Antisocial, loner, computer addicted — malicious hackers have long been labeled with these stereotypes by the public. While movies and popular culture may paint a simple, unflattering portrait of the average cybercriminal, a scientific approach to the question found a more nuanced and complex picture, with many actors exhibiting skills and traits that would be considered positive or even admirable in other contexts.
A recent study led by Marleen Weulen Kranenbarg, assistant professor of criminology at Vrije University in Amsterdam, sheds new light on the specific personal characteristics of digital offenders by comparing a sample of 261 cybercrime suspects with that of offline offenders. The study found that cyber offenders have a higher level of diligence, conscientiousness, and self-regulation but scored low on modesty, fearfulness, flexibility, and aesthetic appreciation.
Studying the specific mindsets and psychological proclivities of cybercriminals may be worth the effort in part because, as the study notes, online crime continues to steadily rise as other forms of offline crime become less and less frequent. Further, online crime differs from offline crime in important ways that may shape the behavior of both cybercriminals and their victims.
“Cyberspace is a unique context in which interactions have a different nature than in the offline world. For example, offenders and victims do not need to have physical contact in cyberspace, which may lower the threshold for committing cybercrimes,” the study notes. “Additionally, cyberspace may require specific skills or characteristics that offline crimes do not. This begs the question whether decades of consolidated knowledge about offender characteristics still apply to this comparatively novel category of offenders.”
For example, studies of criminals in the physical space show that many tend to focus on short-term rewards, have lower levels of education, exhibit poor self-regulation and have higher rates of alcohol and drug use. What little research there has been on cybercriminals tend to show that these individuals are better at self-regulating their behavior, are more diligent and less willing to experiment with drugs or alcohol. Other studies have found that unlike most offline criminals, many cybercriminals may not actually be motivated by financial gain. Instead, they may commit crimes for reasons like curiosity, for the thrill, or simply because they relish the challenge of breaking into computer systems.
To dive deeper, researchers in the study applied the HEXACO personality inventory to a previously existing dataset of 260 offline criminals and 261 online criminals who had been formally suspected of committing either a cyber-dependent crime or an offline crime during the period 2000–2013 and submitted to a follow-up questionnaire in exchange for a €50 voucher. The study also includes a community sample of 512 individuals who took the HEXACO test. According to their website, HEXACO’s model judges individuals along six personality dimensions: honesty-humility, emotionality, extraversion, agreeableness, conscientiousness and openness to experience.
The results show that far from the stereotype of the lone, socially awkward hacker. Many cybercriminals tend to exhibit a mix of positive skillsets and personality traits associated with both the offline criminal community sample datasets. For example, cyber offenders’ “tendency to be thorough and pay attention to detail (perfectionism) and be cautious (prudence) is useful for committing cybercrimes.”
“It appears that cyber offenders are more similar to offline offenders on facet-level traits that may help them perform criminal activities, but they are more similar to the community sample on characteristics that may strengthen their ability or tendency to commit cyber offenses,” the study noted.
Custom insights into cybercriminals could help craft custom defenses
Jon DiMaggio, chief security strategist at Analyst1 who previously worked in U.S. intelligence and has years of experience interacting with cyber offenders, told SC Media the study represents a valuable look at how businesses can bolster their defense against ransomware and other cyber threats by better understanding human factors of the attacks.
"This paper is very useful in opening people's eyes and people's minds," said DiMaggio. "Profiling and analyzing cybercriminals personalities is very beneficial. Government has done it for a long time, and it is something we should also be doing in the corporate world."
The authors noted that this subject remains under researched and is ripe for further study, particularly to better understand whether cybercriminals behave the same way across different countries, the contexts in which they are recruited, and whether there are differences between cybercriminals accused of serious crimes and lower-level offenders in the general population.
Drew Schmitt, lead analyst and ransomware negotiator at GuidePoint Security, agreed with DiMaggio and suggested that understanding cyber offenders' behaviors and enhancing threat profiles are particularly useful in deploying ransomware negotiation strategies as attackers today often interact with victims directly to discuss the payments.
"My team builds negotiation profiles for every threat actor we have engaged with," Schmitt said. "For groups like Vice Society that have fewer numbers of individuals, we have fewer variables [in the profiles] because there are fewer individuals we need to deal with, but for larger groups like LockBit with many different affiliates, we will put a lot more varied details [into the profiles] and craft appropriate messages accordingly."
To produce a comprehensive threat profile, besides including the personality characteristics of cyber offenders as the study noted, DiMaggio said that organizations should also take cyber offenders' geographical locations, beliefs, political views, families, and financial situations into account. The information can be prepared in advance by following their dark web posts or interacting with them on the underground forums. . In addition, DiMaggio noted that many top ransomware gangs are also accessible and responsive to requests from media and security researchers, though there is robust debate in journalism and information security circles today about the ultimate value of such conversations and whether publicizing interviews with cybercriminals does more to market their brands than provide useful insights into their behavior.
With those clues in hand, organizations may better understand the motives behind individual attackers and may even empathize with cyber offenders during the conversation. Kurtis Minder, a CEO and co-founder of GroupSense who has spent years negotiating with ransomware groups, told SC Media this approach could lead to a more successful negotiation.
For organizations that have not started profiling, DiMaggio suggested they can begin by analyzing top cybercriminal groups in their industry.
"Start to expand beyond the zeros and ones, and pick the top five [cybercriminal groups] in your vertical and spend time understanding who they are, where they come from, and what their beliefs are," DiMaggio said.