While policy interest and empirical research on cyber attacks have both increased substantially in recent years, very little attention has been focused on the local ecology of actively operating computer networks. In the research proposed we focus on a bazaar computing environment (i.e. weakly fortified computer networks where a wide variety of users engage in a range of activities with minimal security in largely unregulated settings) and seek to answer three broad research questions: (1) can users within bazaar environments be educated to engage in less risky on-line behavior? (2) can hackers within bazaar environments be deterred through available options? and (3) if users can be educated and hackers can be deterred what is the optimal environment in which IT management can maximize education of users and deterrence of hackers within weakly fortified environments? The proposed research represents a collaboration between criminologists, psychologists, and computer security experts and will evaluate criminological theories within cyberspace using, in addition to survey data and experimental design, detailed network and target computer data drawn from the real time operation of an organization network.
Intellectual Merit A major goal of this project is to move toward a new integrated social science perspective on cybercrime. The pathway to such integration is through the social ecology of a local computing environment. The research proposed here, which simultaneously examines the characteristics of users-victims, offenders-hackers and the computing environment where they interact, will provide a rare opportunity to integrate these situational components. In addition to providing new insights into criminology theory, the proposed research will provide detailed information on the interaction of hackers and users within the context of a weakly fortified computing environment.
Broader Impact We believe that our ecological approach to cyber security will offer useful insights for ways of improving online security by identifying those system configurations that discourage victim behaviors that are especially likely to result in attacks and deter attackers from malicious activities. Bringing information together from potential victims and offenders within the world of an operating computer environment will allow the development of more efficient safety programs and strategies and has the potential to increase the security of computer systems and strengthen users' confidence and trust in their systems and the cyber environment more generally.
