As most of you probably already know, I work as a pentester for a rising company in the field of security and audit assessment. Technical evaluations are the core of my work; however, the social factors that push hackers to act remain obscure, and only a little research has been done in this area. Understanding the motivation behind an attack is priceless when it comes to providing a suitable solution to mitigate, prevent or acknowledge the detected flaws. That is why I decided to share with you my latest critical review, of the paper ‘A typology of hackers: Classifying cyber malfeasance using a weighted arc circumplex model’, written by Ryan Seebruck in 2015. I hope you will enjoy it and that it will make you want to go deeper into this little-known but relevant domain.
Disclaimer: this will be a long read.
Seebruck presents a new way to classify hackers in order to “clarify the current state of the field by uniting recent case studies on hackers with existing categorization techniques” (Seebruck, 2015). Previous research was based on the circumplex model, which cannot describe the multidimensional nature of hackers and their relationships. To resolve this problem, Seebruck proposes an updated model, the weighted arc circumplex model, specially designed to address this lack of information. Moreover, he pays particular attention to explaining how this model can be used and why it is necessary for each company that wants to be efficiently protected against classical and new threats.
The purpose of this critical review is to summarize and evaluate the content of this paper and discuss the applicability of this research in the professional world.
The author of this paper is Ryan Seebruck, an eminent sociologist working as an adjunct instructor in sociology at the University of Arizona and as a statistician for the U.S. Department of Homeland Security. His principal interests are racial inequality in the labor market and in educational opportunities, as well as Japanese society.
This paper was published on the 5th of January 2015, at the University of Arizona, School of Sociology, United States.
For many years, cyber attacks have been increasing every day. Indeed, “various studies and surveys indicate that even though businesses have increased expenditures on information technology safeguards, the annual losses due to network security breaches are increasing yearly (Berinato, 2004; Melek, 2004)” (Rogers, 2005). Moreover, Seebruck states in his paper that “every day British Petroleum fends off 50 thousand cyber attacks whereas the Pentagon receives 10 million (Glenny, 2013). These cyber attacks create serious monetary damages. In 2012, credit card hackers stole $11.5 billion; in 2013 one ATM heist garnered $40 million in ten hours (Glenny, 2013)”.
Because of this, companies spend thousands of dollars on countermeasures in order to prevent any breach that could potentially be present in their network. Those decisions are generally taken by the Security Chief Officer (SCO), who bases his choices on security audits or on security specialists. However, they forget the absolute key to fighting hackers. As the famous book The Art of War explains, “If you know the enemy and you know yourself, you need not fear the result of a hundred battles (pp. 18).” In other words, it is crucial to study hackers and improve our knowledge about them in order to be well prepared and protected against them.
This point of view is shared by many researchers, such as Fitch, who said that “by understanding the different types of hackers and what motivates their behavior, it is possible to profile computer crime, making it easier to predict future activity”, or Fötinger and Ziegler, who think that “to understand a person’s intention and motivation to hack into a system we have first to analyse their background, psychology and social environment”.
Despite the importance of improving our understanding of hackers, only a few papers related to hacker classification have been published. It was to clarify this subject and help companies fight these threats that Ryan Seebruck worked on this new type of classification.
Type of classification
As explained above, hacker classifications are crucial for computer security. Several types of classification exist, such as taxonomy and typology. But what differentiates them, and which of them is better suited to classifying hackers?
Taxonomy is often associated with biology and is “based on empirical observation and measurable traits” (Seebruck, 2015). Consequently, this type of classification tends to be quite exhaustive. Several domains use it, such as phenetics, which is a system for ordering species based on overall similarities, or the original chemical classification, which consists of the basal taxonomy of chemical compounds.
Typology, by contrast, is more related to the study of types and is based on ideal types. Like taxonomy, this way of classifying is used for many purposes, for example in anthropology, where it consists of the division of culture by races, or in archaeology, which classifies artifacts according to their characteristics.
Because hackers will be broken down into several types, it is clear that typology is better suited to this classification. Moreover, typology is by nature more flexible than taxonomy, which is a real advantage when the classification tends to be undoubtedly complex.
Classifying hackers can be quite difficult due to the lack of information available on the internet or in public publications.
The first to perform this kind of classification was Landreth in 1985, who classified them by mischief, intellectual challenge, thrill, ego boost and criminal profit. Later, in 1988, Hollinger proposed a new scheme based only on skills, whereas in 1996 Chantler classified hackers according to their motivation, ability and experience. However, that information can be harder to gather. That is why Rogers (2006, 2010) chose to base his own classification on several motivations: revenge, financial, notoriety and curiosity.
Since then, few papers have been published in this domain and those classifications are slowly becoming outdated. Indeed, they “formally identifying hacktivists as class of cyber adversaries, also places them in the notoriety category, arguing that political motivation is not usually the primary motivation of hacktivists, despite hacktivists' claims” (Seebruck, 2015). Moreover, none of that research discusses Crowdsourcers, who gather information about people (doxing), a new potential threat that appeared several years ago.
To conclude, that research is now outdated, and this case highlights the importance of keeping classifications up to date.
A new way of classification
To establish his new classification scheme, Ryan Seebruck based his work on Rogers’s previous paper. As Rogers explained in 2005, “in order to arrive at some type of understanding about the motivation of individuals engaged in hacking, the generic hacker term needs to be broken down into more useful and empirically valid categories (Furnell, 2002; Rogers, 1999; Rogers & Ogloff, 2004, Woo, 2003)”. That is why Seebruck chose to classify hackers according to five motivations.
Motivations are the principal vector that drives hackers to act. Studying them will help improve our understanding of hackers, an understanding which must include, as Fötinger and Ziegler explain, “personality characteristics, motivations, and what attracts these criminals in the first place”. It is important to note that this step is crucial to “effectively combat computer crime and discourage hacking activity” (Fitch, 2003).
Seebruck classified hackers according to five distinct motivations:
Prestige, for people who hack for notoriety.
Ideology, which characterizes political activists and nationalists.
Profit, which defines hackers motivated by material gain.
Revenge, which identifies people who act out of personal vengeance.
Recreation, which covers hackers who hack for pleasure or intellectual curiosity.
Those categories will help to classify hackers according to their types.
Circular order circumplex of hackers
The circular order circumplex model is the first scheme published by Ryan Seebruck. It is represented by a circle divided by five axes, which mark the boundaries of each of the five motivations presented above. Several hacker types are represented, such as punks, novices, cyber warriors, hacktivists, coders, crowdsourcers, insiders or criminals.
It is important to “recall that position in a circular order circumplex model indicates relationship, so that nearby groups are more closely related, positions near sector boundaries indicate multiple motivations, and positions closer to the outer edges of the circle indicate more sophisticated hackers” (Seebruck, 2015).
Therefore, we can conclude that coders use far more sophisticated hacking techniques than novices, whereas cyber warriors are more technical still than coders. Moreover, it appears that cyber warriors are motivated not only by ideology but by profit too, whereas coders seem to hack only for prestige.
This type of classification can be very useful for a company that is a niche target, which can, thanks to this scheme, focus its countermeasures on the right threats.
Furthermore, hacker types can be replaced by hacker cells in order to highlight the relationships between them. As Seebruck explains, this type of scheme “is an amalgamation of a sociogram and a circumplex”.
Weighted arc circumplex model
This scheme is quite similar to the previous one, except that the points which represented hacker types have been replaced by arcs. Each arc highlights the multiple motivations that lead hackers to hack. The thicker the arc, the more important the motivation. For example, coders are primarily motivated by prestige, secondarily by recreation and thirdly by ideology.
It highlights the complexity of human behavior and shows that people can be motivated by several reasons, which can help, once again, to understand them.
As before, we can replace the hacker types with hacker cells in order to get a broader overview of their motivations.
Earlier, Anonymous appeared to be motivated only by revenge. However, the scheme above shows that it is far more complicated than that. Indeed, Anonymous is a hacker group composed of millions of individuals, each acting for their own purposes. As can be seen in the picture above, Anonymous can hack for several motivations: in order of importance, revenge, ideology, recreation and finally prestige. Once again, the weighted arc circumplex model helps to highlight the fact that the human mind can be a veritable headache.
To conclude, the weighted arc circumplex model makes it possible to gather more details and information about hackers by highlighting the complexity of human behavior and the different motivations that feed it. This type of classification can definitely help companies improve their understanding of hackers in order to be well prepared against potential attacks.
The author makes few recommendations in his paper. However, he insists that this type of classification has to be mandatory for every company with limited resources for cyber defense that is a niche target. Indeed, that kind of enterprise is generally subject to specific threats. Consequently, by highlighting them, the company will save money by avoiding the implementation of useless countermeasures.
Furthermore, during the classification phase, investigators must consider as many parameters as possible in order to have a complete overview of the threats, which will, once again, help to protect the targeted company.
Lastly, as explained earlier with the Crowdsourcers example, it is crucial to keep the diagram up to date in order to stay aware of new threats.
Applicability of Research
Firstly, the paper was published in 2015, which is quite recent and makes it relevant. Moreover, all the information used to create the previous classifications is accurate. Indeed, it comes from public research or publications, which lets us assume it is reliable.
Secondly, as Grime said in 2011, “it's important to understand the motivation and objective of your intruders -- doing so can help you devise an appropriate defense”. Therefore, this work is critical. It will definitely help companies protect themselves against the right threats by simplifying the risk assessment, which will help to determine them quickly.
Furthermore, this classification improves our knowledge about hackers, which “is useful to security practitioners and researchers working in the domain of cyber operations.” (Applegate & Stavrou, 2013). Indeed, we all face hackers, and improving our understanding will give us a clearer picture of their behavior so that we are no longer caught off guard.
Finally, the weighted arc circumplex model can be broken down into sub-models in order to fit any need, which can be very useful for a company that wants to focus its analysis on a specific hacker type or motivation.
However, this classification has some disadvantages. It tends to be “limited in that they condense complex entities” (Seebruck, 2015), like Anonymous, for example. Moreover, it can be difficult to apply to high-status targets such as federal institutions or major corporations, which can be targeted for several unknown reasons. Additionally, due to the lack of information about hackers, it can be difficult to classify them. In fact, many hacker cells are still unknown to the public, so, without information about them, it will be difficult to be well prepared against their attacks. Lastly, as with every classification, we will, unfortunately, lose information …
This paper is, in general, well structured and clear. Several previous studies have been done, and his work differs markedly from the previous classifications thanks to its weighted arc circumplex model, which helps to identify and understand several types of hackers. The purpose of the article was to “ … demonstrate how archetypical circumplex models can be wed with sociograms to depict social and technical relationships between hacker groups” (Seebruck, 2015), and we can assume that the content fits perfectly with what he claims to achieve. Indeed, those diagrams highlight relationships between hacker types or cells.
However, because Seebruck’s work is based on Rogers’s, I read the paper published by Rogers in 2005, and he noted in the future work section that “obviously, more empirical research is required in order to mature the hacker circumplex. Future studies should examine the exact relationship between classification variables using empirically derived zero order correlation coefficients. It is anticipated that the model will go through several iterations before a definitive framework is derived.” (Rogers, 2005). Nevertheless, the work of Seebruck is just a sort of improvement of the circumplex model, not of the study and understanding of what empirically motivates hackers to act.
Finally, Seebruck presented data about the number of attacks that British Petroleum and the Pentagon go through each day. However, that information seems exaggerated, and some explanation of its provenance and of how the estimate was made is missing. It could be relevant to give the reader the entire story behind those numbers.
Future work and improvement
Sociology is, by nature, tied to subjectivity and to the author’s point of view. Consequently, it can be hard to advise on what could be improved in this kind of research. However, it could be relevant to follow Rogers’s guidelines, given in his previous papers. Rogers was the first to focus his analysis on a “parsimonious categorization scheme […] which classifies hackers based on skill and motivation (revenge, financial, notoriety, and curiosity)” (Seebruck, 2015), and it could be very interesting to continue his work.
This paper offers a truly innovative and useful way to classify hackers. It highlights the relationships between hackers and what motivates them. That information is crucial for every company that wants to be protected against the potential threats that can harm it. Moreover, from an economic point of view, this type of classification will avoid wasting money on irrelevant countermeasures.
However, this typology has some flaws concerning high-status targets and complex entities which have to be known in order to prevent any misuse.
Despite those issues, “we all have to gain a better understanding of their social and psychological background in order to find solutions to protect society and the individual” (Fötinger & Ziegler).
Grime, R.A. (2011). Your guide to the seven types of malicious hackers. [Online]. Available from : http://www.infoworld.com/article/2623407/hacking/your-guide-to-the-seven-types-of-malicious-hackers.html. [Accessed : 17 March 2016].
Fitch, C. (2003). Crime and Punishment: The Psychology of Hacking in the New Millennium. [Online]. Available from : https://www.giac.org/paper/gsec/3560/crime-punishment-psychology-hacking-millennium/105795. [Accessed : 17 March 2016].
Fötinger, C. S. & Ziegler, W. Understanding a hacker’s mind – A psychological insight into the hijacking of identities. [Online]. Available from : http://www.donau-uni.ac.at/de/department/gpa/informatik/DanubeUniversityHackersStudy.pdf. [Accessed : 17 March 2016].
Rogers, M. K. (2005). The Development of a Meaningful Hacker Taxonomy: A Two Dimensional Approach. [Online]. Available from : https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2005-43.pdf. [Accessed : 17 March 2016].
Seebruck, R. (2015). A typology of hackers: Classifying cyber malfeasance using a weighted arc circumplex model. [Online]. Available from : http://www.sciencedirect.com/science/article/pii/S1742287615000833. [Accessed : 17 March 2016].
Applegate, S. D. & Stavrou A. (2013). Towards a Cyber Conflict Taxonomy. [Online]. Available from : https://ccdcoe.org/cycon/2013/proceedings/d3r1s2_applegate.pdf. [Accessed : 17 March 2016].
Abraham G. & Hassel. L. Cyber terrorism : Hackers becoming terrorists or terrorist becoming hackers ?. [Online]. Available from : https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjj3uqTl8jLAhXGPhQKHT2OD9YQFggcMAA&url=https%3A%2F%2Fidea.library.drexel.edu%2Fislandora%2Fobject%2Fidea%253A535%2Fdatastream%2FOBJ%2Fdownload%2FCyber-terrorism__hackers_becoming_terrorists_or_terrorists_becoming_hackers_.pdf&usg=AFQjCNFkZInek84JxrIGewXwMdeYrGvcJA. [Accessed : 17 March 2016].
Buyens, K. & De Win, B. & Joosen, W. Empirical and statistical analysis of risk analysis-driven techniques for threat management. [Online]. Available from : https://lirias.kuleuven.be/bitstream/123456789/146252/1/paper.pdf. [Accessed : 17 March 2016].
Egan, M. (2011). Hackers With a Conscience? Ideological Attacks Complicate Cyber Defense. [Online]. Available from : http://www.foxbusiness.com/features/2011/12/15/hackers-with-conscience-ideologically-motivated-attacks-complicates-cyber.html. [Accessed : 17 March 2016].
Hacking - a new Classification System. [Online]. Available from : http://www.truthliesdeceptioncoverups.info/2013/05/hacking-classification-test-hackers-vs.html. [Accessed : 17 March 2016].
Hallek, G. A Hacker Taxonomy. [Online]. Available from : http://www.blackknife.com/Papers/HackerTaxonomy.html. [Accessed : 17 March 2016].
Lawson, L. (2001). You say cracker; I say hacker: A hacking lexicon. [Online]. Available from : http://www.techrepublic.com/article/you-say-cracker-i-say-hacker-a-hacking-lexicon/. [Accessed : 17 March 2016].
Mcbrayer, J. (2014). Exploiting the digital frontier: hacker typology and motivation. [Online]. Available from : http://acumen.lib.ua.edu/u0015/0000001/0002070/?page=1&limit=40. [Accessed : 17 March 2016].
Schneier, B. (2003). Airplane Hackers. [Online]. Available from : https://www.schneier.com/essays/archives/2003/11/airplane_hackers.html. [Accessed : 25 March 2016].