
Don't Underestimate Motivation for Hacking or Cybercrime

Today Information Week reported that a man hacked into the University of Southern California's computers in 2005 and stole personal information on up to 270,000 individuals, apparently because he had been rejected for admission. He was just sentenced to 6 months of home detention and must pay $37,000 in restitution for this crime.

So many times I read about, and hear, business leaders saying that they are not that concerned about hackers or cybercrime because their business would not be a target of an attack, or because they are not in an industry that would be targeted. "Why, we only make O-rings for engine pistons...no one would be interested in attacking our systems!"

It would be nice to think that you're safe just because you aren't a financial or healthcare company, but that is completely unrealistic. Any company system that is attached to the Internet, or to another organization's system that is attached to the Internet, or that has personnel using the Internet, is subject to some kind of malicious code or hacker attack.

Motivation for cybercrime is a very interesting topic. The rejected USC applicant perhaps also wanted to show that he would have been a very good computer student. Or he may simply have wanted to get even with an organization that he felt had done him wrong or treated him unfairly. Or perhaps he wanted to sell the personal information he stole to be able to afford a more expensive university. There are unlimited possibilities.

It is important to educate business leaders not only about the regulatory requirements for information security and privacy, and about the many different domains of information security that affect the business, but also about the motivators for cybercrime. Understanding those motivators lets them reduce the presence of such motivators within the business environment as much as possible, or at least put security safeguards in place to help prevent motivated individuals from doing bad things.

Donn Parker has done a lot of research and related work on cybercrime motivation. Some of the motivators he lists in his book "Fighting Computer Crime" can be used to help business leaders understand these very real human threats. At a high level, the motivators he lists include:

  • The Robin Hood Syndrome:  Stealing from the rich companies because, in the criminal's mind, they can afford the loss.
  • The Differential Association Syndrome:  The criminal wants to deviate from accepted practice among his/her peers or associates in only small ways, such as stealing computer services by using them for personal purposes.  Such small successful crimes lead to larger, more significant crimes as confidence builds from not getting caught.
  • Fear of Getting Caught:  Because criminals are afraid of getting caught doing "normal" crimes, the complexity and seeming anonymity of computers and networks may lure them to cybercrime.  It is interesting to note, however, that complexity is also a deterrent to them, since, according to Parker, they may end up avoiding the complexities inherent in using computers unless there are no other options.
  • The Personification of Computers:  Criminals do not have to physically confront their computer victims, or witness the resulting anguish from computer crimes, so it is easier for them to commit crimes against computers.
  • The Higher Ethic Motive:  The cyber criminal often justifies his or her actions by rationalizing that they need to do the crime for a greater good, such as stealing personal data and selling it to make money for a family member's operation.

Understanding that various human motivators can make your business a target just as much as the industry your business is in will help business leaders see that ALL organizations need to implement a strong and effective information security and privacy program.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.