Do you ever catch yourself asking: why do hackers hack systems, and what is the reason behind this behaviour?
Historians often use a special tool when analysing past political decisions made by leaders, attempting to replicate the rationale behind the particular choices they made. The same tool gives us some great insights into why threat actors launch cyber-attacks on an organisation.
This tool is known as the rational actor model.
Its main assumptions are reflected in its name:
• The primary decision-maker is believed to be a rational person.
• He/she is making an optimal choice.
• This choice is made on the basis of some calculated expected benefits.
• He/she is guided by consistent personal values.
Once knowledge of the decision-maker's preferences is gained, it is used to explain the choices they have made.
While the main concepts of this model can be applied successfully when making a new decision of any kind, they can also be used when analysing decisions made in the field of cyber-security.
The key premise of rational choice theory is that people don’t randomly select products off the shelf. Rather, they use a logical decision-making process that takes into account the costs and benefits of various options, weighing the options against each other.
An example of a rational consumer would be a person choosing between two cars. Car B is cheaper than Car A, so the consumer purchases Car B. Similarly, another customer who is seeking higher security will purchase Car A.
Some people will simply weigh the pros and cons of committing a crime and determine it is ‘worth the risk’ based upon their personal internal value calculus.
So, this model allows you to explore human motivation.
In short, there are two types of motivation that drive human behaviour: intrinsic and extrinsic.
**1. Intrinsic motivations** are those that are driven by internal rewards. They include motivations that are satisfying to the individual. Eating, climbing a mountain, and watching a great movie are all examples of intrinsically motivated actions.
**2. Extrinsic motivations**, by contrast, are those behaviors that result in external rewards. Working for a wage, playing the lottery and crime can all be examples of extrinsically motivated behavior.
It must be clear to you that all actions can be both intrinsically and extrinsically motivated.
It is arguable that even terrorists employ the rational actor model (RAM), and often select targets where there is fairly good certainty of “success”. This, again, echoes the model of risk management and a rational model of decision-making. The concept repeats in all areas of behavior, including cybercrime.
Each individual hacker, group of hackers, or threat actor will work out this calculus differently when contemplating an attack on your organisation, won't they?
7 MOTIVATIONS FOR CYBER-CRIMES
7-MOTIVATIONS TO CYBER-CRIMES
In general, seven different motivations exist for those who attempt a cyber-attack. The seven motivations are:
1. Financial (extrinsic)
The theft of personally identifiable information (PII) that is then monetized is a classic example of a financially motivated cyberattack. Primarily perpetrated by organised criminal groups, this motivation represents a large percentage of cyberattacks against retailers and health care providers.
2. Social/Political “Hacktivism” (primarily intrinsic)
Social or ideological issues also motivate some to attack organizations or companies to make a statement. The hacking and defacement of a U.S. Government system in which the attackers post disparaging remarks about capitalism or democracy would be a solid example of hacktivism.
3. Espionage (extrinsic)
Generally, we think of cyber espionage in terms of theft of intellectual property, but it could also be focused upon the theft of confidential information related to acquisitions, marketing plans and other types of data. Nation-state actors are considered the largest group of cyber espionage attackers, but there have been examples of companies engaging in cyber espionage against competitors. Your business rivals may also be motivated enough to launch cyber-attacks on you.
4. Revenge (intrinsic)
Former employees or current disgruntled employees typically commit the lion’s share of revenge-based cyberattacks. The news on the internet is full of stories of disgruntled former employees attacking their former employers.
5. Nuisance/Destruction (intrinsic)
There are some people who are intrinsically motivated to simply attack an organization or person for no other reason than to create chaos and destruction. It is unfortunate but true. A great example is that of the notorious bank robber “Slick” Willie Sutton. There is an apocryphal story about why he robbed banks. When asked, he reportedly said that he robbed banks because “That is where the money is”. In reality he stated he “simply loved to rob banks”. Money was not a motivating factor. There are many threat actors like him.
6. War/Defense (extrinsic)
It would be irresponsible to ignore the fact that nation states and even ‘patriot hackers’ engage in cyberwar, either initiating attacks or defending against adversaries. Disrupting supply chains, destroying centrifuges and other attacks can be classified as War/Defense driven. The Stuxnet virus identified in 2010 that was used to destroy the Iranian centrifuges is but one relevant example of such a motivation. A large number of such attacks have been attributed to Chinese nation-state actors in recent years.
7. Facilitation (extrinsic)
Cyber attackers frequently use proxies and other systems to attack their final target. For this reason, it is important to note that some organizations and systems may simply be convenient targets which enable and facilitate an attacker’s actions.
Consider botnets. Systems are compromised to enable them to then attack other systems. The compromise of a system that is within the botnet is simply used to facilitate another attack.
Another example would be that of a person selling illicit products on the dark web. They will frequently compromise a system to then place the hidden service on that particular system. This provides a degree of abstraction from their actions and plausible deniability in the event law enforcement is involved.
These motivations are not mutually exclusive. An attacker may have more than a single motivation to target a particular organisation. Additionally, different attackers may have different motivations.
If your organisation is evaluating its security posture and developing a risk-based security framework, then you must consider the various potential motivations related to threats. The practical relationship between security, risk, and decision making is well articulated in security circles. Right?
Often you will find company executives saying: “I do not believe we are a target. We have nothing anyone wants to steal.” This means only one thing: they are ignoring the fact that people are motivated by different factors. This is the time to tell them that there are many possible reasons that could motivate people to launch a cyber-attack on their organisation.
Here are some example questions you can ask to determine what may make your organization a target for cyber-attacks:
• Does your organization possess any PII or ‘regulated data’ such as payment card data, health care data, social security numbers or bank accounts? (Financially motivated attacks)
• **Does your organization have a global or large brand that is affiliated with something that could be considered offensive to some group? As an example, does your organization support a government organization?** Can your brand be seen by some as being associated with “American capitalism” or “imperialism”? Does your organization build products or services that may incite extremists? An example would be animal testing or mining. (Hacktivism)
• **Does your organization have patents and trade secrets?** Even specialized processes can be at risk. (Espionage)
• **Does your organization support the U.S. Military?** An example would be supply chain management or manufacturing of parts that could be used by the military. (War/Defense)
Nuisance and Revenge are acts that are normally undertaken for the intrinsically satisfying value of simply doing harm. All companies are subject to these.
Since each decision a person makes is based upon their own internal value calculus that weighs the costs versus the benefits of an action, we can alter the cost-to-benefit ratio of those decisions. When the costs become huge compared to the expected benefits, this serves as a deterrent and discourages them from taking that decision. If you implement the right security controls, you increase this cost and stop them from engaging in these unwarranted behaviours.
Sometimes considering their motivations may even unearth the methods they may have deployed against your organisation.