Saturday, 22 January 2011

Paper

A belated welcome to 2011.

I have another paper posted in the SANS reading room.

A Question of Platinum Plus
By: Craig Wright
Category: Risk Management
Posted: December 29, 2010
It is a Gold paper for a Platinum certification and yes I am the only one insane enough to have done this :)

Basically, it is a survival analysis applied to security, part of a series of quantification studies into information security risk.

Criminal Specialization as a corollary of Rational Choice.

Rational choice theory can provide a basis for an amalgamated and inclusive theory of behavior related to cybercrime. Rational choice centers on instrumental rationality [1]: the choice of the most efficient and effective means to achieve a set of particular ends. These ends include the acquisition of wealth or other scarce resources. The decision of an individual or criminal group to engage in socially detrimental criminal activity is not based on social deviance, but rather on a perceived rational choice that such activities are the most likely to provide the desired outcome. Cohen [7] asserted that conduct is rational if it involves the choice of means to achieve an end.

Grabosky [18] argued that cybercrime resembles any other profit-based criminal activity. In this way it can be explained by three factors: motive, opportunity, and an absence of capable governance or guardianship. Reducing any one of these factors can be shown to increase the costs associated with criminal action and hence reduce the profitability of cybercrime. This reflects the state of mind of the 'rational criminal'.

Rational choice theory assumes that an agent can be modeled as Homo economicus [2]: an individualistic, passive agent who is moved by the conditions experienced. These experiences and circumstances, coupled with the rational agent's assumptions, lead to a series of rational choices that are believed by the agent to be optimal, but may be detrimental to society as a whole [19]. 'Rational man' is thus an 'economic man'. Instrumental rationality is used by the rational agent to gauge the ends and means that establish the actions used to plot one's course through life [6]. Choice involves an active progression in which each agent evaluates (consciously or subconsciously) the benefits and costs, and then makes a continuing series of conscious decisions [12]. Each agent reflects on his or her current circumstances as evaluated against the attainment of his or her goals as a set of composite goods. That agent alone can establish whether the price can be afforded [2].

Rational choice theory is based on the assumption that an agent, as Homo economicus, holds particular sets of discrete, fixed, hierarchical predilections [24]. The assumption is that the agent will select the action with the preferred outcome. This outcome (if achieved) optimizes the difference between the costs and benefits [6] associated with the action. Rationality is achieved in a series of actions that remain consistent with the agent's stable preference rankings, in a manner designed to return the optimal relation between the goals and beliefs of the agent [17]. This ideally returns the largest set of composite goods (as determined by the rational agent) for the lowest cost.

Actions, including crime, can be 'rational' for agents at the individual level. These, when combined across a group, coalesce to generate a variety of systemic social outcomes. At times (such as may result from cyber-terror and DDoS attacks), many of the ill effects are intended by the agents. More often, the result is an unintended consequence that may be socially optimal or, more commonly, socially non-optimal [8]. Ill effects from the actions of socially focused agents (such as police and 'white-hat' hackers taking vigilante action) can also frequently result in unintended sub-optimal social responses.

Present crime statistics for cybercrime more correctly reflect the political state than the actual extent of computer-based crime [8]. This is a direct consequence of both low reporting and low response rates. Many organizations fail to report any computer-based incidents. This can result from a lack of knowledge of the event, a desire to avoid potentially adverse publicity or related consequences, or a failure to meet an economically or legislatively set minimum loss value. These factors undervalue the losses to criminal activity.

Crime is explained by three factors: motive, opportunity, and an absence of capable governance or guardianship. An increase in defenses that lowers the effect of any of these factors reduces the amount of composite goods that can be obtained by the cybercriminal for any set level of criminal activity [20]. The rational choices made by agents considering criminal actions are decreased through a combination of price policy and benevolence policy. This applies both at a societal level and to individual organizations, where increased defenses lower an organization's probability of attack by making its competitors the more attractive, lower-cost opportunities.
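The target-selection argument above, as an added illustration that is not from the paper or the post: a rational agent scores each target by benefit minus cost and attacks only where the net return is positive, so raising one organization's guardianship shifts the choice to a less-defended peer. The functional forms tying guardianship to success probability and attacker cost, and the sample organizations, are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Target:
    name: str
    benefit: float       # composite goods the agent obtains on success
    opportunity: float   # success probability with no guardianship (0..1)
    guardianship: float  # defensive effort; 0 means none (assumed scale)


def expected_net_return(t: Target, base_cost: float = 1.0) -> float:
    # Assumed functional form: guardianship both lowers the chance an
    # attempt succeeds and raises the cost of making the attempt.
    p_success = t.opportunity / (1.0 + t.guardianship)
    cost = base_cost * (1.0 + t.guardianship)
    return t.benefit * p_success - cost


def rational_choice(targets: List[Target]) -> Optional[str]:
    # Instrumental rationality: take the target with the largest net return.
    # If no target is profitable, the rational agent abstains (None).
    best = max(targets, key=expected_net_return)
    return best.name if expected_net_return(best) > 0 else None


def harden(targets: List[Target], name: str, extra: float) -> List[Target]:
    # One organization raises its defenses; its competitors are unchanged.
    return [replace(t, guardianship=t.guardianship + extra) if t.name == name else t
            for t in targets]


# Constructed sample: two organizations of equal value that differ only in defenses.
SAMPLE = [Target("orgA", 100.0, 0.5, 0.0), Target("orgB", 100.0, 0.5, 1.0)]

if __name__ == "__main__":
    print(rational_choice(SAMPLE))                        # orgA: the cheaper opportunity
    print(rational_choice(harden(SAMPLE, "orgA", 2.0)))   # orgB: attacks shift to the competitor
    print(rational_choice([Target("solo", 1.0, 0.5, 5.0)]))  # None: no profitable target
```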

References

[1] Abadinsky, H. The Criminal Elite. Westport, CT: Greenwood Press, 1983.

[2] Archer, Margaret S. "Homo economicus, Homo sociologicus and Homo sentiens." In Rational Choice Theory: Resisting Colonization, ed. Margaret S. Archer and Jonathan Q. Tritter. London: Routledge, 2000.

[3] Badonnel, R., State, R., Chrisment, I., and Festor, O. "A Management Platform for Tracking Cyber Predators in Peer-to-Peer Networks." Second International Conference on Internet Monitoring and Protection (ICIMP 2007), San Jose, CA, 2007.

[4] Bednar, P. M., Katos, V., and Hennell, C. "Cyber-Crime Investigations: Complex Collaborative Decision Making." Third International Annual Workshop on Digital Forensics and Incident Analysis (WDFIA '08), 2008.

[5] Broadhurst, R. G. "International Cooperation in Cyber-crime Research." Proceedings of the 11th UN Congress on Crime Prevention and Criminal Justice, Workshop 6: "Measures to Combat Computer Related Crime," pp. 1-12, Bangkok, 2005.

[6] Clarke, R. and Cornish, D. "Modelling offenders' decisions: A framework for research and policy." In Crime and Justice: An Annual Review of Research, ed. M. Tonry and N. Morris. Chicago: University of Chicago Press, 1985.

[7] Cohen, P. S. "Rational conduct and social life." In Rationality and the Social Sciences: Contributions to the Philosophy and Methodology of the Social Sciences, 1976.

[8] Neufeld, Derrick J. "Understanding Cybercrime." Proceedings of the 43rd Hawaii International Conference on System Sciences (HICSS), pp. 1-10, 2010.

[9] Devost, Matthew G. "Hackers as a National Resource." In Information Warfare: Cyberterrorism: Protecting Your Personal Security in the Electronic Age, ed. Winn Schwartau, second trade paperback edition. New York: Thunder's Mouth Press, 1996.

[10] Einstadter, Werner and Henry, Stuart. Criminological Theory. Fort Worth: Harcourt Brace, 1995.

[11] Fowler, C. A. and Nesbit, R. F. "Tactical Deception in Air-Land Warfare." Journal of Electronic Defense, June 1995.

[12] Friedman, Milton. "The Methodology of Positive Economics." In Essays in Positive Economics. Chicago and London: Chicago University Press, 1953.

[13] Gambetta, Diego. The Sicilian Mafia: The Business of Protection. London: Harvard University Press, 1993.

[14] Gambetta, Diego. The Origins of the Mafias. Cambridge: Mimeo, 1991.

[15] Gambetta, Diego. "Mafia: the price of distrust." In Trust: Making and Breaking Cooperative Relationships, ed. Diego Gambetta. New York: Basil Blackwell, 1988.

[16] Gambetta, Diego. "Fragments of an economic theory of the mafia." Archives Européennes de Sociologie 24 (1988).

[17] Gordon, S. and Ford, R. "Cyberterrorism?" Symantec Security Response White Paper, 2002.

[18] Grabosky, P. and Broadhurst, R. G. "The Future of Cyber-crime in Asia." In Cybercrime: The Challenge in Asia, ed. R. G. Broadhurst and P. Grabosky, pp. 347-360. The University of Hong Kong Press, 2005.

[19] Hechter, Michael and Kanazawa, Satoshi. "Sociological rational choice theory." Annual Review of Sociology 23 (1997).

[20] Lyman, Michael D. and Potter, Gary W. Organized Crime. New Jersey: Prentice Hall, 1997.

[21] Morash, Merry. "Organized crime." In Major Forms of Crime, ed. Robert F. Meier. California: Sage Publications, 1984.

[22] Pillai, Ramesh Kumar Goplala and Kumar, P. Ramakanth. "Simulation of Human Criminal Behavior Using Clustering Algorithm." International Conference on Computational Intelligence and Multimedia Applications (ICCIMA 2007), vol. 4, pp. 105-109, 2007.

[23] Richards, James R. Transnational Criminal Organizations, Cybercrime, and Money Laundering. Boca Raton, FL: CRC Press LLC, 1999.

[24] Zey, Mary. Rational Choice Theory and Organizational Theory: A Critique. Thousand Oaks: Sage Publications, 1988.