Rather than trying to pigeonhole all criminals in cyberspace, it is more meaningful and practical to look at the DNA of perpetrators as shaped by their motives, to understand it and to deal with the findings individually. However, one possible motive alone does not make a white-collar criminal. We know that.
The primary motives of criminals in cyberspace differ in part from those of white-collar criminals in the real world and can be categorized as revenge, financial gain, curiosity and fame.
According to Roger, the first two motives in cyber territory, revenge and financial gain, are also very common in the real world. According to the Fraud Triangle and the theories underlying it, “revenge” belongs to the realm of “justification” and is less associated with the “motive”.
As far as challenge, curiosity and fame are concerned, practice shows that these motivators are less pronounced in the case of classic economic crimes and compliance violations.
In this respect, the motives of cybercriminals differ from those of white-collar criminals as we have known them so far according to Cressey’s theory.
Curiosity encompasses in particular the urge for knowledge and intellectual challenge, while fame is about media attention, publicity and the image of the folk hero.
The DNA of white-collar criminals – whether in the virtual or real world – shows a large overlap in terms of motivation.
And it is precisely these drivers that need to be understood.
The category of revenge covers personal “outstanding accounts” with other persons, the organization or other states.
The issue of greed and personal enrichment is considered from the perspective of financial gain. This categorisation of the various possible motives is in no way exhaustive and is meant as an aid in classifying possible manifestations.
Shown graphically, the various perpetrators move within four different quadrants according to their characteristics.
Using the example of the “internal perpetrator (IN)”, the following derivation can be made using the graphic: The group of perpetrators has a relatively high standard of knowledge, which they were able to acquire internally (in the organization) and also externally (research, further training, etc.).
Compared to the “Information Warriors” (IW) they have slightly less knowledge, but much more than the novices (NV). The primary motivation is revenge coupled with financial interests. Curiosity plays a subordinate role.
The coders (VW) in turn do not act out of financial motivation, but combine the motive of revenge with that of intellectual challenge (curiosity).
The novices, in turn, are driven more by motives that feed their curiosity and put them in a good light (fame). The quadrant method makes it possible, in the first stage of an incident and its fact-finding, where only few or no established facts have been identified, to classify the information on motivation and abilities that is available up to that point. According to studies, hackers can also develop along a career ladder and rise from novice (NV) to professional perpetrator.
The quadrant as a tool
The quadrant can also be used to visualize how an investigation develops. In the course of an investigation, more and more prominent, distinctive traces, characteristics, properties, procedures and motives, as well as their interactions with each other, become known with regard to a possible perpetration.
Based on this, a picture in the sense of a profile can be created. This construction of a picture is a so-called psychological analysis of the course of events. The prominent, distinctive traces are left behind at the scene of the crime in the form of running programs, scripts, messages, etc. In addition, these traces contain relevant information about the victim and the goal of the action. These can be workstations, servers or operational systems. We also receive information about the affected data: customer data (CID), personal data and company-specific data (patents, licenses, prescriptions, secret internals, financial information).
The collected traces are aggregated, analyzed and assigned to the quadrant to visualize the existing information. The model allows investigators to benefit from the same investigative support as is possible when dealing with traditional crimes using behavior-based methods.
The quadrant in practice
Suppose the facts or traces available to the investigator indicate that only financial data is affected, the surrounding systems were only indirectly attacked, insignificant collateral damage was done, no scripts were left behind, the hacker’s skills were high and no messages were left behind.
These findings lead to the hypothesis that one is dealing with an external, professional hacker who is financially motivated. This allows us to exclude different groups of offenders and narrow the focus to support the hypothesis. As a result, resources are allocated more effectively.
If we now change a few characteristics and classify the hacker’s skills as low, the model and, with it, its conclusions look completely different. One would now assume that we are dealing with a financially motivated petty criminal (PT).
The missing piece of the puzzle?
The application of the quadrant, and thus the presentation of the essential components and their interactions with each other, does not preclude either an investigation or further clarification; it is a tool for visualization, hypothesis formation and hypothesis adjustment during an investigation.
What tools do you use to complete your puzzle?