Program Profile: Place Management for System-Trespassing Behaviors in a Cyber Environment

This program used banners indicating that a cyber infrastructure was cared for and supervised to reduce crime in the cyber environment. The program is rated Promising. During a 90-day period, the treatment condition had statistically significant reductions in user activities during system trespassing sessions and the average number of commands typed into the attacked computer, and in the likelihood of system trespassers returning to the hacked environment, compared with a control condition.

A Promising rating implies that implementing the program may result in the intended outcome(s).

This program's rating is based on evidence that includes at least one high-quality randomized controlled trial.

Program Goals

Crime prevention through environmental design (CPTED) operates on the belief that “the proper design and effective use of the built environment can lead to a reduction in the fear and incidence of crime, and an improvement in quality of life” (Crowe, 2000, 46). This approach to crime prevention hypothesizes that, by changing an individual’s perception of a place, crime can be reduced (Brantingham, Brantingham, and Wong, 1991; Cozens, Saville, and Hillier, 2005) and this can apply to both physical environments and cyber or online computing environments While criminal activity may take place in cyber environments, research has found that many traditional criminal justice policies for reducing cybercrime (such as sanctions) have been ineffective (Fisher, Maimon, and Berenblum, 2021).

The goal of crime prevention in the cyber environment is to prevent hacking, also referred to as system trespassing, the unauthorized access of a computer system with criminal intention (Grabosky, 2001). Therefore, the goal of this intervention was to employ principles of CPTED to reduce crime committed in a cyber environment, specifically focused on reducing system trespassing.

Program Components

CPTED offers a range of nonpunitive methods for reducing crime through the purposeful design of environments. Four key principles of CPTED that have emerged are 1) territoriality, 2) surveillance, 3) access control, and 4) place management (Sohn 2016). Territoriality requires creating and maintaining spatial hierarchies and ensuring that clear, well-recognized boundaries exist between public and private areas (Sutton, Cherney, and White, 2008). Surveillance aims to increase the perceived risks associated with offending by increasing the perception that all actions in a space will be observed (Sutton, Cherney, and White, 2008, 63). Access control strategies aim to encourage, restrict, and channel activities while denying access to those who have the potential to commit a crime (Sutton, Cherney, and White, 2008).

Finally, place management (which is the focus of the CrimeSolutions review) relies on the concept that management and maintenance of the physical environment send cues to those using the space. If a place appears not to be maintained, it is less likely to encourage legitimate use. Therefore, this strategy involves direct or indirect evidence to users that there is ownership over the space, and someone will take action against wrongdoing. In the physical environment, this involves keeping public spaces clean and rapidly repairing any vandalism and graffiti. An example of place management in the cyber environment is presenting trespassers with a banner indicating that the infiltrated infrastructure is cared for and supervised by an administrator, to increase the perceived likelihood of corrective action by the owner of the space.

Program Theory

CPTED is rooted primarily in rational choice theories of crime and draws on insights from criminology, environmental psychology, planning, and architecture (Cozens, 2008). Specifically, the place management principle of CPTED draws on the broken windows theory, that the management and maintenance of the physical environment send cues to those who use a space (Maynard, 2004, 9, as cited in Fisher, Maimon, and Berenblum, 2021). Public places that are broken down, dirty, vandalized, full of trash, and that generally look like they are not taken care of are less likely to encourage legitimate use by most groups, and less likely to engender a sense of pride and ownership by the community (Sutton, Cherney, and White, 2008). Conversely, well-maintained spaces that are well used and supervised send out messages to would-be wrongdoers that the community cares (McCamley, 2001). Consistent with this, presenting hackers with a banner indicating that the infiltrated infrastructure is cared for and supervised by an administrator may reduce online trespassers’ activity during the progression of the event by increasing the perceived likelihood of corrective action by the owner of the space, and reduce their likelihood of repeated system-trespassing (Fisher, Maimon, and Berenblum, 2021).

Study 1

Fisher, Maimon, and Berenblum (2021) conducted a randomized controlled trial to test the effectiveness of crime prevention through environmental design (CPTED) principles in reducing system trespassers’ hacking behavior in a cyber environment during a 90-day observation period. Unique data were collected by a large set of target computers, also known as honeypots, which are built for the sole purpose of being attacked (Stoll, 1989; Spitzner, 2003) and can be used to test the effects of CPTED principles (such as place management techniques) on reducing crime in the cyber environment. Honeypots are deployed on computer networks, to simulate a genuine computing environment and track system trespassers’ behaviors through Public Internet Protocol (IP) addresses, which are unique numeric labels (e.g., 131.87.17.67) that identify specific devices that are connected to a computer network and use an Internet Protocol to communicate with other devices (Ruiz–Sánchez, Biersack, and Dabbous, 2001).

The target computers were deployed on the computer network of a Chinese university between Nov. 6, 2015, and Feb. 24, 2016, for system trespassers to find and employ special software cracking tools to break into them. One hundred Public Internet Protocol (IP) addresses were used for the deployment. To simulate a genuine environment, the target computers had an Ubuntu–Linux–based operating system installed and were modified to reject the login attempts by system trespassers on its public IP addresses until a predefined number of attempts was reached, or once a password commonly used by a legitimate user was entered.

Once access to the target computer had been granted, system trespassers were randomly assigned to either the control condition or one of the four experimental conditions that used principles of CPTED: 1) territoriality, 2) surveillance, 3) access control, and 4) place management. In the place management experimental condition, a banner indicating that the device was cared for by an administrative person was presented to the system trespasser. The CrimeSolutions review of this study focused on the results of the place management experimental condition, compared with the control condition.

The main unit of analysis was the system-trespassing event. As such, all variables and analyses were designed to examine how the behavior exhibited by users of each IP address observed on the target computer during a system-trespassing event varied across the CPTED condition to which they were exposed (or the control).

Three outcome measures were constructed to examine whether each treatment condition was able to reduce engagement with the target computers (two measures) and reduce the likelihood of subsequent system-trespassing events (one measure). For each of these three outcomes, if the CPTED treatments were to succeed, there would be decreases in each measure relative to the control. The first outcome measured the number of concurrent Secure Shell sessions/open terminals per unique IP address during a system-trespassing event. Linux users can control the computer they work with as administrators remotely through a Secure Shell, a condition that hackers exploit. Once connected to a computer through Secure Shell sessions, the system trespasser can transfer files between the two machines and execute commands on the remote machine. Running concurrent Secure Shell sessions implied increased hacking activities during the system-trespassing event, as more operations could be conducted on the remote computer simultaneously. This measure was coded as a count variable, with (1) indicating a single Secure Shell session originated in a given IP address during a system-trespassing event, and higher numbers represent higher numbers of concurrent sessions. The second dependent variable was the number of commands that were entered in the target computer during the system-trespassing incident, coded as a count variable, with (0) indicating that no commands were entered from a given IP address after gaining access to the target computers. Finally, the third dependent variable was measured as a binary outcome that differentiated between unique IP addresses with more than one recorded trespassing event (1) and IP addresses with only one recorded trespassing incident (0).

The differences between experimental conditions and the control condition were not assessed. In the place management condition, there were 22 target computers, 737 unique IP addresses (system trespassers), 1,807 open-terminal/Secure Shell sessions, and 824 commands. In the control condition, there were 18 target computers, 594 unique IP addresses, 1,802 open-terminal/Secure Shell sessions, and 994 commands.

To allow the collection of meaningful data on system-trespassing incidents, the different components of the system-trespassing incident were monitored using specialized software that recorded the system-trespassing events for later analysis. The collected logs from the servers included all the commands that were entered by the hackers and the software they downloaded. Subgroup analysis was conducted by a type of command used after system trespassers gained access to the computing system.

Subgroup Analysis

Fisher, Maimon, and Berenblum (2021) conducted a subgroup analysis by type of command used after system trespassers gained access to the computing system. System trespassers in the place management experimental condition had statistically significant reductions in the use of the three most frequently used commands: “wget,” which is used to retrieve content from a server; “ps,” which displays the currently running processes; and “kill,” which stops currently running processes, compared with system trespassers in the control condition, during the 90-day observation period.

These sources were used in the development of the program profile:

These sources were used in the development of the program profile: