Implementing a risk-based security program and appropriate controls against adaptive cyber threat actors can be a complex task for many organizations. With an understanding of the basic motivations that drive cyber-attacks, organizations can better identify where their own assets may be at risk and thereby more efficiently and effectively address identified risks. This article will discuss the Rational Actor Model (RAM) as well as the seven primary intrinsic and extrinsic motivations for cyber attackers.
Deterrence and security theory fundamentally rely upon the premise that people are rational actors. The RAM is based on rational choice theory, which posits that humans are rational and will take actions that are in their own best interests. Each decision a person makes is based upon an internal value calculus that weighs the costs versus the benefits of an action. By altering the cost-to-benefit ratio of a decision, the decision, and therefore the behavior, can be changed accordingly.
It should be noted at this point that ‘rationality’ relies upon a personal calculus of costs and benefits. When speaking about the rational actor model or deterrence, it is critical to understand that ‘rational’ behavior is that which advances the individual’s interests and, as such, behavior may vary among people, groups and situations. For this reason, it is impossible to prevent all crime through deterrence. Some people will simply weigh the pros and cons of committing a crime and determine it is ‘worth the risk’ based upon their personal internal value calculus.
While some criminologists dispute RAM in favor of other models, anecdotally it is difficult to argue with the value of the model. It is arguable that even terrorists employ the RAM, and often select targets where there is fairly good certainty of “success”. This, again, echoes the model of risk management and a rational model of decision-making. The concept repeats in all areas of behavior, including cybercrime.
With an understanding of RAM, it is important to explore human motivation. In short, there are two types of motivation that drive human behavior: intrinsic and extrinsic. Intrinsic motivations are those that are driven by internal rewards. They include motivations that are satisfying to the individual. Eating, climbing a mountain, and watching a great movie are all examples of intrinsically motivated actions. Extrinsic motivations, by contrast, are those that drive behaviors resulting in external rewards. Working for a wage, playing the lottery and crime can all be examples of extrinsically motivated behavior. No doubt at this point readers have identified that actions can be both intrinsically and extrinsically motivated.
With an understanding of the Rational Actor Model and motivation theory, it is now possible to discuss the motivations behind cyber-attacks. It should be noted that the term ‘crime’ is not used, as it is a legal term and an attack may or may not be considered a crime. As such, the more generic term ‘attack’ is used. In general, seven different motivations exist for those who attempt a cyber-attack. This has been coined the Mark Heptad (yes, after this author and creator). The seven motivations are:
- Financial (extrinsic) – Theft of personally identifiable information (PII) that is then monetized is a classic example of the financial motivation for cyberattacks. Primarily perpetrated by organized criminal groups, this motivation represents a large percentage of cyberattacks against retailers and health care providers.
- Social/Political “Hacktivism” (primarily intrinsic) - Social or ideological issues create a motivation for some to attack organizations to make a statement. The hacking and defacement of a U.S. Government system in which the attackers post disparaging remarks about capitalism or democracy would be a solid example of hacktivism.
- Espionage (extrinsic) - Generally, we think of cyber espionage in terms of theft of intellectual property but it could also be focused upon the theft of confidential information related to acquisitions, marketing plans and other types of data. Nation State actors are considered the largest group of cyber espionage attackers but there have been examples of companies engaging in cyber espionage against competitors.
- Revenge (intrinsic) - Disgruntled employees or former employees are those that typically commit the lion’s share of revenge-based cyberattacks. The news is replete with stories of disgruntled former employees attacking their former employers.
- Nuisance/Destruction (intrinsic) - There are some that are intrinsically motivated to simply attack an organization or person for no other reason than to create chaos and destruction. It is unfortunate but true. A great example is that of the notorious bank robber “Slick” Willie Sutton. There is an apocryphal story about why he robbed banks. When asked, it was reported that he stated he robbed banks because “That is where the money is”. In reality, he stated he “simply loved to rob banks”. Money was not a motivating factor.
- War/Defense (extrinsic) - In the 21st century it would be irresponsible to ignore the role that nation states and even ‘patriot hackers’ play in either initiating attacks or defending against adversaries. Disrupting supply chains, destroying centrifuges and other attacks can be classified as War/Defense driven. The Stuxnet Virus identified in 2010 that was used to destroy the Iranian centrifuges is but one relevant example of such a motivation.
- Facilitation (extrinsic) - Cyber attackers frequently use proxies and other systems to attack their final target. For this reason, it is important to note that some organizations and systems may simply be convenient targets which enable and facilitate an attacker’s actions. Consider botnets. Systems are compromised to enable them to then attack other systems. The compromise of a system that is within the botnet is simply used to facilitate another attack. Another example would be that of a person selling illicit products on the dark web. They will frequently compromise a system to then place the hidden service on that particular system. This provides a degree of abstraction from their actions and plausible deniability in the event law enforcement is involved.
The motivations are most accurately depicted in a Venn diagram as they are not mutually exclusive. An attacker may have more than a single motivation to target a particular organization. Additionally, different attackers may have different motivations. Consider the example of a large construction company. It is foreseeable that an organization such as the Earth Liberation Front (ELF) may attempt an attack to make a political or social statement while the same organization could be targeted by an adversarial nation state in an attempt to steal intellectual property.
Organizations evaluating their security posture and developing a risk-based security framework would be well served to consider the various potential motivation-related threats. The practical relationship between security, risk, and decision making is well articulated by the US Department of Homeland Security, which describes it as an approach for making security decisions. This is further advanced in the National Institute of Standards and Technology NIST 800-37 Risk Management Framework when it says:
“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…” (NIST, 2010. p. 3). (emphasis added)
It is not uncommon to speak with executives and hear the common refrain “I do not believe we are a target. We have nothing anyone wants to steal.” This position ignores the fact that people are motivated by different factors. Recently, while speaking at an event for a large construction machine manufacturer, I posed the question: “Why would someone want to attack your company?” A very astute participant answered succinctly “because we destroy the planet”. She was right. While there may be numerous reasons someone would want to attack that company, it would be naïve to not consider the fact that someone may view them in a negative light as ‘destroying the Earth’ and desire to make a statement by attacking them.
Here are some questions you can ask to determine what may make your organization a target for cyber-attacks.
- Does your organization possess any PII or ‘regulated data’ such as payment card data, health care data, social security numbers or bank accounts? (Financially motivated attacks)
- Does your organization have a global or large brand that is affiliated with something that could be considered offensive to some group? As an example, does your organization support a government organization? Can your brand be viewed by some as being associated with “American capitalism” or “imperialism”? Does your organization build products or services that may incite extremists? An example would be animal testing or mining. (Hacktivism)
- Does your organization have patents and trade secrets? Even specialized processes can be at risk. (Espionage)
- Does your organization support the U.S. Military? An example would be supply chain management or manufacturing of parts that could be used by the military. (War/Defense)
- Nuisance and Revenge are acts that are normally undertaken for the intrinsically satisfying value of simply doing harm. All companies are subject to these.
When considering the threats and associated risks that face an organization, it is important to also consider the motivations that may drive attackers. By doing so, organizations can more efficiently and effectively apply applicable controls, as motivations for attacks often drive the attack method. Consider, for example, nation state cyber espionage and intellectual property theft. Numerous reports indicate that the primary method for such attacks is Advanced Persistent Threat (APT). Those desiring to steal payment card data typically install malware on point-of-sale (POS) systems with the intent of stealing magnetic stripe data. Companies conducting a risk analysis would be well served to consider such motivations when evaluating their exposure.