Evidence Rating: Ineffective | More than one study
A warning banner was presented to unauthorized computer system trespassers each time a computer system was illegally infiltrated, to deter further engagement with the attacked computer system and to prevent subsequent infiltration. The program is rated No Effects. Across multiple studies, results showed that the intervention did not deter trespassers from engaging with the computer system; however, there was a small, statistically significant effect on the duration of trespassing incidents.
A No Effects rating implies that implementing the program is unlikely to result in the intended outcome(s) and may result in a negative outcome(s).
This program's rating is based on evidence that includes at least one high-quality randomized controlled trial.
Program Goals/Components
The presence of a warning banner or surveillance message in an attacked computer system is intended to influence computer system trespassers’ engagement during system-trespassing incidents. System trespassing occurs when a trespasser (also known as a hacker) illegally gains unauthorized access to a computer system by exploiting or defeating security vulnerabilities or security barriers. The goal of the warning banner was to deter trespassers from further engagement with the attacked computer system and to prevent subsequent infiltration.
Access may be illegally gained locally, through physical access, or remotely, by logging into the Internet. Once in the attacked system, trespassers may perform any number of active manipulations by entering commands directly into the console of the compromised/attacked system. The attack may be harmless, such as exploring the Internet, or more dangerous, such as reading/modifying privileged data, using the system to attack other computers, or installing a backdoor that will allow for easier access to the targeted computer system in the future (McQuade 2006; Maimon et al. 2013).
A warning banner is implemented to deter system trespassers from entering computer commands into an attacked system. Upon each entry into a computer system, a message is displayed, as a banner on the screen, conveying that the system is under surveillance. Warning banner messages vary in length. A short message may include the following language: “This system is under continuous surveillance. All user activity is being monitored and recorded” (Wilson et al. 2017, 838). A long message may include the following more detailed language: “The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to institutional disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, the Institution may provide the evidence of such activity to law enforcement officials” (Maimon et al. 2014, 41).
Program Theory
The presence of a surveillance message in an attacked computer system is believed to deter trespassers’ system engagement based on restrictive deterrence theory (Gibbs 1975). Restrictive deterrence is a process whereby an individual who commits a crime is not wholly deterred from engaging in crime, but instead modifies his or her behavior to reduce the probability of detection and punishment.
Restrictive deterrence theory is a subset of the broader deterrence theory, which understands individuals as rational actors who are susceptible to the influence of sanctions, as they weigh the potential costs and benefits of committing a crime (Bentham [1789] 1970). Therefore, it is believed that the presence of a surveillance message will deter computer system trespassers from committing a crime, given the presence of incriminating evidence against them.
Wilson and colleagues (2015) found no statistically significant impact on measures of crime deterrence. The presence of a surveillance banner did not deter trespassers from entering computer commands during the first system trespass, and it did not deter trespassers from trespassing repeatedly.
Study 1
Repeated System Trespass
There was no statistically significant difference in frequency and probability of repeated trespassing events between the treatment and control groups.
First System Trespass
There were no statistically significant differences in entering of computer commands during the first system-trespassing event between the treatment group and the control group.
Study 2
Duration of Trespass Incidents
The results showed that the warning banner reduced the duration of system-trespassing incidents on target computers, compared with the duration of system-trespassing incidents on control computers. This difference was statistically significant.
Termination of Trespass Incidents
There was no statistically significant difference in the immediate termination of trespass incidents between the surveillance-banner treatment group and control group.
Frequency of Trespass Incidents
There was no statistically significant difference in frequency of trespass incidents between the treatment and control groups.
Study 3
Navigation or Change File Commands
When comparing the treatment and control groups, Testa and colleagues (2017) found there was no statistically significant impact on the probability of either navigation or change file permission commands being entered on the attacked computer system. This suggests that the presence of the warning banner on an attacked computer system did not affect the behavior of trespassers.
Study
Testa and colleagues (2017) used a randomized controlled trial to evaluate the influence of a warning message on system trespassers’ navigation of the attacked computer system and file permission manipulation. The authors also evaluated whether the effects of a warning message varied based on system trespassers’ level of administrative privileges on the system. The experiment took place at a large university in the United States.
They employed 300 public IP addresses at “high-interaction honeypot” computers (target computers used as a decoy for research purposes) and used specialized software (Sebek keylogger) to collect data on different components of system-trespassing incidents. The target computers were deployed for a 6-month period (October 2011 to April 2012), during which time researchers waited for system trespassers to find the computers and infiltrate them. Researchers recorded trespassers’ behavior by recording two common online behaviors: navigation on the trespassed system and changing file permissions. Prospective trespassers could infiltrate the system using either an administrative or nonadministrative user account. To simulate a genuine environment, the computers were modified to reject login attempts until a predetermined number of login attempts (between 150 and 200) had been reached. Once the predetermined number of login attempts had been reached, users were given access and were assigned to a warning computer, which displayed a surveillance message, or to a no-warning computer, which did not display a surveillance message. The surveillance message was as follows: “The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to institutional disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, the Institution may provide the evidence of such activity to law enforcement officials” (Testa et al. 2017, 700). System trespassers were allowed to engage with the infiltrated computer for a 30-day period. After 30 days, access was blocked and the computer was cleaned and redeployed.
Over the 6-month course of the experiment, 502 target computers were deployed and infiltrated, and 221 of the target computers were used by trespassers to enter commands. A total of 553 system-trespassing incidents were recorded; 415 of these events were initiated by system trespassers who used administrative credentials, and the other 138 used nonadministrative credentials. Approximately half of the system-trespassing events were recorded on computers with a warning banner.
The primary outcome measure of interest was the effect of the warning banner on the probability of navigating on the attacked computer system and changing file permissions. A t-test was used to examine differences between the treatment and control groups. Navigation on the computers is usually performed by typing three key navigation commands: 1) change directory (cd); 2) list files (ls); and 3) print working directory (pwd). The cd command is used to change the directory the trespasser is currently working in, to navigate through the targeted computer system and reach a desired point during the trespassing event. The ls command can help generate information about the files and contents available in the current directory. The pwd command is used to report the full pathname of a working directory, which is used for storing files. Finally, the change file permission command (chmod) is used to change the permissions of files, which define the way in which a particular file can be accessed.
Study
Maimon and colleagues (2014) used a randomized controlled trial in their evaluation of the influence of a warning banner on the progression, frequency, and duration of system-trespassing incidents. The experiment took place at a large university in the United States.
Eighty public IP addresses were employed, and specialized software (Sebek keylogger) was used to collect data on different components of system-trespassing incidents. The computers were deployed for a 2-month period (April 1 to May 20, 2011) during which time researchers waited for system trespassers to find the computers and infiltrate them. To simulate a genuine environment, the computers were modified to reject login attempts until a predetermined number of login attempts had been reached. Once the predetermined number of login attempts had been reached, users were given access and were assigned to a warning computer, which displayed a surveillance message, or to a no-warning computer, which did not display a surveillance message. The surveillance message was as follows: “The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to institutional disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, the Institution may provide the evidence of such activity to law enforcement officials” (Maimon et al. 2014, 41). System trespassers were allowed to engage with the infiltrated computer for a 30-day period. After 30 days, access was blocked, and the computer was cleaned and redeployed. Over the 2-month course of the experiment, 86 target computers were deployed and infiltrated, and 42 of these had a warning banner installed. A total of 971 system-trespassing incidents were recorded; 451 of these were recorded on the no-warning computers, and 520 sessions were recorded on the warning computers.
Outcome measures included immediate incident cessation, which was determined by measuring whether the trespassing incident ceased after 5 seconds. The second measure, incident duration, was measured by the elapsed time in seconds between the beginning and end of the trespassing incident. The third measure, frequency of incidents, was measured by determining the average number of repeated system-trespassing incidents. A Cox proportional-hazard regression was used as well as a t-test.
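The outcome measures described for Testa and colleagues (2017) and Maimon and colleagues (2014) can be computed from honeypot session records as in the following added example, which is not code from either study. The incident records, host names, and the reading of "immediate" as an incident lasting at most 5 seconds are assumptions made for illustration; the sketch produces descriptive measures only and does not reproduce the studies' t-tests or Cox regression.

```python
from collections import defaultdict
from statistics import mean

NAVIGATION = {"cd", "ls", "pwd"}   # navigation commands named in the profile
CHANGE_PERMISSION = {"chmod"}      # change file permission command

# Constructed sample incidents: (computer, banner shown, start s, end s, typed lines)
INCIDENTS = [
    ("hp01", True, 0, 4, []),
    ("hp01", True, 900, 960, ["pwd", "ls -la", "cd /tmp"]),
    ("hp02", True, 0, 30, ["w", "uname -a"]),
    ("hp03", False, 0, 200, ["ls", "chmod +x run.sh", "./run.sh"]),
    ("hp03", False, 500, 503, []),
    ("hp03", False, 800, 1100, ["cd /var/tmp", "chmod 777 a"]),
    ("hp04", False, 0, 120, ["cat /proc/cpuinfo"]),
]

def command_names(commands):
    """Return the command word of each typed line, ignoring arguments and paths."""
    return {line.split()[0].rsplit("/", 1)[-1] for line in commands if line.split()}

def summarize(incidents, cessation_seconds=5):
    """Compute outcome measures per banner condition (True = banner shown)."""
    groups = defaultdict(lambda: {"durations": [], "names": defaultdict(set),
                                  "counts": defaultdict(int)})
    for computer, banner, start, end, commands in incidents:
        g = groups[banner]
        g["durations"].append(end - start)               # incident duration in seconds
        g["names"][computer] |= command_names(commands)  # commands seen per computer
        g["counts"][computer] += 1                       # incidents per computer
    report = {}
    for banner, g in groups.items():
        durations, seen = g["durations"], list(g["names"].values())
        # Assumption: "immediate" cessation = incident lasted at most 5 seconds.
        immediate = sum(d <= cessation_seconds for d in durations)
        report[banner] = {
            "computers": len(seen),
            "incidents": len(durations),
            "mean_duration_s": mean(durations),
            "immediate_cessation": immediate / len(durations),
            "mean_incidents_per_computer": mean(list(g["counts"].values())),
            # Computer-level probabilities: any such command on that computer.
            "p_navigation": sum(bool(s & NAVIGATION) for s in seen) / len(seen),
            "p_change_permission": sum(bool(s & CHANGE_PERMISSION) for s in seen) / len(seen),
        }
    return report

if __name__ == "__main__":
    for banner, row in sorted(summarize(INCIDENTS).items()):
        print("banner" if banner else "no banner", row)
```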
Study
Wilson and colleagues (2015) used a randomized controlled trial in their evaluation of the deterrent effect of a warning banner in an attacked computer system on further system engagement. The experiment took place in a large, public university in the United States.
Three hundred public Internet protocol (IP) addresses were employed and designed to simulate real computer systems with vulnerable entry points. The computers were deployed over a 7-month period (from April 4, 2013 until November 3, 2013), during which time researchers waited for trespassers to find the computers and attempt to compromise them. To simulate a genuine computing environment, computers were set to reject the login attempts by system trespassers until a predefined threshold of attempts was reached. When this threshold was met, the login credentials used were treated as legitimate credentials for the system. System trespassers then had to input these credentials into the target computer to allow further access to the attacked system. Once intruders gained access, they were randomly assigned to one of four conditions. The first condition involved displaying the following surveillance banner upon each entry to the system: “This system is under continuous surveillance. All user activity is being monitored and recorded” (Wilson et al. 2017, 838). The second condition involved running surveillance software without the banner. The third condition involved both the presence of the surveillance banner, upon each entry to the system, as well as the surveillance software. The final control condition did not involve displaying a banner or running the surveillance software. Trespassers were allowed to work with their assigned computer for a 30-day period. At the end of the 30-day period, trespassers’ access to the computer was blocked.
Over the 7-month experimental period, 660 computers were successfully compromised and retained at least one system-trespassing event. This included 155 computers, which received just the surveillance banner; 164 computers, which received just the surveillance software; 169 computers, which received both the surveillance banner and software; and 172 computers from the control condition, which received neither the surveillance banner nor the software. Computers experienced 2,942 trespassing incidents during the experimental period with computer commands entered on the attacked system in 1,318 of these incidents. Demographic characteristics of the sample were not collected, given that the study’s unit of analysis was at the computer level.
Outcome measures included the presence of any commands having been entered in the target computer during the first system-trespassing incident, whether computers had more than one recorded trespassing event, and the presence of any commands entered in the target computer during the second system-trespassing incident. For analytic purposes, the four conditions were consolidated into a banner group (which included the surveillance banner-only group and the surveillance banner plus software group) and a no-banner group (which included the software-only group and the no-surveillance banner and no-software group). Differences in probability were calculated for each measure across the four conditions.
Moderator Analysis
Maimon and colleagues (2014) also conducted a moderator analysis to test whether different system configurations, such as RAM size and bandwidth capacity, might moderate the effects of a warning banner on the duration of system-trespassing incidents. However, the results showed that there was no statistically significant impact on outcome measures even when controlling for different system configurations. In addition, Testa and colleagues (2017) conducted a supplemental analysis to test whether the effects held at the single trespass-event level. Effects at the single trespass-event level were consistent with those at the target-computer level. They also conducted a moderator analysis to test whether different system configurations, such as RAM size, bandwidth capacity, and disk space, might moderate the effects of a warning banner on the presence and volume of navigation and change file commands. However, the results showed that there was no statistically significant impact on outcome measures even when controlling for different system configurations.
These sources were used in the development of the program profile:
Testa, Alexander, David Maimon, Bertrand Sobesto, and Michel Cukier. 2017. “Illegal Roaming and File Manipulation on Target Computers: Assessing the Effect of Sanction Threats on System Trespassers’ Online Behaviors.” Criminology & Public Policy 16(3):689–726.
Maimon, David, Mariel Alper, Bertrand Sobesto, and Michel Cukier. 2014. “Restrictive Deterrent Effects of a Warning Banner in an Attacked Computer System.” Criminology 52(1):33–59.
Wilson, Theodore, David Maimon, Bertrand Sobesto, and Michel Cukier. 2015. “The Effect of a Surveillance Banner in an Attacked Computer System: Additional Evidence for the Relevance of Restrictive Deterrence in Cyberspace.” Journal of Research in Crime and Delinquency 52(6):829–55.
These sources were used in the development of the program profile:
Bentham, Jeremy. [1789] 1970. An Introduction to the Principles of Morals and Legislation. New York: Oxford University Press.
Gibbs, Jack. 1975. Crime, Punishment, and Deterrence. New York: Elsevier Scientific.
Setting (Delivery): Campus
Program Type: General deterrence, Situational Crime Prevention
Current Program Status: Not Active