This is a summary of a presentation given by Dr Maria Bada, former research fellow at the Global Cyber Security Capacity Centre, and Dr Jason R. C. Nurse, former researcher at Cyber Security Oxford, during the International Crime and Intelligence Analysis Conference in February 2016. The purpose of the presentation was to reflect on the current research and practice in the field of cybercrime, to present different methods of profiling cybercriminals and case scenarios, and to outline a future research agenda.
The challenge for research on cybercrime (or crime perpetrated using online technological means) is that it, at one hand, comprises any crime that involves a computer and a network. On the other hand, it relates to any crime committed on the Internet using the computer either as a tool or as target. The difference of those perspectives is that in the first case, the crime does not require a high level of technical expertise and aims to attack an individual in the real world in a subtle manner and /or on the psychological level. When using the computer as a target, crimes are often committed by groups of collaborating individuals. This requires a high level technical knowledge and skills, as well as coordination of those individuals, which makes this kind of crime often very sophisticated.
Current research focuses on the impact of an attack and its economic (and financial) harm, less on the cybercriminal itself. The existing stereotype of the uncertain, geeky hacker, is no longer accurate and attackers now are often cautious and stealthy. Practitioners cope with the situation in different ways: Governments attempt to respond with laws, corporations with policies and procedures, suppliers with terms and conditions, users with peer pressure, and technologists with code. The challenge for them as well for researchers is to factor in an understanding of criminal behaviour that has been amplified and facilitated by technology (Europol, 2011).
The Cybercriminal Profile
The key step in profiling a cybercriminal is identifying specific common characteristics that need to be investigated: Personal traits and characteristics comprise innate aspects such as openness, conscientiousness, extroversion, agreeableness, and neuroticism. Also, personal traits and characteristics are shaped by life experiences and events thus leading to machiavellianism, narcissism, psychopathy, sensation seeking maturity, aggressiveness, social-skill problems, superficiality, (lack of) self-esteem and personal integrity. The motivating factors for cybercriminals reach from hacktivism, monetary gain, espionage/ sabotage, and political/ religious belief, to curiosity/boredom, emotion/ sexual impulses, intolerance, thrill-seeking, enhancing self-worth, and the intent to control/manipulate others. Besides that, Rogers Mitchell (2006) has identified types of cybercriminals distinguished by their skill levels and motivations, such as novice, cyber-punks, internals (insider threat), coders, information warriors/cyber-terrorists, old guard hackers, and professional cybercriminals.
In practice, forensic psychologists use inductive or deductive profiling to make an educated guess of the characteristics of criminals. Inductive criminal profiles are developed by studying statistical data involving known behavioural patterns and demographic characteristics shared by criminals. Deductive profiling uses a range of data, e.g. including forensic evidence, crime scene evidence, victimology, and offender characteristics. A model example for a deductive cybercriminal profile (Nykodym et al., 2005) take information regarding the victim, the motive, the offender, and any forensic evidence.
Another way for profiling cybercriminals is the framework for understanding insider threat (Nurse et al., 2014) by the University of Oxford. It takes precipitating event (e.g. demotion) to look at a variety of actor characteristics and how those shape the character and the aim of an attack (see fig. 1)
The Case Scenarios
Using the existing literature and information available online presentation focused on analysing the profiles of cybercriminals based on two case scenarios:
Traits / Social characteristics:
- M. Mitchell worked with DuPont for ~24 years, and was DuPont engineer and Kevlar marketing executive
- Mitchell had been a model citizen with no criminal record
- Became disgruntled and eventually fired for poor performance
- During his tenure, he copied numerous DuPont computer files containing sensitive and proprietary information to his home computer
- Mitchell entered into lucrative consulting agreements with Kolon Industries, a DuPont competitor, and supplied them with the data (via email), resulting in millions of dollars in losses to DuPont
Using Mitchell and others to template the insider cybercriminal that targets Intellectual Property (IP) Theft
So, how can law enforcement benefit from these approaches?
By understanding the cybercriminal profile law enforcement can develop strategies to combat criminal behaviour manifested online and inform investigative methods. For future research this means to work further on the development and modelling of cybercriminal profiles and gathering more case and cybercriminal data to link types of cybercriminal profiles to types of cyber attacks (i.e. identify the patterns).
Nurse, J.R.C., Buckley, O., Legg, P.A., Goldsmith, M., Creese, S., Wright, G.R. and Whitty, M., 2014. Understanding insider threat: A framework for characterising attacks. In Security and Privacy Workshops (SPW), 2014 IEEE (pp. 214-228). IEEE. https://www.cpni.gov.uk/documents/publications/2014/2014-04-16-understanding_insider_threat_framework.pdf
Nykodym, N., Taylor, R. and Vilela, J. (2005) 'Criminal profiling and insider cyber crime', Computer Law & Security Report, 21 (5), pp. 408-414.
Rogers, M. K. (2006) 'A two-dimensional circumplex approach to the development of a hacker taxonomy', Digital Investigation, 3 (2), pp. 97-102.