The Psychological Levers of the Cyber Criminal

Mark Sirkin, PhD

Head, Applied Psychology & Human Factors,

Assured Cyber Protection

Criminals have probably been around since there have been societies and hard-working people for them to take advantage of.  Of course, the technology changes, but the motives remain the same: take from those who have without paying the fair and honest price for the goods or value received.  It is an obvious fact that pickpockets did not exist before there were pockets, but once that “technology” was invented, people came along to take what was in them.  The famous American bank robber John Dillinger was asked, “Why do you rob banks?”  After a brief pause, he answered, “Because that’s where the money is.”  Information is now the world’s most important commodity. Computers, and the digitalization that accompanies them, are the new “bank vaults” of our time.  Cyber criminals ply their trade “where the money is,” and these days that’s inside sophisticated computer networks.

In the world of cyber security, there five types of criminal behavior:

  1. State-sponsored cyber crime
  2. Criminal gangs
  3. Cyber criminals
  4. Mischief makers
  5. Clueless and inept

While not a scientific classification, and sometimes the lines between the types blur, it is safe to say that the motivations and methods of each group differ.

State sponsored cyber crime (SSCC) is the new battlefield in the never-ending struggle between states for dominance and advantage.  Sometimes the goal is outright theft, but more often these are sophisticated players, looking to find secrets and compromise people, agencies, and states.  SSCCs are the most sophisticated, and well-funded, threat actors out there.  And while their targets are most often other states, they may be equally interested in using their tools to gain financial profit, both to hurt their victims as well as to fund and enrich their activities.  Often, however, the goals are less financial and more about damaging political opponents or entities.  Sowing seeds of confusion and doubt, making popular candidates vulnerable, and other activities of espionage and statecraft have been around for millennia.  But like many tasks these days, computers enable the SSCCs to accomplish more with less.  The response to these threat actors must match their sophistication and resources to be effective.  These actors are often motivated by a perverted patriotism that views harm to another state as a win for the state doing the harm.

Criminal gangs may be funded by a state, but are typically smaller, self-contained groups focused on financial gain.  Usually, their goals entail using information to gain money directly or obtain or control of something valuable, in order to extort money.  Many municipalities around the world, especially in the U.S., have been “hacked,” allowing these criminals to hold entire cities hostage until a ransom, often in the multi-millions, has been paid.  Bitcoin, unfortunately, has enabled these criminals to take their proceeds and move on, undetected.  The problem is exacerbated when victims refuse to admit or expose what has been done, or that a ransom has been paid.  Because of this embarrassment, the extent of this cybercrime is not well-known or advertised, but it is an ongoing and growing problem.  Gangs are motivated primarily by greed and the ability to turn their computer knowledge to quick and significant profit.

Cyber criminals are individuals who are clever enough to use advanced technologies for personal gain.  Many phishing, or spear phishing, attacks are of this sort.  A bad actor reaches out to a group, or individual, promises them significant gain if only they send money or do some other thing, which exposes the individual’s bank account, or other valuable information, allowing the criminal to rob them.  As with most other cyber techniques, this one has evolved over time.  Ten years ago, many of us received emails from the ubiquitous “Nigerian prince” (or some other wealthy, desperate person) who needed a small sum from you in order for you to get a much larger sum down the road.  Of course, the larger sum never appeared.  As this crime became more sophisticated, the goal became access to your entire bank account.  Spoofing, which involves the imitation of an email from a reputable source, is often used in current situations to trick people into exposing banking and other information, which the criminal can use to access as much of your net worth as they can get their hands on.  Cyber criminals, like con men of yore, will use a “charm” offensive to get you to feel sorry for them so you give them money or get sloppy about your security so they can help themselves.  This group too is motivated by money, but they also enjoy the “game” of getting it.

Mischief makers are a new breed of cyber criminal.  While many, if not most, criminals are motivated by profit, these have something to prove.  The smash-and-grab methods of the bank robber are replaced by the more sophisticated methods of the “black hat hackers.”  Their primary goal is to prove they are smarter than you, that no vault or encryption can keep them out.  If they do use their methods to make money, that is often an extra prize, not the main goal.  Mischief makers often justify their behavior in the same way anarchists or political activists (or so-called “hacktivists”) do.  “The system,” they will say, “is corrupt and we are striking out for the little guy.”  Of course, if they steal from “the system” who can blame them, since for these actors the system is flawed.  Criminal behavior is transformed into standing up for the little guy, getting back at the “man,” or some other type of scorekeeping.  Motivated by their sense of justice, and a misguided idea of right and wrong, mischief makers justify their often-illegal behavior.

Our last group are both clueless and inept.  These people are not really criminals in the common sense, but they are more often guilty of criminal negligence.  Basic cyber training can teach most people how to avoid obvious phishing scams, the importance of complex passwords and two-factor authentication.  But whether through laziness, lack of intelligence, or simple neglect, these are the people who inadvertently let criminals in.  The criminals themselves, we know, are motivated by greed.  These people don’t benefit directly from their actions, or inactions.  Often, they themselves are the biggest losers.  They are often motivated by a lack of attention to detail, an unwillingness to take the care and time to do things right or come up with a password more complicated than “1-2-3-4-5-6.”  While they may not be criminals in themselves, they enable crime – they are the lock into which the cyber criminals’ key best fits.  The good news is that, although these people are the most common type of cyber criminal, they are the easiest to train or screen out of your organisation.

Each type of cyber criminal has slightly different motivations that must be considered to prevent them from doing damage to the network.  Well-funded, state criminals probably require a well-funded, state response.  Other sorts of criminals require a response that is proportional to the value of what is being protected.  And bad, or lazy, actors must be stopped or convinced of the error of their ways.