The Art Of Profiling Cybercriminals
New psychological and criminological studies attempt to capture a glimpse of the human behind the hack
By Kelly Jackson Higgins
Dec 08, 2011
He’s a white, 37-year-old engineer in your organization, and he feels justified in selling out your intellectual property to a foreign country because he’s miffed about getting overlooked for a promotion. He has had a history of mental health problems, and his marriage is on the rocks as he faces personal financial issues.
Those are some of the common characteristics of the perfect storm for a typical malicious insider who steals and profits from his organization’s trade secrets, according to a new report authored by psychologists with expertise in risk management and forensic psychology. The “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property” research paper by Drs. Eric Shaw and Harley Stock was commissioned by Symantec and draws from real-world malicious insider cases.
With cybercrime becoming the weapon of choice for more criminals, psychologists such as Shaw and Stock, as well as sociologists and criminologists, are increasingly being tapped to help construct profiles of hackers and malicious insiders so organizations can better defend against outside threats and better spot trouble internally.
While technology has been the main weapon against these attacks, experts say a better understanding of the psychological, criminological, and sociological side of the equation can help boost defenses and even catch an internal thief before he goes the distance.
Stock, a certified forensic psychologist and managing partner with the Incident Management Group (IMG), says the profile of the malicious insider that he and Shaw derived from real-world cases isn’t just about the physical profile: “In the research, it says the typical person who conducts intellectual property theft is a 37-year-old male Caucasian. But we don’t want companies to get sidetracked by that [profile] — anybody at any given time is capable of stealing,” Stock says. “We tried to describe how they get on a critical pathway to IP theft, and how you can identify different parts of that pathway.”
Criminologist David Maimon, assistant professor of criminology and criminal justice at the University of Maryland’s College of Behavioral and Social Sciences, recently teamed with engineer and computer scientist Michel Cukier, associate professor of reliability engineering at the university, to study the criminological side of hacking, spamming, and malware.
The professors, who plan to present details of their findings early next year, discovered some interesting correlations between computer crime and network usage trends that can help organizations better predict victims and attacks.
“We both had interest in the human component and tried to figure out innovative ways to try and study the human players behind cybercrime,” says Maimon, who provided Dark Reading with a preview of some of the findings.
The researchers used real data from actual attempted attacks against the University of Maryland’s network to study trends in how and when attackers strike, as well as other characteristics. One of their key findings was that the social composition of the network typically helps determine the origin of an attack, and that cybercriminals are like physical criminals: They are opportunistic when it comes to their victims.
“Cyberattacks against the campus network occurred at specific times, when most of the victims were on campus and using the system,” Maimon says. “When you have more users online, you have more victims so more crimes going on during that time.”
And like physical crime, where you go on the network determines your risk, too, he says. “We all use the same sort of devices to protect our systems, IPSes, IDSes, firewalls, and antivirus,” Maimon says. “These tools are important, but at the same time you have to take into consideration the social [aspect] and end users.”
As for the malicious insider, predispositions and professional dissatisfaction or a sense of being slighted in his job can serve as a trigger for sending him on that path. “A perceived injustice sends them along the critical pathway. They move from a psychological sense of not being treated fairly to developing justification responses, giving themselves excuses to do bad behavior,” Stock says.
Around 65 percent of malicious insiders have already lined up a new job with a competitor or started their own firm at the time of the data theft. More than half begin stealing information within a month of leaving their employer. One-fourth sell the stolen information to a foreign company or country, and 20 percent are hired by an outsider to pilfer the information, according to the Symantec report.
Three-fourths take information that they have legitimate access to in their jobs, and more than half of these cases involve the theft of trade secrets; 30 percent, billing information, price lists, and other administrative data; 20 percent, source code; 14 percent, proprietary software; 12 percent, customer information; and 6 percent, business plans.
Even so, an employee going rogue after being overlooked for a promotion, for example, is the exception, not the rule. “A lot of employees aren’t happy and think about doing bad things, but very few move down that pathway to do it. Those who do are very dangerous,” Stock says.