection of this developed to assist in the delineation of the three hat batholith of organization and personal information is a categories. We also developed a scale to measure major challenge because a substantial amount of that each subject’s perception of the probability of being data has monetary and information value. The Privacy apprehended for violating privacy laws. Engaging in Rights Clearinghouse has been keeping a running tab criminal activity involves a choice where there are since 2005 on the number of data breaches. In 2005 consequences and opportunities, and individuals the number of data breaches made public was 8,804. perceive them differently, but they can be deterred if Now that number is approaching 11.6 billion [2] there is a likelihood of punishment, and the records. The eighteen largest breaches in 2018 punishment is severe. involved more than 10.3 million individuals [3]. The dark side of the abundance of personal The results suggest that individuals that are White information is that the information, even legally Hat, Grey Hat and Black Hat hackers score high on protected information can be compromised by trusted the Machiavellian and Psychopathy scales. We also insiders and by external hackers. A substantial portion found evidence that Grey Hatters oppose authority, of privacy violations including funds embezzlement, Black Hatters score high on the thrill-seeking pilfering of trade secrets, theft of customer dimension and White Hatters, the good guys, tend to information, theft of competitive information, and be Narcissists. Thrill-seeking was moderately related fraudulent activities can be traced to insiders important for White Hat hacking and Black hat [4]. The losses from insider attacks can be significant hacking. Opposition to Authority was important for [5]. The average cost of an insider attack is $8 million Grey Hat hacking. Narcissism was not statistically per year [6]. But the fallout from a breach can lead to significant in any of the models. The probability of long-term loss of customers, lawsuits and severely being apprehended had a negative effect on Grey Hat damaged reputations. Insiders can be current and and Black Hat hacking. former employees, contractors, and business partners 1 This material is based upon work supported by the NSF under grant No. DGE-1754085 URI: https://hdl.handle.net/10125/64014 978-0-9981331-3-3 Page 2230 (CC BY-NC-ND 4.0) that have access to an organization’s network, system, This paper is organized as follows: first, a literature or data. Insiders can engage in malicious or review on hacking motivation and dark triad is unintentional activity that negatively affects the provided, followed by the economics of crime confidentiality, integrity, and availability of an literature. Then, we propose core hypotheses for the organization’s information system [7]. empirical examination. Next, the research method However, despite the importance of insiders in employed for validating the instrument and data security management, an understanding of how their collection is discussed, followed by a test of the hacking intention is motivated and developed based on structural model using partial least squares (PLS)- personal traits is still lacking. Particularly, examining based structural equations. Our empirical findings are different hacking intentions as a white hat, a black hat, then summarized, and possible explanations are and a grey hat has not been attempted in the literature. provided. Lastly, in the final section, the theoretical This study addresses this gap in the literature by and practical implications of these results are bringing attention to Dark Triad, Opposition to examined, and recommendations for future research Authority and Thrill-Seeking traits regarding the directions are offered. propensity of an individual and examining their influence on the white hat, black hat, and grey hat 3. Prior Research on Hacking hacking intention. The current study seeks to address two research Motivation questions: 1. Are the Dark Triad personality traits Psychological profiling hackers has attracted consisting of Machiavellianism, substantial recent research interest [5, 9-13]. Narcissism, and Psychopathy, along with Motivations for participating in hacking behavior the Opposition to Authority and Thrill- include seeking revenge, ideology, fun, thrills, Seeking constructs related to behavioral survival, notoriety, recreation, and profit [5, 14, 15]. intentions to engage in White Hat, Black Madarie conducted a study on what motivates Hat, and Grey Hat hacking? hackers using Schwartz’s theory of motivation types 2. Does the perception of being caught and found that many hackers are motivated by what engaging in illegal violations of privacy they don’t like, rather than what they like [16]. Of laws moderate the relationship, and is it particular note, was the discrepancy between what the inversely related to hacking propensity? “experts” suggest is the motivating factor behind To answer these questions, we conducted a survey hackers, and what actually motivates hackers. Madarie with 439 individuals that will soon enter the postulates that the discrepancy in the literature reflects workforce. a cultural and background bias. That is, hackers may This research note makes a twofold contribution to report to experts what they have heard that motivates the security literature. The first major distinguishing them, rather than what actually motivates them. contribution of our study is that we developed a set of Madarie’s study found that hacking is a social activity, dependent variable scales to measure behavioral where the hacking frequency is driven by peer intentions to engage in legal White Hat, illegal Black recognition, respect and by the opportunity to engage Hat, and hacktivist Grey Hat hacking. They are the in team-play and not by the intellectual challenge of White Hat, Black Hat, and Grey Hat hacking personas. the activity, by curiosity and even to seek justice. We also used a short form of the Dark Triad called the Maasberg et al. proposed a research model that Dirty Dozen, and we incorporated thrill-seeking and integrated the Dark Triad and the Capability, Motive, opposition to authority constructs. and Opportunity (CMO) framework [17]. The CMO The second major contribution of our study is that framework is one of the classical models used to we also integrated the economics of crime and rational understand insiders and how cyber-attacks occur. In choice theory frameworks with the psychological the CMO model, the potential perpetrator needs to profile of the subjects. Engaging in criminal activity have the Capability to commit the attack, the Motive involves a choice where there are consequences and for attacking, and the Opportunity to carry out the opportunities, and individuals perceive them breach [18]. differently, and individuals can be deterred when there The Dark Triad refers to a group of three generally, is a likelihood of punishment, and the punishment is socially undesirable personality traits, including severe [8]. We also included a construct to determine Machiavellianism (manipulative, deceitful and if the propensity to engage in one of the hacking exploitive), Narcissism (self-centered and attention- activities is moderated by the probability of being seeking) and psychopathy (lack of remorse, cynical apprehended. Page 2231 and insensitive) [19-21]. These measures are related, 3. The Genesis of White Hat, Black Hat, but they are nevertheless, distinct constructs [19, 22]. and Grey Hat Hacking Many of the Dark Triad personality traits are used by the press and by security experts to describe criminal activity by insiders, but as noted by Maasberg The White Hat, Black Hat, and Grey Hat hacker there are few studies involving insider threat behavior typology has been around for several years, and these [17]. We could only find one. terms have also been popular with the hacking A recent study investigated the relationship communities [24], the academic communities [25-27], between computer abuse, Narcissism, Psychopathy,