- BlogInfoSec.com - https://www.bloginfosec.com -

Cybercrime’s Dark Triad

There is a very interesting article (at least for me) by Michele Maasberg, Craig Van Slyke, Selwyn Ellis and Nicole Beebe in the December 2020 edition of the Communications of the ACM with the title “The Dark Triad and Insider Threats in Cyber Security.” The article traces “the relationship between personality traits and insider cyber sabotage,” and claims to be the first empirical demonstration of the relationship.

I have been saying for some time that we need to know more about why cybercriminals do what they do—not just the what, where, when and how. The CACM article goes a long way in demonstrating the benefits of the “why” approach, as I shall describe further.

However, I must say at the start that several other personality traits come to mind and such traits apply not only to insiders but to malicious and malevolent actors in general, whether they be attackers, seeming defenders, influencers, observers, etc.

The three “malevolent personality traits” in the CACM article are narcissism, psychopathy, and Machiavellianism, where “Machiavellians engage in bad behaviors for some gain, narcissists …  because they are only concerned with themselves, and psychopaths … for the thrill, regardless of the risk to themselves.” There is a very helpful table in the article that assigns key characteristics to each trait. The table shows that certain characteristics, such as sense of superiority and low empathy, are common to all three traits, but that other characteristics are specific to individual traits. For example, narcissists have an all-encompassing need for ego-reinforcement, and psychopaths are thrill-seeking and show lack of impulse control.

Those of us who have been in the cybersecurity business for many years have no doubt come across such nefarious players both within and outside our organizations. I think that the cybersecurity field is particularly subject to attracting such characters, especially as business management often doesn’t understand the technologies involved and mistakes technical prowess for the potential for misdeeds. The line between white and black hats can be very thin.

The CACM article is very enlightening but somewhat narrow in scope, both regarding personality traits and work situations. In my experience, cybercriminals are likely to be sociopathic rather than psychopathic. Some may want explicitly to cause pain in others—psychopaths—but others just don’t care about how other people are affected—sociopaths. Psychopaths may bear a grudge against a company, say, and set out to destroy it, whereas sociopaths don’t care if, say, they cause victims pain and inconvenience, but that isn’t their main objective. The WebMD website points out that some experts view sociopaths as “hot-headed” individuals who act without thinking about the impact of their deeds on others, whereas psychopaths are more “cold-hearted” and calculating and carefully plot their moves, taking out any barriers that cross their paths irrespective of how others might be affected. My opinion, based on experience, is that insiders tend to be sociopathic in that they will respond to opportunities that present themselves rather than making elaborate plans to defraud or destroy. External cyberattackers, on the other hand, are inclined to plan their exploits carefully. For example, those perpetrating ransomware attacks often do irreparable harm to victim organizations, whether or not ransoms are paid, which puts them in the psychopath camp. This means that any appeals to their better nature will not work.

Interestingly, there was a recent case of a cyberattack on a Vermont hospital that was thought to be ransomware, but no ransom was requested—see an Associated Press article with the title “Vermont hospital says cyberattack was ransomware” in Modern Healthcare at Vermont hospital says cyberattack was ransomware (modernhealthcare.com) [1]  The article describes the dilemma as follows: “… hospital officials said its information technology workers found a file directing them to contact the attackers if they wanted their systems restored, but it did not contain a request for money.” It would seem that the attackers really messed up. But the hospital suffered the consequences of an unpaid ransom anyway.

Knowing the traits of attackers may be helpful in the hiring process for employees, contractors, and third-party suppliers and service providers, but such screening is difficult to arrange and perform—and psychological testing of such a nature can be highly questionable, if not illegal. Nevertheless, understanding perpetrator motivations and motives behind attacks could help in choosing a deterrence, since threats of consequences will have a different impact subject to the traits of the individuals. There is clearly no point in trying to appeal to someone’s better instincts if they don’t have any, or threatening punitive actions if they don’t care or believe that you are bluffing.