Date created: | Last Updated:

Category: Project

Description: With the advancement of technology, traditional markets are digitizing along with other aspects of our day-to-day life. Criminal markets are no exception. One important platform for the exchange of stolen digital goods is hacker forums (Liu et al., 2020). After obtaining victims’ personal information, hackers publish the information on the forum in a post, either for free, for instance to boast about their success, or as an advertisement that they are able to share more, for a price. Other forum users are then able to use the compromised personal information for some limited personal benefit (as they have to share it with other forum users), or ask to purchase other information for their personal use. One type of information that is often stolen and shared on such forums includes account credentials (i.e. a username and password combination which allows access to online accounts) to financial, entertainment, or personal correspondence platforms (Ilascu, 2020). Cybercriminals who access these account credentials can not only make use of the accounts to abuse sensitive information they contain, but also prevent the original owners’ access to them. This poses a great threat for the security and privacy of those victims the accounts belong to. On hacker forums, posts advertising account credential leaks (a list of stolen account credentials offered) are plentiful, and it seems unlikely that all posts are equally examined by forum users. Users first look at a list of post titles, and then decide which titles to click to reach the post contents (i.e. ‘view’ it). Little is known about the factors that determine the likelihood of a post on a hacker forum to be interacted with. In this study, we aim to investigate the role of risk and reward cues in the post title on its likelihood to be chosen for further interaction. According to the rational choice perspective of crime, risks and rewards play a great role in criminal decision-making. This perspective suggests that cost-benefit analyses are performed when making decisions, consciously or unconsciously (Beccaria [1764] 2009; Becker, 1968; Bentham [1823] 2020). In the context of crime, this perspective suggests that a crime is committed if the actor perceives its benefits to outweigh its potential risks (Becker, 1968; Clarke & Cornish, 1985; Lattimore & Witte, 2014). For example, a cyber attacker may be more likely to steal sensitive data if its content may yield a high reward, but they are less likely to target data protected by strong security measures which might lead them to get caught. As an extension, theorists adopting this perspective suggested the situational crime prevention techniques, focusing on modifying the immediate environment to prevent criminal behavior (Clarke, 1980; Cornish & Clarke, 2014). This can be achieved, for example, by decreasing perceived rewards of a crime or increasing the risk of being caught or punished. There is some evidence that risks and rewards play a role in cybercrime propensity. For example, Back and LaPrade (2020) conducted a mixed-method design to study the relationship between different cybersecurity measures adapted from the situational crime prevention techniques and the likelihood to experience different cyberattacks on information systems of US American academic institutions. They found that measures reducing rewards by denying benefits and reducing temptation towards the target, and measures increasing risks by employing official surveillance were both associated with lower likelihood of a cyberattack. However, this is a correlational study which could not determine cause and effect. In this study, we wish to conduct a field experiment which manipulates risk and reward cues and measures their resulting effect on the likelihood of a target being selected. Other studies have found some evidence for a deterrent effect of risk cues in the form of warning banners, alerting a system infiltrator that the machine is monitored and accessing it with no authorization could lead to legal consequences. For example, one study found that the warning banners reduced the duration of a system attack (Maimon et al., 2014). Another study found that fewer actions were taken during attacks where such a risk cue was presented (Wilson et al., 2015). However, in those studies, the risk warning was only apparent after the crime of system infiltration was committed. In this study, we are interested in determining whether a risk cue would have a deterrent effect before the target is selected for a crime. Specifically, we wish to test the role of risks and rewards in cybercrime target selection. To do this, we will post fake credential leaks on a hacker forum, manipulating the titles of those posts to vary in cues of risks and rewards in a 2x2 design (high vs low risk, high vs low reward). We will test whether this manipulation has an effect on the number of views our posts will receive. We expect that in the high-risk condition, posts will be less likely to be viewed than posts in the low-risk condition. Contrary, we expect that accounts in the high-reward condition will be viewed more often than accounts in the low-reward condition. While preparing for the study, we identified different reward cues associated with different credential types. We wish to generalize these findings over different credential types, so we will repeat this experiment for webmail, streaming, shopping, gaming, music, and VPN account credentials.