Anonymity, Antisocial Behavior, Integrity, and Cybercrime.
The negative impacts of cybercrime continue to escalate. Globally-integrated financial services organizations are virtually, if not totally-dependent on effective Internet communications. That requires a broad spectrum of Internet-facing interfaces. About the only characteristic those interfaces must share, is effective resistance to the totality of hostile agents using the Internet as part of their supply-chain. Fulfilling the infrastructure, operations, and information security role keeps getting tougher. As we develop risk management strategies and plan our investments, insider-related cybercrime must also be on many of our top priority lists – as some hostile agents directly or indirectly work for us.
A little more than a year ago on this blog I tossed out a recommendation that you should “Integrate employee background checking and monitoring into HR processes” as a component of your strategy to resist credential-enabled cyber-crime. I made the recommendation without clearly explaining its potential connectivity with the broader story about widely-deployed bot networks that was the focus of that post. Insiders can play a key role in enabling many types of cybercrime. They are one source of bulk identity information – a key raw material for organized Internet crime. And they are an important source of targeted, high-value intellectual property as well.
In one form or another, we are all involved in re-architecting and optimizing our organizations to better address the challenges of the global financial services marketplace. As our organizations search for top talent and demand lower operating costs, we are increasingly required to support a workforce that is broadly-dispersed and interacts with corporate resources via one or more remote interaction channels. As the workforce is more thinly dispersed across the globe, and as workers are treated more openly (or simply think or “feel” they are being treated) as commodities, an increasing fraction of those individuals will likely feel alienated or disassociated from the corporation. Conventional wisdom has supported the idea that there is a relationship between each worker’s sense of membership and satisfaction with their employer, and their willingness to engage in insider crime. Similarly, many have accepted the notion that increasing anonymity enabled by remote Internet interactions tends to increase cybercrime. It is, though, important to periodically question conventional wisdom.
In that context, earlier today I read a Purdue University Dissertation by Ibrahim M. Baggili entitled, “Effects of Anonymity, Pre-Employment Integrity And Antisocial Behavior On Self-Reported Cyber Crime Engagement: An Exploratory Study.” If you have even a passing interest in better understanding the relationships between anonymity, antisocial behaviors, integrity, and cybercrime, I strongly recommend this dissertation as a starting point for your research. Dr. Baggili reviews the literature on these topics. The literature posits that anonymity may trigger individuals to engage in antisocial behaviors characterized by low levels of integrity or simply dishonesty. To understand the effect of anonymity on cyber criminals, Dr. Baggili first examines how anonymity is related to cybercrime. He measures “the cybercrime engagement of people, their antisocial behavioral tendencies and their integrity, while manipulating their anonymity.” (“Effects of Anonymity…,” page 46)
The dissertation is an enjoyable read. Here, grossly over-simplified, are some of his conclusions:
- Self-reported antisocial behaviors and integrity were significantly correlated with self-reported cybercrime engagement.
- Anonymity also had significant effects on self-reported cybercrime engagement.
- Of the variables considered in his research, pre-employment integrity testing appeared to have the strongest predictive power of cybercrime engagement.
(“Effects of Anonymity…,” page 94)
Dr. Baggili’s excellent research and analysis seems rational-enough to be actionable as-is. Consider working with your HR or employee recruiters to ensure that effective pre-employment integrity testing is integrated into their processes — at least for roles that have access to bulk sensitive information, or who have access to valuable intellectual property. Use Dr. Baggili’s work, as well as the literature he references, as a foundation for that work.
“Effects of Anonymity, Pre-Employment Integrity And Antisocial Behavior On Self-Reported Cyber Crime Engagement: An Exploratory Study.” by Ibrahim M. Baggili https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2009-31.pdf
and videos of a presentation on this topic “CERIAS TALK – Channel 5 — Anonymity and how it affects Cyber Crime” by Ibrahim M. Baggili at: http://baggili.weebly.com/tv.html
“WSJ-WP-NYT Re-Tell ZeuS Infection for The Masses.” Completosec Channel, by Matt McCright https://completosec.wordpress.com/2010/02/18/wsj-and-wp-re-tell-zeus-infection-for-the-masses/
“Anonymity of users is key issue in cyber crime: Kaspersky.” By Avantikumar, MIS Asia, October 22, 2009 (http://www.networkworld.com/news/2009/102209-anonymity-of-users-is-key.html)