RESTRICTIVE DETERRENT EFFECTS OF A WARNING BANNER IN AN ATTACKED COMPUTER SYSTEM

System trespassing by computer intruders is a growing concern among millions of Internet users. However, little research has employed criminological insights to explore the effectiveness of security means to deter unauthorized access to computer systems. Drawing on the deterrence perspective, we employ a large set of target computers built for the sole purpose of being attacked and conduct two independent experiments to investigate the influence of a warning banner on the progression, frequency, and duration of system trespassing incidents. In both experiments, the target computers (86 computers in the first experiment and 502 computers in the second) were set either to display or not to display a warning banner once intruders had successfully infiltrated the systems; 1,058 trespassing incidents were observed in the first experiment and 3,768 incidents in the second. The findings reveal that although a warning banner does not lead to an immediate termination or a reduction in the frequency of trespassing incidents, it significantly reduces their duration. Moreover, we find that the effect of a warning message on the duration of repeated trespassing incidents is attenuated in computers with a large bandwidth capacity. These findings emphasize the relevance of restrictive deterrence constructs in the study of system trespassing.

[1]  David Mackey,et al.  Web Security for Network and System Administrators , 2003 .

[2]  B. Jacobs Crack dealers' apprehension avoidance techniques: A case of restrictive deterrence , 1996 .

[3]  John F. Decker CURBSIDE DETERRENCE? An Analysis of the Effect of a Slug‐Rejector Device, Coin‐View Window, and Warning Labels on Slug Usage in New York City Parking Meters , 1972 .

[4]  Mark Warr,et al.  A Reconceptualization of General and Specific Deterrence , 1993 .

[5]  Etienne Blais,et al.  Situational deterrence and claim padding: results from a randomized field experiment , 2007 .

[6]  Kate J. Bowers,et al.  Assessing the Extent of Crime Displacement and Diffusion of Benefits: A Review of Situational Crime Prevention Evaluations * , 2009 .

[7]  Graeme R. Newman,et al.  On crimes and punishments : fifth edition , 2009 .

[8]  Michael Grüninger,et al.  Introduction , 2002, CACM.

[9]  R. Paternoster,et al.  Absolute and Restrictive Deterrence in a Panel of Youth: Explaining the Onset, Persistence/Desistance, and Frequency of Delinquent Offending , 1989 .

[10]  M. Cusson,et al.  SITUATIONAL DETERRENCE : FEAR DURING THE CRIMINAL EVENT by , 2006 .

[11]  Susan W. Brenner Cybercrime: Criminal Threats from Cyberspace , 2010 .

[12]  Ian Diamond,et al.  Life Table Techniques and their Applications , 1988 .

[13]  Jonathan P. Caulkins,et al.  No change is a good change? Restrictive deterrence in illegal drug markets , 2011 .

[14]  John E. Eck,et al.  IMPROVING THE MANAGEMENT OF RENTAL PROPERTIES WITH DRUG PROBLEMS: A RANDOMIZED EXPERIMENT , 1998 .

[15]  Matthew J. B. Robshaw,et al.  Brute Force Attacks , 2011 .

[16]  John S. Carroll,et al.  Crime Perceptions in a Natural Setting by Expert and Novice Shoplifters , 2015 .

[17]  J. Gibbs Crime, punishment, and deterrence , 1975 .

[18]  Ken Caldeira,et al.  A Dynamic Marine Calcium Cycle During the Past 28 Million Years , 2008, Science.

[19]  Bruce A. Jacobs,et al.  CRACK DEALERS AND RESTRICTIVE DETERRENCE: IDENTIFYING NARCS* , 1996 .

[20]  Steven Furnell,et al.  Cybercrime: Vandalizing the Information Society , 2003, ICWE.

[21]  Martin Bouchard,et al.  Cleaning up your act: Forensic awareness as a detection avoidance strategy , 2010 .

[22]  W. F. Skinner,et al.  A Social Learning Theory Analysis of Computer Crime among College Students , 1997 .

[23]  Michael Cherbonneau,et al.  Auto Theft and Restrictive Deterrence , 2014 .

[24]  Stephen Coleman,et al.  The Minnesota Income Tax Compliance Experiment: Replication of the Social Norms Experiment , 2007 .

[25]  Natalie Taylor,et al.  An experimental evaluation of tax-reporting schedules: a case of evidence-based tax administration , 2004 .

[26]  Robin Berthier,et al.  An evaluation of connection characteristics for separating network attacks , 2009, Int. J. Secur. Networks.

[27]  Cormac Herley,et al.  Do Strong Web Passwords Accomplish Anything? , 2007, HotSec.

[28]  R. Paternoster,et al.  The deterrent effect of the perceived certainty and severity of punishment: A review of the evidence and issues , 1987 .

[29]  L. Sherman Police Crackdowns: Initial and Residual Deterrence , 1990, Crime and Justice.

[30]  David Elliott Deterring Strategic Cyberattack , 2011, IEEE Security & Privacy.

[31]  Richard E. Hayes,et al.  Information Warfare and Deterrence , 1996 .

[32]  Travis C. Pratt,et al.  The Empirical Status of Deterrence Theory: A Meta-Analysis , 2006 .

[33]  Alex R. Piquero,et al.  Reconceptualizing Deterrence: An Empirical Test of Personal and Vicarious Experiences , 1995 .

[34]  Risto Kulmala,et al.  Effects of variable message signs for slippery road conditions on driving speed and headways , 2000 .

[35]  Linda Steg,et al.  The Spreading of Disorder , 2008, Science.

[36]  Lawrence W. Sherman,et al.  General deterrent effects of police patrol in crime “hot spots”: A randomized, controlled trial , 1995 .

[37]  Julia H. Allen,et al.  Detecting Signs of Intrusion , 2000 .

[38]  Bruce A. Jacobs,et al.  DETERRENCE AND DETERRABILITY , 2010 .

[39]  Janet M. Box-Steffensmeier,et al.  Event Dependence and Heterogeneity in Duration Models: The Conditional Frailty Model , 2007, Political Analysis.

[40]  Michael E. Whitman Enemy at the gate: threats to information security , 2003, CACM.

[41]  J. Lowman STREET PROSTITUTION CONTROL Some Canadian Reflections on the Finsbury Park Experience , 1992 .

[42]  Philip Hougaard Shared frailty models for recurrent events , 2000 .

[43]  Simson L. Garfinkel,et al.  Practical UNIX and Internet Security , 1996 .

[44]  Andrew S. Tanenbaum,et al.  Computer networks, 4th Edition , 2002 .

[45]  Peter Grabosky,et al.  UNINTENDED CONSEQUENCES OF CRIME PREVENTION , 2013 .

[46]  Bruce A. Jacobs,et al.  UNDERCOVER DECEPTION CLUES: A CASE OF RESTRICTIVE DETERRENCE* , 1993 .

[47]  Marc Dacier,et al.  Lessons learned from the deployment of a high-interaction honeypot , 2006, 2006 Sixth European Dependable Computing Conference.

[48]  Noah J. Goldstein,et al.  A Room with a Viewpoint: Using Social Norms to Motivate Environmental Conservation in Hotels , 2008 .

[49]  P. Gallagher Recommended Security Controls for Federal Information Systems and Organizations , 2010 .

[50]  Andy Dale Handbook of Crime Prevention and Community Safety , 2008 .

[51]  R. Michael Alvarez,et al.  Event History Modeling: A Guide for Social Scientists , 2004 .

[52]  Greg Pogarsky,et al.  Identifying “deterrable” offenders: Implications for research on deterrence , 2002 .

[53]  Charles R. Tittle,et al.  Sanctions and social deviance: The question of deterrence , 1980 .

[54]  Jayant Gadge,et al.  Port scan detection , 2008, 2008 16th IEEE International Conference on Networks.

[55]  Kenneth Geers,et al.  The challenge of cyber attack deterrence , 2010, Comput. Law Secur. Rev..

[56]  S. Piantadosi Clinical Trials : A Methodologic Perspective , 2005 .

[57]  Barak Ariel,et al.  DETERRENCE AND MORAL PERSUASION EFFECTS ON CORPORATE TAX COMPLIANCE: FINDINGS FROM A RANDOMIZED CONTROLLED TRIAL* , 2012 .

[58]  Will Goodman,et al.  Cyber Deterrence: Tougher in Theory than in Practice? , 2010 .

[59]  J. Bargh,et al.  Automaticity of social behavior: direct effects of trait construct and stereotype-activation on action. , 1996, Journal of personality and social psychology.

[60]  R. D. Schwartz,et al.  On Legal Sanctions , 1967 .

[61]  Thomas J. Holt,et al.  On-line Activities, Guardianship, and Malware Infection: An Examination of Routine Activities Theory , 2009 .

[62]  J. Bentham An Introduction to the Principles of Morals and Legislation , 1945, Princeton Readings in Political Thought.

[63]  S. Blank Can Information Warfare Be Deterred? , 2001 .

[64]  Gary S. Green,et al.  GENERAL DETERRENCE AND TELEVISION CABLE CRIME: A FIELD EXPERIMENT IN SOCIAL CONTROL* , 1985 .

[65]  Robin Berthier,et al.  Characterizing Attackers and Attacks: An Empirical Study , 2011, 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing.

[66]  Bruce A. Jacobs,et al.  Crack dealing, gender, and arrest avoidance , 1998 .

[67]  Joel Slemrod,et al.  Taxpayer response to an increased probability of audit: evidence from a controlled experiment in Minnesota , 2001 .

[68]  W. Gove,et al.  Deterrence: Some Theoretical Considerations , 1975 .

[69]  Amy L. Tobler,et al.  General deterrence effects of U.S. statutory DUI fine and jail penalties: long-term follow-up in 32 states. , 2007, Accident; analysis and prevention.

[70]  P. Wesley Schultz,et al.  CRIMINAL BEWARE: A SOCIAL NORMS PERSPECTIVE ON POSTING PUBLIC WARNING SIGNS* , 2009 .