hackerarticle2019.pdf

Breaking Bad in Cyberspace: Understanding why and how Black HatHackers Manage their Nerves to Commit their Virtual Crimes

Mario Silic1 & Paul Benjamin Lowry2

# Springer Science+Business Media, LLC, part of Springer Nature 2019

AbstractWhat is happening in hacker’s minds when they are committing criminal activities? How black hat hackers manage nerves, whichis about managing fear and underlying emotions, and which tactics they employ during their decision-making process before,during and after committing a crime, is the question that could provide some initial insights on hacker’s trajectories, their switchfrom black hat to white hat and ultimately about their behaviors and motivations. The main difficulty in answering this questionresides with the access to hacker’s data. To address this gap, we conducted interviews with 16 black hat hackers. Supported by thegeneral strain theory and routine activity theory, we identified five techniques that they use to manage their nerves: shunting,minimization, plan B, thrill, and lens widening techniques. Each of these techniques help hackers to better manage their nervesand consequently, learn how to better cope with the fear. During their psychological decision-making processes, hackers use thesefive techniques to create a new mindset, behind which they hide, with the objective of minimizing and mitigating the inherentrisks they encounter during their criminal activities. The theoretical importance of nerve is the key to a better understanding ofblack hat hacker’s illegal acts, their behaviors and ultimately their actions.

Keywords Black hat hacker . Security . Criminology nerve management . General strain theory . Routine activity theory (RAT)

1 Introduction

In 2016, black hat hackers, that we define as individuals withextensive computer knowledge employed to get personalgains or for other malicious reasons by conducting illegalactivities (Chandler 1996; Smith and Rupp 2002), were be-hind major cyber security incidents (Cisco 2018; EY 2018).This caused an average 20% loss of a company’s customerbase with a trend of the hacking becoming more business andcorporate oriented with unprecedented levels of sophisticationand impact (Cisco 2018). The resulting revenue loss opportu-nities push companies to increase their security investments,since it is unlikely that the magnitude and the impact ofcybercriminal attacks will decrease, given the current rate of

increase in internet traffic. Sony, Ashley Madison, JP Morganare examples of recent security incidents which reveal thepervasiveness of this issue. To combat this trend, it is essentialto get a better understanding of cybercrime’s costs, benefits,and attractiveness (Kshetri 2006). However, little is knownabout the people behind these illegal cybercrime activities,for three key reasons: (1) given its criminal nature, it is diffi-cult to obtain reliable data (Benjamin et al. 2019; Mahmoodet al. 2010); (2) the fact that existing studies are anecdotal andrely on descriptive accounts and reporting (Crossler et al.2013); and (3) the lack of a solid theoretical foundation tosupport the empirical evidence (Crossler et al. 2013;Mahmood et al. 2010). A key weakness in the IS securityliterature is that it focuses too much on policy complianceand non-malicious behaviors; by contrast, there is a clear needfor more research on the “black hat” dimension of cyber se-curity (Benjamin et al. 2019; Mahmood et al. 2010), with afocus on the malicious and deviant (i.e., criminal) behaviorthat threaten organizations (Crossler et al. 2013; Lowry et al.2017; Willison and Lowry 2018; Willison et al. 2018).

Different theories, ranging from the differential associationtheory (Blackburn 1993), theory of operant conditioning(Skinner 1972), social learning theory (Bandura and Walters1977; Lowry et al. 2016), to deterrence theory (Gibbs 1975;

* Mario [email protected]

Paul Benjamin [email protected]

1 University of St. Gallen, Mueller-Friedberg-Str. 8, 9000 St.Gallen, Switzerland

2 Pamplin College of Business, Virginia Tech, Blacksburg, VA, USA

Information Systems Frontiershttps://doi.org/10.1007/s10796-019-09949-3

Willison et al. 2018), have all been relatively effective inexplaining deviant behaviors and criminal continuation.However, because hacking is an unconventional criminal ac-tivity (Davis and Hutchison 1997), there is no single theorythat well explains hacker1 behavior. Interestingly, the role ofemotion, stemming from the general strain theory (Agnew1992), was found to be one of the central factors in drivingdeviant behavior that is fostered by anger and frustration.Although this theory was widely applied in traditional streetcrimes (Baron 2004), it is not clear what role emotion mayplay in the hacking context. In particular, we are interested inhow black hat hackers process their fear and subsequentlymanage their nerves when committing a virtual crime.Clarifying this theoretical issue would be of high importancein better understanding the hacking criminal behavior.Notably, we would extend existing theoretical understandingsof hacker-offending decision-making processes.

That is, we are particularly interested in understanding howblack hat hackers manage fear and their nerves. Nerve man-agement is about the ability to manage fear and underlyingemotions. Nerve management is essential, since it drives thedecision-making process during the criminal act (Cornishet al. 2008). Unlike other criminal activities (e.g., car thieves),where offenders develop various tactics (e.g., self-medication,shunting, fatalism) for committing crime (Jacobs andCherbonneau 2017), black hat hackers, likely employ differ-ent tactics to create and manage their nerves because they arein a highly unique criminal context that is virtual and percep-tually hidden in a computer system,.

The importance of better understanding these tactics is es-sential in better understanding black hat hacking, and ulti-mately how to thwart it. Indeed, in the hacking decision-making processes, calm nerves should facilitate better controlof the crime situation, minimizing risks and possible sanctionthreats. It is particularly compelling to consider how black hathackers manage their nerve, given that face the possibility ofsevere sanctions if they are caught (e.g., arrest, prosecution,loss of employment, and fines). According to Holt and Bossler(2014, p. 33): “The increasingly rapid adoption of technologyat all ages in industrialized nations requires research identify-ing how the use of computers and the Internet affect adoles-cent development through adulthood and involvement in bothon- and off-line offending” (p. 33). We argue that better un-derstanding how emotional dimension, and more precisely ahacker’s nerves, is managed could provide new insights intohacker trajectories and their psychological functioning. It isevident that nerve management could be an important unex-plored dimension that could provide theoretical explanationsof hacker’s emotional states they have to cope with whenconfronted to crime situations.

In this context, our study relies on the qualitative approachbased on grounded theory (Corbin and Strauss 2008), which isparticularly useful in dynamic environments (Strauss andCorbin 1994), such as the hacking context (Turgeman-Goldschmidt 2005). Indeed, according to Turgeman-Goldschmidt (2005, p. 10) “the best way to reach the truemeaning of the criminal behavior of hackers requires usingqualitative research methods in general and the grounded the-ory in particular because computer crime has yet to be exten-sively explored from the offenders’ points of view (i.e., theirperceptions, attitudes, behaviors, etc.)” (p. 10). By applyingthe grounded theory approach we can discover relevant cate-gories and relationships among them (Strauss and Corbin1994) to reveal the justification for the black hat hacker’smotivations and psychological states that drive and shape theirnerve management. We argue that the theoretical importanceof nerve management is the key to a better understanding ofthe black hat hacker’s illegal acts, behaviors and actions. It iscrucial to understand how black hat hackers manage theirnerves and which factors influence their decision-making pro-cess before and after committing a crime. The answer to thisquestion could provide some initial insights on hacker’s tra-jectories, their switch from black hat to white hat and theirbehaviors and motivations.

In the following sections, we present the theoretical foun-dations for this study, followed by the research methodology.We then discuss our findings and conclude the study.

2 Theoretical Background

Our research applies grounded theory approach which shouldprovide us relevant explanations, interpretations and implica-tions. To apply and interpret our grounded theory develop-ment, we are supported by the theoretical foundations of gen-eral strain theory (Agnew 1992) and routine activity theory(RAT) (Cohen and Felson 1979).

2.1 Development of Crime

Based on its origins in the 1960’s, the word “hack” meantimproving programming flaws of mainframe computers by agroup of MIT students. Fixing bugs and improving program-ming mistakes by doing small “hacks” was performed by anindividual (i.e., hacker). This person was considered to have ahigher level of computer knowledge and was able to alterprograms or systems (Yar 2005). In 1963, one of the firstincidents of malicious hacking was reported (telephonehackers) by MIT’s student newspaper (Lichstein 1963).Hackers are now generally divided into two main groups:white hat and black hat hackers. These two groups have dif-ferent motivations, objectives and rules. While white hathackers are usually considered positively. They seek to

1 Throughout the text, for concision, we use the term, ‘hacker’ to refer to the‘black hat hacker.’

Inf Syst Front

acquire new knowledge and to provide information about vul-nerabilities, weaknesses and threats that they have identifiedin computer systems. By contrast, the black hat hackers at-tempt to achieve financial gain from their knowledge byblackmailing, sabotaging or engaging in other criminal activ-ities (Schell and Dodge 2002). Previous studies that focusedon the motivation behind hacking activities provided differentexplanations for their acts, such as justice (Rogers 2006), en-joyment and curiosity (Turgeman-Goldschmidt 2005), moral-ity and connectedness (Teske 1997), among others.Regardless of the specific motivation to commit an illegalaction, every hacker usually balances benefits and costs, be-fore deciding whether or not to commit the crime (Probascoand Davis 1995). These intangible psychological costs relateto the amount of mental energy required to commit the crime.Fear of apprehension of punishment remains an importantdecision-making criteria before the crime is committed(Kshetri 2006).

Most individuals who commit crimes and act unethicallybelieve that there is nothing wrong in what they are doing(Kallman and Grillo 1998). They do not perceive their actionsas being really illegal, unethical or inappropriate. It is clear thatfor most black hat hackers, committing a cyber-crime does notincrease their guilt level, as is the case for more conventionalcrimes (Phukan 2002). This is because it is not always easy toidentify the victim, as well as different socio-cultural back-grounds where the cost of their acts is weighed against thecontext in which they operate (Deci and Ryan 2010).

To date, little empirical evidence has been provided to fur-ther explain the black hat hacker’s motivations (Crossler et al.2013; Holt and Bossler 2014; Holt et al. 2012; Mahmood et al.2010; Schell and Holt 2009). This has contributed to the dif-ficulty in getting the data (Benjamin et al. 2019). The majorityof previous studies primarily focused on discussing hackersmotivation, rather than providing empirical evidence (e.g.,Cross 2006; Schell and Dodge 2002). Other studies that triedto understand the complex hacker’s phenomenon, mostly fo-cused on the student population (e.g., Hu et al. 2011;Rogers 2006). However, we believe students are a par-ticularly poor sample frame from which to represent thecomplex psychological motivations behind black hathackers’ highly criminal. Moreover, the other flaw inthese studies is they did not analyze the actual context inwhich hackers operate, such as hackers forums or InternetRelay Chats (e.g., Benjamin et al. 2015; Benjamin et al.2019; Benjamin et al. 2016). Importantly, the few studies thatused known hackers as informants (e.g., Holt 2009; Hu et al.2011; Schell and Holt 2009; Young et al. 2007), revealed thathackers perceive a low level of potential sanction. They alsobelieve that they will not be caught easily. This signals that thelikelihood of punishment is low (Young et al. 2007). Thesefindings indicate that hackers are able to manage their nervesin the face of great potential risks they engage in.

An assessment of cybercrime research by Holt and Bossler(2014, p. 33), has showed three kind findings that we build on:(1) that there is a considerable increase in scientific contribu-tion on various forms of cybercrime; (2) that traditional crim-inological theories generally hold in the online context; but,also (3) that there are still important new avenues for researchto explore, and especially to further examine “breadth ofexisting and recent criminological theory to expand ourknowledge of cybercrimes.” Notably, existing knowledge onhacker’s motivations, ranging from political or religious rea-sons (Holt 2009) to money, entertainment, ego, cause, en-trance to a social group, and status (The-Honeynet-Project2004), is relatively well researched. However, little to no re-search on hacker’s demographics, psychological predisposi-tions, and social/behavioral patterns exists (Schell and Holt2009). We position our research within the psychologicalboundaries in which emotional states and fear managementare taking roots. This positioning is guided by the theoreticalinput that we detail in the following section.

There are several theories, originating from the criminolo-gy field, that fit well into the hacking context, such as self-control theory (Gottfredson and Hirschi 1990), RAT (Cohenand Felson 1979), situational action theory (Wikström 2004,2006), or even theories borrowed from economics (Kshetri2006; Leeson and Coyne 2005). However, due to the differentcontext in which they operate, compared to other crime con-texts where physical violence is usually present, we argue thatthere is a need to apply different theoretical insights to supportthe underlying premises. Hackers do not always operaterationally—especially in terms of operating through costs,benefits, and sanctions—as economic theories would suggest(Yar 2005). Something else is driving them and allows them tosuspend threat of sanctions that most people would perceive.A lack of empirical studies to validate the applicability ofcertain theories in the hacking milieu and with known hackers,suggests that different theoretical premises should be incorpo-rated into the theoretical foundation, when studying hacker’sbehaviors. We address this mystery.

To guide the interpretation of our grounded theory re-search, we rely on the general strain theory (Agnew 1992)and RAT (Cohen and Felson 1979). General strain theoryargues that negative emotions can lead to anger and frustra-tion, where individuals experiencing strains or stressors en-gage in crime to escape from those stressors. These negativeemotions are particularly important in the hacking context asthey could be a source of inspiration for illegal behavior.Several specific strains are advanced in the theory such asthe failure to achieve positively valued goals (e.g., money)or the presentation of negatively valued stimuli (e.g., politicalmotives such as injustice related to different causes) (Patchinand Hinduja 2011). The first strain is about unmet expecta-tions of individuals that leads to disappointment. The secondstrain is a response to the negatively valued stimuli in which

Inf Syst Front

individuals look for avoidance, leading to negative and illegalactivities such as hacking. Finally, these negative emotionscall for a way to relieve one’s internal pressure. Accordingto Patchin and Hinduja (2011) when people cannot achievetheir goals then strain will be experienced, which can thencause them to turn to crime. Typically, this path to the criminalbehavior can be seen among black hat hackers where failure toachieve positively valued goals, such as financial remunera-tion, leads to the criminal behavior.

RAT suggests that crime commitment is the result of anopportunity, highlighting “the convergence of motivated of-fender, suitable target, and the lack of a capable guardian ata particular place and time as the core elements necessary fora crime to occur” (Groff 2008, p.99). Motivated offenders areindividuals or groups that have the ability and motivation tocommit a crime for various reasons. Guardianship refers tothe ability to intervene into a crime (i.e., the hacking activity)and consequently, prevent it. Importantly, in our virtualcybercrime context, the concept of physical proximity is re-moved (Yar 2005). Consequently, the applicability of RAT tocybercrime is even more relevant because victims are placedin the “virtual proximity” to motivated offenders. That is,opportunity for black hat behavior is increased because it iseasier for motivated offenders to find victims because they donot have to be physically proximate. Typically, the risk isgreatly increased in online situations in which individualsdemonstrate higher amounts of time spent online, higher useof internet banking or online purchases, and have overall morerisky online behavior. Furthermore, RAT provides an expla-nation that in absence of capable guardianship, the costs ofcommitting the crime are relatively low, which then increasesthe benefits. Capable guardians are usually translated into lackof security measures such as lack of antivirus, low malwareprotection, or inadequate network security in the organization-al context (Reyns 2013). In all these situations, higher victim-ization can be expected as a consequence of a lack of actionson the victim’s side. Consequently, the costs for hackers toperform illegal activities are relatively low as they have toinvest much less of resources to conduct hacking.

Thus, it is one thing to be angry and have a general moti-vation for criminal hacking—a necessary but insufficient startfrom general strain theory—but a potential hacker needs asuitable target for which they can believe they can reasonablehack to express their anger—it cannot be just any target.Meanwhile, the “capable guardian” component of hacking isespecially crucial in calculating the risks and uncertainties. Asillustration, suppose a hacker is angry by the US government’spolicies and activities in the Middle East. Unless the hackerhas unusual capabilities, and a network of similarly mindedhackers, he/she probably would not consider hacking thePentagon’s computers to be a realistic target or one for whichhe/she could manage his/her nerves. This is because the“guardians” (and associated technologies) that protect the

Pentagon’s computer are among the best in the world.Instead, it would be more realistic to hack a regional newspa-per website that is considered pro-US in its coverage.

Overall, general strain theory explains that different strainsare impacting hacker’s emotional state motivating him/her tocrime, whereas RAT explains the crime context in which the“virtual proximity” is the main facilitator of the criminal be-havior. Applying these theoretical lenses in our context, blackhat hackers, when committing a cybercrime where costs andbenefits of their acts are evaluated, manage their nerves dif-ferently than other more standard types of crimes (e.g. drugsmuggling). In the next section, we conceptualize nerves anddiscuss nerve management from a hacker’s perspective.

2.2 Nerve Management

In this section, we explain how nerve management works forhacker’s in respect to both general strain theory and RAT.Overall, nerve management can be a useful technique thathackers can use to intervene into their cognitive reasoning tomoderate and mitigate the fear that they may experience dur-ing their criminal acts. Nerve management is about managingthe uncertainty and providing more clarity to their owndecision-making space they create in their psychological andmental states when they engage in criminal activity. However,the technical knowledge (higher or lower) to hack in the sys-tem may not be enough to “manage the intense emotionsbrought on by crime, while maintaining some minimal levelof composure” (Cherbonneau and Copes 2006, p.206). This isbecause without proper nerve management, it may not bepossible to succeed in accomplishing the crime. Ironically, thismay be why many black hat hackers eventually become whitehat hackers. In a hacker’s context, the manifestation of nervesoccurs when hackers engage in risky illegal behaviors (e.g.,illegally obtaining data, penetrating a target system, acquiringunauthorized access, and the like). Such risky and illegal ac-tivities can lead the hacker to be recognized by their peers(Levy 2001). However, many such hackers actually care aboutpotential negative outcomes arising from their acts. For somehackers, it is not acceptable to ask for any ransom or to behavein an unethically acceptable way—leading to what is referredto as “white hat” hacker behaviors. It is evident that in all ofthese situations that emotions play an important role.

This criminal context in which negative emotions can leadto anger and frustration is well explained by the general straintheory (Agnew 1992). Strain theory explains that “When le-gitimate solutions are not available, non-economic strain re-sults in non-compliant behavior (Agnew 1999)” (Wall et al.2016, p. 51). Such non-economic strains are typically stressorslike anger and negative emotions, and deviance is a way ofdealing with or escaping from these stressors (Agnew 1999).Crucially, the relationship between emotions and nerve man-agement needs to be better understood as the concept of

Inf Syst Front

nerves is closely related to negative emotion (Jacobs andCherbonneau 2017), which is a consequence of an anger frus-tration situation. This anger/frustration dimensions, the corepremise of general strain theory (Agnew 1992, 1999), suggestthat an offender will rely on these two factors to build thenegative emotion and will, in turn, commit a crime.

Meanwhile, RAT theory argues that criminal behavior isthe result of an opportunity. Although crime can be attractiveto commit (Katz 1988), there is often an explanation for crimeaccomplishment because it provides an opportunity to commitan illegal act due to the absence of capable guardian (Reyns2013) or simply due to the ‘virtual proximity’ context inwhich hacking is greatly facilitated.

Research explains that nerve develops as part of the groupprocess, in which peer pressure is usually high (Hochstetler2001). This leads to the negative act commitment by all indi-viduals who are part of the group (Hochstetler 2001). This istypically true in the black hat context, because hackers withinthe same hacking group will want to show to their ‘peers’ thatthey can handle their nerves and commit an illegal act. Thisallows them to gain recognition and get access to a largercommunity, since they were able to deliver on their acts bydemonstrating strong technical skills and knowledge. As illus-tration, “one of the most effective ways of gaining respect is tomanifest nerve. A man shows nerve by taking another person’spossessions, messing with someone’s woman, throwing thefirst punch, ‘getting in someone’s face,’ or pulling a trigger”(Anderson 2000, p. 92).

Thus, to these hackers, nerve management becomes a keygoal or objective, so that they can prove their abilities to thegreater group (Hochstetler 2002). This process appears to behappening frequently, with repetitive phases, where offendersdemonstrate “a sense of ‘being on autopilot’ or ‘on automat-ic,’ as they proceed from target to target” (Hochstetler 2002,p. 63). It is not surprising that many black hat hackers usesecurity tools (e.g., Metasploit Framework or nmap) to try tohack in an automated way. We also note that many hackers donot use out-of-the-box tools, but rather develop custom toolsand approaches that can be difficult to detect by modern anti-virus or other security tools. Regardless of the approachesused, hacking has become shockingly ubiquitous: A typicalWeb server on the Internet is attacked more than a quarter of amillion times in a day (Vaughan-Nichols 2018).

3 Method

Again, our study used a qualitative research method based ongrounded theory (Corbin and Strauss 2008). Grounded theoryaims at uncovering social relationships and behaviors ofgroups, known as social processes (Crooks 2001).Importantly, by uncovering these processes, theory emergesfrom the data through an incremental and systematic approach

(Parks et al. 2017; Urquhart et al. 2010). Grounded theory isparticularly useful for deeply examining emerging issuescaused by new sociotechnical phenomenon (Parks et al.2017). Consequently, grounded theory has been used effec-tively in several hacker related studies (e.g., Turgeman-Goldschmidt 2005; Turgeman-Goldschmidt 2008), in whichthe outcome of the grounded theory is “a social constructionof the social constructions found and explicated in the data”(Charmaz 1990, p. 1165).

Our data was collected from in-depth interviews (Table 1)with 16 black hat hackers. Since one of the paper’s authorswas a former white hat hacker, we had easier access to theinitial sample of seven black hat hackers, who when asked,suggested 11 informants. All of the interviewees contactedwere black hat hackers who had committed at least one illegalact during their hacking career. Institutional Review Board(IRB) approval of the primary investigator was obtained priorto the project start to remove any possible ethical concernrelated to this project. Other recruitment criteria included thefollowing: 1) the hacker is still active (did not switch to whitehat); 2) the hacker is part of a group and does not act on theirown (this makes it easier to verify if the hacker really belongsto a specific hacking group and is what he/she claims to be)and 3) the hacker is “present” for more than six months (wewanted to exclude novice and inexperienced hackers). Weremoved two informants that did not meet all of these criteria.

To increase the likelihood that the participants were legiti-mate black hat hackers, we conducted ethnographic observa-tions on the Internet sources (e.g., forums) that were revealedby participants during the interview. This was done to increasethe likelihood that no fake participants were interviewed butalso to make sure that the claims advanced by participants(such as being black hat hacker) were true. By analyzing postsand interactions present on the identified sources were able toaccurately confirm hacker’s background and their claims (al-though we anonymized hackers real names/nicknames in thepaper, the ethnographic investigation was done using their realpseudonyms).

The mean age for respondents was 22, with a range from 18to 25 years of age. Detailed demographics are presented inTable 2.

All of the interviews were semi-structured (they took placebetween January 2017 and February 2018) and followed anopen-ended approach. The interviews were between 42 and61 min long (an average of 55 min). Due to the sensitivenature of the topic and since all interviewees wanted to pre-serve their complete anonymity, all of the interviews wereconducted through secured fully encrypted communication(most of the time using skype). Interviewees did not receiveany financial compensation for their participation (this wasexpected, since hacking involves showing to others their ac-complishments through a “feeling of power” that hackerswant to express (Leeson and Coyne 2005). All of the

Inf Syst Front

interviews were recorded. Four interviewees decided toscramble their voice to minimize any potential identification.The interview guideline (Appendix A) was pretested with oneinformation security professional and one white hat hacker.Minor modifications were implemented to better formulatequestions. The interview started with some generic questionsfor the participants, asking them their hacker name, how theybecame hackers, etc. The interview then focused on their mo-tives to commit criminal activities and the way they managetheir nerve, fear and emotions (e.g., a sample question weasked was: “Can you describe how you feel in the presenceof a threat to be caught?” or “Are you afraid to be arrested bythe police?”). The names the hackers used were not secret, andthus the interviewees did not have any objections against ourusing them. Therefore, in the following sections, we refer totheir actual publicly available names.

Following Strauss and Corbin (1994)‘s recommendationson conducting grounded theory building, we first started withinitial open coding.. We proceeded with an axial coding byreducing and clustering different categories that we identified.Finally, we conducted selective coding by detailing andselecting the identified categories. In particular, we usednVivo software (nVivo is a graphical qualitative data analysiscomputer software package) to analyze the qualitative data,identify different information, patterns, and relationships pres-ent in the interviews. We combined or analyzed different cat-egories and subcategories based on their relationships andthen tested the theoretical propositions by referring back tothe data. For example, we grouped different ideas based ongeneral behavior patterns that emerged from interviews andthe corresponding hacking activities that participants detailedduring the interview process.

3.1 How Are Hackers’ Nerves Managed?

In a typical crime situation, fear behind the act of committingthe crime is associated with increased heart rate, faster breath-ing (Warr 2000) or the release of adrenaline into the blood.Physical agitation accompanied by nervousness, decrease inbody temperature, mouth dryness or even psychological sig-nals such as anger, frustration, outrage, are the main signs offear (Ferraro and Grange 1987). Fear can be seen as “an in-hibitory emotion” that should, in most cases, prevent and mit-igate criminal offenses (Topalli and Wright 2013, p. 52).Because the emotion of fear drives deterrence (Beccaria2009), it is expected that the perceived risk of getting caughtor sanction risk will be the result of the fear (Gibbs 1975). ForCusson (1993, p. 55) “fear is obviously at the heart of deter-rence,” but “is not a calculated risk.” It would, therefore, beexpected that hackers behave the same and manage theirnerves accordingly. However, hackers are a different type ofoffender, since they are usually hiding their identity behindtheir computers. Therefore, they are usually not facing thevictim, as is the case with street crimes. It is still expected thatthe fear generated by the thought of the possibilities of appre-hension, would influence the way nerves are managed in thehacker’s mind. However, in reality, the way this cognitiveprocess is managed is different from other criminal situations(e.g., robbery).

3.1.1 From Cognitive Distortion to Broken Windows: Shuntingand Minimization Techniques

Cognitive distortion refers to rationalizing attitudes, beliefs orthoughts about one’s own or other’s social behavior (Barriga

Table 1 Interview detailsHacker (name) Interview length (min) Age Hacking focus Hacking life (in years)

Voodoo 45 22 – Phishing / Denial of Service 5

Phantasm 58 23 – ClickJacking Attacks 2

Trinity 54 25 – Malware, Virus, Trojan 4

L@ky 58 24 – System penetration / intrusion 3

LucNb 54 21 – System penetration / intrusion 6

NotoriusX 61 24 – Malware, Virus, Trojan 8

NbG 42 23 – Ransomware 5

JustiX 57 24 – Phishing / Denial of Service 8

Mr.trojan 60 22 – System penetration / intrusion 7

Crypto 59 23 – Social engineering 6

Hig Hacker 48 18 – Stealing financial data 3

B14D3 49 19 – Phishing / Denial of Service 4

M3M0RY 59 25 – Phishing / Denial of Service 9

Mr Binary 57 22 – Phishing / Denial of Service 4

Yuliux 55 20 – Ransomware, Malware 5

White Devil 60 20 – System penetration / intrusion 6

Inf Syst Front

and Gibbs 1996). In the hacking context, a particularly suit-able cognitive distortion is minimizing or mislabeling, wherethe antisocial behavior is followed by the mentality where theoffender believes that no harm is really done, and that his/heractions can even be seen and accepted as admirable. Whenasked how they felt about their acts, whether it is somethingthey consider to be dangerous, illegal or criminal, they allexpressed the same feeling that it was a ‘non-violent’ actwhich did not harm anyone. For example, Voodoo said:

“…this is just harmless exploration. It's not a violent actor a destructive act. It's nothing.”

Phantasm explained that his/her acts are not violent at all,since it is all about learning:

“Not at all. Well, first of all, I was just looking around,playing around. What was fun for me was a challenge tosee what I could pull off.”

All of the interviewees confirmed the belief that there wasnothing really wrong in what they were doing. The cognitivetactic employed in this context can be referred to as shunting.This is similar to but slightly different from neutralization(Sykes and Matza 1957). Shunting involves only thinkingabout the positive outcomes and putting aside any fear thatmay arise from the action (Jacobs and Cherbonneau 2017).Lord Nikon explained that he/she is not even thinking aboutany negative consequences. He/she sees it as something pos-itive, where he/she will get a new ‘power’ through his/heracts:

“Well, it's power at your fingertips. You can control allthese computers from the government, from the military,from large corporations. And if you know what you'redoing, you can travel through the internet at your will,with no restrictions. That's power; it's a power trip.”

Trinity has a slightly different view when asked about whathe/she considers to be illegal:

“At the first time when I came into the headlines for mybreach…, I was a little bit afraid that I was gettingcaught…I did not leak all the database only a little bitto make them aware of it. If it's legal? In my opinion, it is

legal when you only leak a little bit database to makethem aware of it.”

Several others confirmed Trinity’s position that only doing[leaking] a little is not a problem. This sort of minimizationtechnique is an interesting method that hackers use to cogni-tively minimize the severity of their acts.

Another interesting method used by hackers has its originsin the Broken windows theory (Wilson 2003), which suggeststhat policing methods that target minor crimes are welcome.This is because a fast reaction will most likely prevent biggercrimes to happen. However, these “minor” crimes in thehacking milieu are usually not sanctioned. This provides jus-tification for hackers to continue with their acts, which couldlead to more harmful actions. One hacker explained thatrisks are low, as the cost of their acts is also low.Therefore, they do not expect the police to chase themfor small losses. L@ky commented:

[It seems like a lot of risk for the $2K you've made sofar]”…Well, that is publicly. And in less than a month. Itis no risk for me, as they can't do anything. Like I said,quick easy cash in about a month.”

Another hacker explained

“I’m never hacking a company based in my country – nopolice will come and take me down for such a small cost– If I steel few millions, it would probably be different –but I’m cautious about the amount.”

Clearly, nerves are managed through calculated risks that eachhacker weighs to understand possible gains and losses,but this ‘calculation’ may not be as rational as the hack-er believes it to be. This behavior can be associated tobounded rationality, as seen in security contexts in gen-eral (e.g., D’Arcy and Lowry 2019), because the decisionshackers make are ‘bounded’ by their cognitive limitationsand also influenced by their emotions. As illustration, onehacker (LucNb) boldly claimed that

“only inexperienced or novice hackers do not pay atten-tion to the risks vs fear to get caught – so they makeerrors and cross the line…I never do that.”

3.1.2 Plan B, Thrill and Lens Widening Techniques

Interestingly, most of the interviewed hackers claimed thatthey do not worry too much about being apprehended, wheth-er their illegal acts are small or large. The majority of theinterviewees claim to have some sort of a backup plan. Forexample, Trinity said

Table 2 Demographics

Summary Variable Mean Value Standard deviation

Mean age 22 2.0

Average interview length (in min) 55 5.5

Average hacking life (in years) 5.3 1.92

Inf Syst Front

“Well, it is a little more complicated than that, but I haveplans in case something happens.”

Others also highlighted that they usually have a backup plan,in case things go wrong. They emphasized the importance ofhaving a Plan B. For example, L@ky explained:

“I’m not afraid. In case something goes wrong – I’mready and I know what I will do…I don’t worry somuch.”

This ‘Plan B scenario’ thinking is important in nerve manage-ment. Having a Plan B, reduces the psychological discomfortassociated with uncertainty (Shin and Milkman 2016). It notonly it drives a hacker’s state of mind regarding removing ormitigating the risk factors, it also contributes to a better focuson the Plan B scenario. These hackers feel more comfortablein the way their nerves are managed, since they do not fullyperceive the inherent risks. This is because they convincethemselves they are somehow “secured” by the Plan B sce-nario that they have put in place. However, when hackers wereasked what exactly their Plan B is, most of the them gave avague and unclear answer. Several of them did not want toclearly explain their back up plan. A few others tried to ex-plain it, but their answers were generic. As illustration, onenoted that his/her plan B is:

“I will co-operate and turn to white hat hacker…I’msure I will not go to prison not pay any penalties…thisis anyway not big deal…I did not harm to anyone.”

Another important technique used by hackers to manage theirnerves is experiencing the thrill. Thrill corresponds to a socialentertainment method used by hackers to satisfy their innerpsychological needs (Turgeman-Goldschmidt 2005). Thrill isa positive, powerful emotion that they thus use to cover up thenatural fear that should be resulting from the huge risks theyare taking. For example, NotoriusX commented:

“I was just in it for the thrill” and Ley2x added “To behonest, there is a thrill in knowing that what I do wouldbe illegal except for a legal document that says I’mallowed to do it without getting in trouble.”

Hiding behind the thrill, provides an opportunity for hackersto go after novelty and intense sensations, as a result of achiev-ing their goal (e.g., breaking into a system). This pursuit ofnew experience for its own sake, despite the risks, shows hownerves can be more effectively managed.

Lens widening refers to a technique, in which offendersbelieve that their acts are not that dangerous (Jacobs andCherbonneau 2017). This allows them to believe that there isreally no reason to be nervous. It is a “bigger picture” view, in

which offenders compare their acts against other illegal activ-ities and by doing so, they attribute a lower score to the seri-ousness of their acts. For example, NbG explained:

“what I do is nothing; there are people that get killeddaily and all I do is just sneaking around a bit andlooking what is behind the curtain; the risk of gettingcaught is minimal…I will not go to jail for that.”

A similar behavior can also be found in neutralization theoryvia the ‘denial of injury technique,’ in which an offender in-sists that his/her actions did not cause any meaningful harm ordamage (Sykes and Matza 1957).

Another hacker added that most of the time hacking acts donot get reported. This is because companies are afraid of theimpact that the hacking may have on their image. This sup-ports the lens widening view of the majority of the inter-viewees, who highlighted that their acts are rarely reported.When they are reported or when an investigation takes place,they seem to be “protected” by the gravity of their acts, whichin their view, is not that high. Consequently, they should notbe punished or risk some more serious consequences. This isbecause there are so many more serious crimes, compared totheir hacking activities. They serve a good cause, as explainedby JustiX:

“all I do is to help companies…when I find a bug I tosend them an email informing them about my findings…of course, I learn a lot from their security issues…and Iwill not get caught – why should I? I just helped them byinforming them about the security vulnerability Idiscovered.”

4 Discussion

Our study used grounded theory building approach, supportedby the theoretical lens we applied from general strain theory(Agnew 1992) and RAT (Cohen and Felson 1979), to betterunderstand the theoretical importance of nerve managementby black hat hackers. In particular, we sought to understand,through theory building process, how black hat hackers man-age their nerves and which techniques they use in theirdecision-making process before and after committing a crime.

Drawing from a sample of 16 hackers, we investigated howhackers manage their nerves during illegal hacking activities.According to Jacobs and Cherbonneau (2017), nerves andnervousness are recognized but relatively understudied partsof the offender decision-making process. In that context,“nerve management is, therefore, best considered to be anintervening exercise in the threat perception process, thatmoderates the fear-offending relationship through its effecton nervousness” (Jacobs and Cherbonneau 2017, p. 14).

Inf Syst Front

Through our grounded theory study, we identified five broadertechniques that hackers use to better manage their nerves,including: shunting, minimization, Plan B, thrill and lens wid-ening techniques.

As can be seen from the five techniques described earlier,these hackers are essentially trying to trick themselves to bet-ter manage their nerves by implementing different strategiesthat should help them better cope with the threat. All of theidentified techniques have a common purpose, which is tominimize the fear of sanctions, in such a way that offendersfeel better and minimize the threat-perception process.

From a theoretical perspective, our research offers severalnew insights. First, we addressed the calls to further investi-gate black hat research (Mahmood et al. 2010) to better un-mask the mystery of the hacker world (Crossler et al. 2013),by gaining access to real known hackers as the subjects of ourstudy. This addresses one of the primary challenges in thehacking research. By doing so, we contribute to expandingthe existing theoretical basis of general strain theory (Agnew1992) and RAT (Cohen and Felson 1979), by highlightingtheoretical justifications that each of these theories offer tobetter understand hacking in a nerve management context.In particular, the stressors that hackers experience are impor-tant factors that drive their emotional states. Also, the “virtualproximity” together with absence of capable guardians pro-vide explanations of why hacking is unique as a criminalactivity and highlights the importance of these two dimen-sions for research and prevention. We further propose newlyuncovered techniques that contribute to the frustration or an-ger phenomenon, which is occurring in the hacker’s mindset.All five techniques (i.e., shunting, minimization, Plan B, thrill,and lens widening) contribute at different levels, to bettermanage nerves when experiencing strains or stressors. Thesetechniques are well-positioned within past research that hascalled to further understand the psychological predispositionsbehind criminal acts (Schell and Holt 2009), and in particular,the emotional states of hacker’s minds. In such a context, ourfindings bring new theoretical insights on top of the alreadyestablished criminological theories. This adds new dimensionto the existing cybercrime knowledge which was in need ofbetter understanding of hacker’s motivations and the applica-bility of traditional theories of crime to virtual offenses (Holtand Bossler 2014).

Because negative emotions influence the way nerves aremanaged, emotions are better controlled in the presence ofshunting or minimization techniques. This is because of-fenders will try to escape reality and try to minimize or shedtheir negative thoughts and emotions. Parallel to that process,as suggested by RAT, crime is the result of an opportunity, inwhich the motivated offender will create Plan B and will usehis/her thrill and lens widening techniques to control the fear.As a result, they will be better able to manage their nerves.That is, hackers are weighing costs and benefits and use the

suitable technique to reduce and minimize the negative out-comes in their minds. However, the hackers are deludingthemselves somewhat as in reality they are operating with‘bounded rationality’ influenced by emotions, and do not fullyrationally calculate costs and benefits. This process results inunconscious decisions that downplay the risks and increasebenefits, such as: “there is no big risk in getting caught”;“Plan B exists and will save me if I get into trouble”; or,“This is a small act that I’m doing…it’s no big deal in reality.”This sheds light on the inner motivational states that hackersare going through, when trying to manage their nerves moreeffectively.

Our research thus offers valuable new insights on the psy-chological reasoning in the hacker’s decision-making process,during their crime life cycle. By using different techniques,hackers are indirectly trying to convince themselves that theiracts, which are digital crimes, are not as important as otherphysical crimes (e.g., robbery). Therefore, they delude them-selves into thinking that the inherent risks cannot be the sameand should not be seen in the same way. This is an importantinsight, since it suggests that the seriousness of their acts is notclearly understood, communicated, or explained. Notably, wecontribute to having a clearer understanding of a hacker’scognitive profile, which should contribute to a better under-standing of hacker’s criminal actions and behaviors.Although, this may not be the perfect representation of theblack hat hacker as even within the same hacking group thereare notable differences in their skills and abilities to conducthacking (Holt and Bossler 2014; Holt et al. 2012) our studyprovides some initial insights into psychological structure ofhacker’s motivational states.

Notably, some of the interviewees eventually recognizedthe gravity of their acts, but only after having negative expe-riences with the police. We thus argue that policy makers (e.g.,government officials, legal and justice system policy makers)should learn from this when building and defining criminallaws in respect to hacking. Part of the issue here is that author-ities need to change the calculus that hackers apply to theirnerve management, such that they see greater risk and fear,and thus are less likely to have the nerve to go through withthe act. Here, broadly warning and communicating potentialhackers of specific and severe consequences for specific typesof hacking, versus vague consequences would be a step for-ward. Crucially, this communication needs to be reframedfrom the typical obscure legalese of lawyers to the actual lan-guage used by hackers.

For these reasons, they should try to better communicatenot only the risks for hackers, but also the harm of the hackers’acts for their victims —not only for companies but also forpeople’s lives whose data is exploited (such as their privacyand identity theft). Moreover, they should communicate themonitoring and policing efforts they are doing, especially onthe dark Web, to increase a sense of ‘guardianship’ to decrease

Inf Syst Front

the hacker’s belief they are anonymous and cannot get caught,or that if they do get caught it will actually be a ‘big deal.’Better communication and sensibility toward the hackingcommunity should thus create positive effects in mitigatinghacker’s criminal objectives and goals. Education can be lev-eraged in which ex- black hat hackers could be used to spreadthe message and teach new and existing hackers on the pos-sible consequences of their crimes. Highlighting the fact thatthere are small or large acts, could be one opportunity to beexplored by the policy makers. It would strengthen the mes-sage that no matter how small the financial impact canbe, the hacking crime can have similar consequences interms of the sanctions and punishment, as the othertypes of crimes. Also, policy makers need to understandthis activity as more than mere “hacking” but under-stand it can involve identity theft, stolen currency, dis-abling mission-critical systems that not only can lead todevasting economic consequences but can threaten human life(e.g., traffic control systems, industrial control systems, utilitysystems, military systems.

Furthermore, it is important to explain to hackers that theirPlan B is not what they think of. In reality, Plan B is usuallygoing to prison or paying high fines. Interestingly, this area ofjustice system was highlighted by Holt and Bossler (2014) asbeing one of the important areas that should providemore insights on how the courts and correctional systemshould react when confronted to cybercrime situations.In particular, Plan B, in this context, should be correctlypositioned within the correctional system to account forthe recent evolution and past experiences of offendingthrough technological means. Further understanding ofthis relationship of two opposite sides, offender vs jus-tice system, we could further “understand how the larger crim-inal justice system is responding to cybercrimes at all levels”(Holt and Bossler 2014, p. 34).

Moreover, this improved communication can come fromthose who actively manage and protect servers. The calculusis clearly different in considering hacking a Pentagon comput-er versus the Web site of a small-town newspaper. Here, per-ceptions of the strength of the US government may be just asimportant as the actual strength of the guardianship and tech-nologies involved protecting the computers. Thus, one ap-proach for lesser-known entities would be to leverage the rep-utation and explicitly communicate the guardianship of abetter-known entity (e.g., IBM, Oracle).

Future research could further extend our initial findings onthe importance of hackers managing their nerves and fear insuch a way that future studies could, for example, study thepassage from black hat (illegal) crimes to white hat (ethicalhacking) activities. This could provide some new insights onhow the hacker’s inner psychological motivations are drivenand what motivates them to become good one day. Our re-search is also limited by the fact that we could not verify with

100% certainty that the hackers we interviewed are who theypretend to be; however, we did conduct ethnographic obser-vations to verify the participants’ hacker identity and theirbehaviors as ‘black hat.’ Unfortunately, we could not collectany detailed demographics about the interviewees, due to thenature of their activities. This is a substantial challenge whenstudying any serious criminal behavior. Another challengerelates to the actual definition of the black hat hacker.Although provide a definition in this paper, in reality, thedefinition of who exactly is and is not a black hat hacker is achallenging topic that is not easy to address. Finally, asmotivations of black hat hackers can be different onesranging from state-sponsored attacks to hacktivism, theway their nerve is managed can also be impacted dif-ferentially. For example, if a black-hat hacker is sup-ported by a State and a large group of professionalhackers, their nerve management calculus is going to be quitedifferent than for a lone black-hat hacker. Thus, future re-search should look at nerve management for these differentkinds of motivations.

Overall, in this research, we have investigated the theoret-ical importance of nerve management in the unique hackingdecision-making offender context. We contribute to the cur-rent state of cybercrime scholarship by providing new theo-retical insights into the complex psychological and motiva-tional reasoning behind hacking illegal activities. In particular,we identified five cognitive and presentational tactics thatblack hat hackers use to shape their nerve management.This has important implications on how the perceptionof threat is managed and provides important insights onwhy hacking, as one type of the crime, is differentlyapproached and management from emotional and fearperspectives when compared to more traditional crimecontexts (e.g., street crime). These insights provide valuableinsights to different stakeholders (e.g., legal and justice sys-tem) which should benefit from our findings as it suggestshow fear, and consequently nerve, is managed in the uniquehacking context.

5 Conclusion

Our study investigated how black hat hackers managetheir nerves when conducting crime activities. We iden-tified five techniques they use: shunting, minimization,Plan B, thrill, and lens widening techniques. Each ofthese techniques helps hackers to better manage theirnerves and consequently, learn how live with their fear.During their psychological decision-making processes,hackers turn to these five techniques to create a newmindset. It allows them to hide with the objective of minimiz-ing and mitigating the inherent risks they incur during theircriminal activities.

Inf Syst Front

Appendix 1: Interview Guideline

Introduction

The interview will not take more than 1 h. I will be recordingthe session because I don’t want to miss any of yourcomments. All comments and responses will be keptstrictly confidential which means that your responseswill be shared only with research team members andwill ensure that any information from the report doesnot identify you as the respondent. Do you have any questionsat this stage?

Introductory questions

1. Can you tell us your name (hacker nickname), gender andage?

2. Can you briefly describe who you are and when youstarted to hack?

3. Can you confirm which type of hacker you are and whatdoes that mean to you?

About Hacking

4. Can you provide more information your hacking debutsand how did you learn?

5. What motivates you to hack? What attracted you to blackhat hacking?

6. Is what you do illegal?7. What is the scope of your hacking activities? On which

online sites (e.g., forums) you are active?

Hacking vs Fear

8. What is your perception regarding risks behind hackingactivities? Please explain.

9. How do you see the criminal side related to your activi-ties? Please explain.

10. Do you worry about being apprehended? Please explain.11. Do you have any backup plans? Please explain.12. Do you have any bad feelings when hacking? Please

explain.13. How do you manage your fear? Please explain.

Outlook / Interview Closing

14. What are the challenges in doing the hacking job? Pleaseexplain.

15. How do you see your future in hacking? Please explain.

Interview closing

a) Would you like to add anything else?b) If not, I will analyze all information provided together

with other interviews in the following weeks and wouldbe happy to send you a copy to review if you are interest-ed. Thank you very much for your time!

General probes used during the Interview

& Would you give me an example?& Can you elaborate on that idea?& Would you explain that further?& I’m not sure I understand what you’re saying.& Is there anything else?

References

Agnew, R. (1992). Foundation for a general strain theory of crime anddelinquency. Criminology, 30(1), 47–88.

Agnew, R. (1999). A general strain theory of community differences incrime rates. Journal of Research in Crime and Deliquency, 36(2),123–155.

Anderson, E. (2000). Code of the street: Decency, violence, and the morallife of the inner city. New York, NY: WW Norton & Company.

Bandura, A., & Walters, R. H. (1977). Social learning theory. New York,NY: General Learning Press.

Baron, S. W. (2004). General strain, street youth and crime: A test ofAgnew's revised theory. Criminology, 42(2), 457–484.

Barriga, A. Q., & Gibbs, J. C. (1996). Measuring cognitive distortionin antisocial youth: Development and preliminary validation ofthe “how I think” questionnaire. Aggressive Behavior, 22(5),333–343.

Beccaria, C. (2009). On crimes and punishments and other writings.Toronto Buffalo, London: University of Toronto Press.

Benjamin, V., Li, W., Holt, T., & Chen, H. (2015). Exploring threats andvulnerabilities in hacker web: Forums, IRC and carding shops.Paper presented at the 2015 IEEE international conference on intel-ligence and security informatics (ISI), Baltimore, MD, USA.

Benjamin, V., Zhang, B., Nunamaker, J. F., Jr., & Chen, H. (2016).Examining hacker participation length in cybercriminal internet-relay-chat communities. Journal of Management InformationSystems, 33(2), 482–510.

Benjamin, V., Valacich, J., & Chen, H. (2019). DICE-e: A framework forconducting darknet identification, collection, evaluation with ethics.MIS Quarterly, 43(1), 1–22.

Blackburn, R. (1993). The psychology of criminal conduct: Theory, re-search and practice. Oxford, England: John Wiley & Sons.

Chandler, A. (1996). The changing definition and image of hackers inpopular discourse. International Journal of the Sociology of Law,24(2), 229–251.

Charmaz, K. (1990). ‘Discovering’chronic illness: Using grounded theo-ry. Social Science & Medicine, 30(11), 1161–1172.

Cherbonneau, M., & Copes, H. (2006). ‘Drive it like you stole it’: Autotheft and the illusion of normalcy. British Journal of Criminology,46(2), 193–211.

Inf Syst Front

Cisco. (2018). 2018 Annual Cybersecurity Report. Retrieved from https://www.cisco.com/c/en/us/products/security/security-reports.html.Accessed 13 Jan 2018

Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends:A routine activity approach. American Sociological Review, 44(4),588–608.

Corbin, J., & Strauss, A. (2008). Basics of qualitative research:Techniques and procedures for developing grounded theory. InLondon: Thousand oaks. CA: Sage.

Cornish, D. B., Clarke, R. V., & Wortley, R. (2008). The rational choiceperspective (Vol. 21). Cullompton, UK: Willan Publishing.

Crooks, D. L. (2001). The importance of symbolic interaction in ground-ed theory research on women's health. Health Care for WomenInternational, 22(1–2), 11–27.

Cross, T. (2006). Academic freedom and the hacker ethic.Communications of the ACM, 49(6), 37–40.

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., &Baskerville, R. (2013). Future directions for behavioral informationsecurity research. Computers & Security, 32, 90–101.

Cusson, M. (1993). Situational deterrence: Fear during the criminal event.Crime Prevention Studies, 1, 55–68.

D’Arcy, J., & Lowry, P. B. (2019). Cognitive-affective drivers of em-ployees’ daily compliance with information security policies: Amultilevel, longitudinal study. Information Systems Journal, 29(1),43–69.

Davis, R. W., & Hutchison, S. C. (1997). Computer crime in Canada: Anintroduction to technological crime and related legal issues.Canada: Carswell Legal Publications.

Deci, E. L., & Ryan, R. M. (2010). Self determination theory CorsiniEncyclopedia of Psychology. Online: Wiley Online Library.

EY. (2018). 21st EY Global Information Security Survey. Retrieved fromhttps://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf

Ferraro, K. F., & Grange, R. L. (1987). The measurement of fear of crime.Sociological Inquiry, 57(1), 70–97.

Gibbs, J. P. (1975). Crime, punishment, and deterrence. New York, NY:Elsevier New York.

Gottfredson, M. R., & Hirschi, T. (1990). A General Theory of Crime:Stanford University press.

Groff, E. R. (2008). Adding the temporal and spatial aspects of routineactivities: A further test of routine activity theory. Security Journal,21(1–2), 95–116.

Hochstetler, A. (2001). Opportunities and decisions: Interactional dynam-ics in robbery and burglary groups. Criminology, 39(3), 737–764.

Hochstetler, A. (2002). Sprees and runs: Opportunity construction andcriminal episodes. Deviant Behavior, 23(1), 45–73.

Holt, T. J. (2009). The attack dynamics of political and religiously moti-vated hackers. NewYork: Paper presented at the CyberInfrastructure Protection.

Holt, T. J., & Bossler, A. M. (2014). An assessment of the current state ofcybercrime scholarship. Deviant Behavior, 35(1), 20–40.

Holt, T. J., Strumsky, D., Smirnova, O., & Kilger, M. (2012). Examiningthe social networks of malware writers and hackers. InternationalJournal of Cyber Criminology, 6(1), 891–903.

Hu, Q., Zhang, C., & Xu, Z. (2011). How can you tell a hacker from ageek? Ask whether he spends more time on computer games thansports. Blacksburg, Virginia: Paper presented at the DeWaldInformation Security Research Workshop.

Jacobs, B. A., & Cherbonneau, M. (2017). Nerve management and crimeaccomplishment. Journal of Research in Crime and Delinquency,54(5), 617–638.

Kallman, E. A., & Grillo, J. P. (1998). Ethical decision making andinformation technology: An introduction with cases. Collingdale:DIANE Publishing Company.

Katz, J. (1988). Seductions of crime: Moral and sensual attractions indoing evil. New York, NY: Basic Books.

Kshetri, N. (2006). The simple economics of cybercrimes. IEEE Securityand Privacy, 4(1), 33–39.

Leeson, P. T., & Coyne, C. J. (2005). The economics of computerhacking. JL Econ. & Pol'y, 1, 511.

Levy, S. (2001). Hackers: Heroes of the computer revolution (Vol. 4).New York, NY: Penguin Books New York.

Lichstein, H. (1963). Telephone Hackers Active. The Tech, 43(20), 20.Lowry, P. B., Zhang, J., Wang, C., & Siponen, M. (2016). Why do adults

engage in cyberbullying on social media? An integration of onlinedisinhibition and deindividuation effects with the social structureand social learning (SSSL) model. Information Systems Research,27(4), 962–986.

Lowry, P. B., Dinev, T., & Willison, R. (2017). Why security and privacyresearch lies at the Centre of the information systems (IS) artefact:Proposing a bold research agenda. European Journal of InformationSystems, 26(6), 546–563.

Mahmood, M. A., Siponen, M., Straub, D., Rao, H. R., & Raghu, T.(2010). Moving toward black hat research in information systemssecurity: An editorial introduction to the special issue. MISQuarterly, 34(3), 431–433.

Parks, R., Xu, H., Chu, C.-H., & Lowry, P. B. (2017). Examining theintended and unintended consequences of organisational privacysafeguards enactment in healthcare. European Journal ofInformation Systems, 26(1), 37–65.

Patchin, J. W., & Hinduja, S. (2011). Traditional and nontraditional bul-lying among youth: A test of general strain theory. Youth & Society,43(2), 727–751.

Phukan, S. (2002). IT ethics in the internet age: New dimensions. Paperpresented at the proceedings of informing. Cork, Ireland: Science &IT Education Conference.

Probasco, J. R., & Davis, W. L. (1995). A human capital perspective oncriminal careers. Journal of Applied Business Research, 11(3), 58.

Reyns, B. W. (2013). Online routines and identity theft victimization:Further expanding routine activity theory beyond direct-contact of-fenses. Journal of Research in Crime and Delinquency, 50(2), 216–238.

Rogers, M. K. (2006). A two-dimensional circumplex approach to thedevelopment of a hacker taxonomy. Digital Investigation, 3(2), 97–102.

Schell, B. H., & Dodge, J. L. (2002). The hacking of America: Who'sdoing it, why, and how. Westport, CT, USA: Greenwood PublishingGroup Inc..

Schell, B. H., & Holt, T. J. (2009). A profile of the demographics, psy-chological predispositions, and social/behavioral patterns of com-puter hacker insiders and outsiders Online consumer protection:Theories of human relativism (pp. 190–213). Online: IGI Global.

Shin, J., & Milkman, K. L. (2016). How backup plans can harm goalpursuit: The unexpected downside of being prepared for failure.Organizational Behavior and Human Decision Processes, 135, 1–9.

Skinner, B. F. (1972). Beyond freedom and dignity. New York: BantamBooks.

Smith, A. D., & Rupp, W. T. (2002). Issues in cybersecurity; understand-ing the potential risks associated with hackers/crackers. InformationManagement & Computer Security, 10(4), 178–183.

Strauss, A., & Corbin, J. (1994). Grounded theory methodology.Handbook of Qualitative Research, 17, 273–285.

Sykes, G. M., & Matza, D. (1957). Techniques of neutralization: A theoryof delinquency. American Sociological Review, 22(6), 664–670.

Teske, N. (1997). Beyond altruism: Identity-construction as moral motivein political explanation. Political Psychology, 18(1), 71–91.

The-Honeynet-Project. (2004). Know your enemy: Learning about secu-rity threats. Boston, Massachusetts: Addison-Wesley Professional.

Inf Syst Front

Topalli, V., & Wright, R. (2013). Affect and the dynamic foreground ofpredatory street crime Affect and cognition in criminal decisionmaking (Vol. 42). New York, NY.

Turgeman-Goldschmidt, O. (2005). Hackers' accounts: Hacking as a so-cial entertainment. Social Science Computer Review, 23(1), 8–23.

Turgeman-Goldschmidt, O. (2008). Meanings that hackers assign to theirbeing a hacker. International Journal of Cyber Criminology, 2(2),382.

Urquhart, C., Lehmann, H., & Myers, M. D. (2010). Putting the‘theory’back into grounded theory: Guidelines for grounded theorystudies in information systems. Information Systems Journal, 20(4),357–381.

Vaughan-Nichols, S. J. (2018). Your website is under constant attack.Retrieved from https://www.zdnet.com/article/your-website-is-under-constant-attack/. Accessed 13 Jan 2019

Wall, J. D., Lowry, P. B., & Barlow, J. (2016). Organizational violationsof externally governed privacy and security rules: Explaining andpredicting selective violations under conditions of strain and excess.Journal of the Association for Information Systems, 17(1), 39–76.

Warr, M. (2000). Fear of crime in the United States: Avenues for researchand policy. Criminal Justice, 4(4), 451–489.

Wikström, P.-O. H. (2004). Crime as alternative: Towards a cross-levelsituational action theory of crime causation. Beyond Empiricism:Institutions and Intentions in the Study of Crime, 13, 1–37.

Wikström, P.-O. H. (2006). Individuals, settings, and acts of crime:Situational mechanisms and the explanation of crime. New York:Cambridge University Press.

Willison, R., & Lowry, P. B. (2018). Disentangling the motivations fororganizational insider computer abuse through the rational choiceand life course perspectives. The DATA BASE for Advances inInformation Systems, 49(April), 81–102.

Willison, R., Lowry, P. B., & Paternoster, R. (2018). A tale of two deter-rents: Considering the role of absolute and restrictive deterrence ininspiring new directions in behavioral and organizational security.Journal of the Association for Information Systems, 19(12), 1187–1216.

Wilson, J. Q. (2003). Broken windows: The police and neighborhoodsafety James Q. Wilson and George L. Kelling CriminologicalPerspectives: Essential Readings (Vol. 400, pp. 29038). London:SAGE.

Yar, M. (2005). Computer hacking: Just another case of juvenile delin-quency? The Howard Journal of Crime and Justice, 44(4), 387–399.

Young, R., Zhang, L., & Prybutok, V. R. (2007). Hacking into the mindsof hackers. Information Systems Management, 24(4), 281–287.

Publisher’s Note Springer Nature remains neutral with regard to juris-dictional claims in published maps and institutional affiliations.

Mario Silic is a post-doctoral researcher at the Institute of InformationManagement, University of St. Gallen, Switzerland. He holds a Ph.D.from University of St Gallen, Switzerland. His research motivation fo-cuses on the fields of information security, open source software, human-computer interaction and mobile. He has published research in Journal ofManagement Information Systems, Security Journal, Information &Management, Computers & Security, Computers in Human Behavior,and others.

Paul Benjamin Lowry is the Suzanne Parker Thornhill Chair Professorand Eminent Scholar in Business Information Technology at the PamplinCollege of Business at Virginia Tech. He is a former tenured FullProfessor at both City University of Hong Kong and The University ofHong Kong. He received his Ph.D. in Management Information Systemsfrom the University of Arizona and an MBA from the Marriott School ofManagement. He has published 220+ publications, including 120+ jour-nal articles in MIS Quarterly, Information Systems Research, J. of MIS, J.of the AIS, Information System J., European J. of Information Systems, J.of Strategic IS, J. of IT, Decision Sciences J., Information &Management, Decision Support Systems, and others. He is a departmenteditor at Decision Sciences J. He also is an SE at J. of MIS, J. of the AIS,and Information System J., and an AE at the European J. of InformationSystems. He has also served multiple times as track co-chair at ICIS,ECIS, and PACIS. His research interests include (1) organizational andbehavioral security and privacy; (2) online deviance, online harassment,and computer ethics; (3) HCI, social media, and gamification; and (4)business analytics, decision sciences, innovation, and supply chains.

Inf Syst Front

Reproduced with permission of copyright owner. Further reproductionprohibited without permission.