In our current digital society, the threat of cyberattacks is ever-present. According to a recent report, four in five CISOs and CTOs admit that IT projects have been slowed down by fears of “inevitable security issues,” and ninety per cent agreed that software vulnerabilities put their entire business at risk.
Implementing a risk-based security programme and controls against cyber threats can be a tricky job for many organisations. But, by understanding the motivations that fuel cyber-attacks, organisations can better identify which of their assets are at risk and thus efficiently and effectively address those areas to best protect their vulnerable assets.
As the complexity and frequency of cyber-attacks increases, it becomes more important to understand the motivations for and differences between attacks.
When analysing motivations for cyber-attacks, The Rational Actor Model (RAM) is a good place to start. This theory relies on the premise that humans act rationally and are motivated to make decisions in their own best interests. Therefore, by changing the balance of costs and benefits, people change their behaviours accordingly.
A person’s rationality relies heavily on their calculation of the costs and benefits of an action. However, there are no blanket rules for rationality. We are all different, and what is deemed rational varies from person to person and across groups and situations. Regarding the rational actor model, it must be remembered that not all crimes can be prevented through deterrence, because some people, having weighed the pros and cons, may decide that a crime is simply worth the risk.
Some criminologists disregard the RAM in favour of other models, but it is hard to dispute the value of the RAM, which echoes the model of risk management and rational decision-making, a concept repeated in all areas of behaviour, including cybercrime.
Human behaviour is driven by intrinsic and extrinsic motivations. Intrinsic motivations are driven by internal rewards which satisfy the individual, such as eating a delicious meal. Extrinsic motivations are driven by external rewards, such as going to work every day to earn a wage.
Having discussed the RAM theory, it is possible to explore the motivations of cyber-attacks. The seven motivations for cyber-attacks or crimes (the terms ‘crime’ and ‘attack’ are not used as legal terms) are:
- Financial (extrinsic) – Theft of personally identifiable information (PII) that is then monetised. These attacks are usually perpetrated by organised crime groups.
- Social/Political “Hacktivism” (mostly intrinsic) - Ideological issues generate motivation for some to attack organisations.
- Espionage (extrinsic) - Cyber espionage often represents theft of intellectual property or of confidential information.
- Revenge (intrinsic) - Disgruntled employees typically commit revenge-based cyberattacks.
- Nuisance/Destruction (intrinsic) – Some people attack organisations or individuals purely to generate chaos and cause destruction.
- War/Defence (extrinsic) – Nowadays nation states and ‘patriot hackers’ inevitably initiate attacks against, or defend against, adversaries.
- Facilitation (extrinsic) – Cyber attackers often use proxies or other compromised systems as stepping stones to attack their final targets.
It is important to highlight that motivations for cyber-attacks are not mutually exclusive, as a person could have more than one motive when targeting an organisation. Also, within a team of hackers, it is wholly possible that each member is motivated by a different factor or set of factors.
If organisations are re-evaluating their security strategies and looking to implement a risk-based security framework, they should consider the threats associated with each of these motivations.
It is common for organisations to neglect security practices and adhere to the mantra that “We are not a target; we have nothing to steal.” In reality, motivations vary significantly, and people could be driven to hack an organisation for reasons as diverse as stealing money, causing chaos or even environmental concerns that the organisation may not be wholly aware of.
To establish whether organisations are targets for cyber-attacks, here are questions to consider:
Does the organisation possess any personally identifiable information (PII)?
This data could come in the form of card payment data, healthcare data, social security details or bank account details. Those seeking to steal payment card data typically install malware on point-of-sale (POS) systems with the intent of harvesting magnetic stripe data. Companies conducting a risk analysis would be well served to think about such motivations when evaluating their exposure.
Does the organisation have a global brand that is recognisable and possibly offensive to certain groups?
An organisation could be affiliated to a national government, for example, and thus be viewed by opposition groups as an enemy and a target for attack. Alternatively, if an organisation relies on its brand reputation, its social media accounts could be vulnerable to attack, and precautions should therefore be taken to secure those accounts and the data within them from outsider threats.
Does the organisation possess trade secrets?
In this instance the term ‘trade secrets’ does not necessarily mean top secret national security information; it could simply be industry information that competitors want to get their hands on. Information can be secured through improving security awareness of Advanced Persistent Threats (APTs) and updating security protocols with appropriate Identity and Access Management (IAM) or Privileged Account Management (PAM) controls.
Are rogue employees likely to be an issue?
Nuisance and revenge attacks often occur simply because the attacker wants to cause harm, and therefore all companies are subject to them. These attacks are very difficult to protect against, but they can be anticipated, and perhaps avoided, if companies are vigilant and on the lookout for red flags in employee behaviour, for example signs that employees or ex-employees are disgruntled.
Answering these questions can help an organisation prioritise which risks are deemed the greatest and act accordingly. When considering the threats and associated risks facing an organisation, it is vital to identify and understand the motivations that inspire potential attackers so that organisations can effectively apply controls and limit the potential damage caused by cyber-attacks.
Chris Mark, PCI National Practice Director, AT&T Cybersecurity