Laws and policies aren't enough to combat computer crime. Understanding an attacker's motive can help.
While studying the air map on a recent flight, I started wondering whether this so-called small world--which really doesn't appear to be so small from 38,000 feet--can effectively deal with the growing problem of data theft and the increasing sophistication of computer crime through legal tools alone.
There's little doubt laws are essential to combat computer crime--especially laws that are user-friendly enough for application and are dusted off occasionally to ensure continued usefulness. Such a dusting was done last year with the U.K.'s Computer Misuse Act, which now broadens "unauthorized misuse" and revamps definitions of computer abuse to apply to DDoS attacks. Policies are also necessary crime-fighting tools. For example, more organizations will make laptop encryption mandatory this year, according to SANS. But are legal tools enough?
One of my students once argued, "Even the best laws and policies aren't going to stop people from computer abuse--you've got to change people if you really want to see an impact." I agree. Attacks, breaches and fraud happen because the people behind those activities have a motive for what they do. Simply put, human behavior underlies wrongdoing. Understanding why people engage in unwanted behavior has a definite place in shaping crime response. Perhaps even a bigger place than we think.
Our standard computer crime response embodies Criminology 101: Prevent and deter crime by reducing opportunities to commit it, which makes wrongdoing harder, and by diminishing its allure through consequences for behavior (jail or employment termination). But when was the last time we stopped to ask why a hacker or employee did what he did? Motivations are as relevant to computer crime response as they are to traditional crime response. Many of our strategic efforts consider the means and opportunity behind unwanted behavior, but neglect motive or give it only cursory thought.
Legal tools have limits. Mandatory laptop encryption policies aren't going to remedy insider abuse. But when an employee turns bad, we can learn something by asking why. If he was disgruntled with work, then understanding the cause of that frustration has value. Asking why an employee is motivated to engage in wrongdoing can reveal how we can better distribute our security resources. Asking why a hacker wants access--motives may include economics, politics or vanity--can help determine what assets are most vulnerable.
By including motive in the strategic equation, we can detect precursors to crime. Clues as to why an employee might commit wrongdoing can be uncovered through:
- Good background checks and screening of employment history for red flags, such as lawsuits against former employers, indications of violence or restraining orders.
- Documented performance problems by HR or managers.
- Patterns in non-work related Web browsing while at work, such as search engine research that warns of impending trouble, or heavy use of outside email.
One caveat is that the practical value of motive can easily become lost if an organization lacks consistent interdepartmental communication on threats.
Legal tools alone bring hope to combating computer crime, but unless we understand why people behave the way they do, there is still much to fear in this so-called small world.