 

 Why Regulation Cannot Prevent Cybercrime

 

    
by Chris Mark

    Data security and privacy regulation have increased significantly over the past 10 years. The U.S. now has 46 state breach notification laws and there have been numerous bills introduced in Congress that propose to regulate personally identifiable information and to dictate security of such data. In spite of this increasing regulation, data breaches continue to plague the industry. Some have proposed that more regulation is the answer. Unfortunately, regulation alone is inadequate to prevent data theft and protect data.
   At their core, data theft and network intrusions are crimes. At the risk of oversimplifying the work of criminologists, crime prevention can be summarized as using deterrents to effect protection of assets and prevention of theft. Protection applies to the ‘hardening’ of targets by implementing controls that increase the level of difficulty of perpetrating a crime. A vault is a good example of a protective measure. While no vault is completely impenetrable, vaults do provide significant protective value. Data security controls are protective measures. They are designed solely to limit attempts to obtain the target of value. Without a deterrence effect, criminals are free to attack companies at will without fear of retribution. This article will explore the value of deterrence in the prevention of crime.
   To understand the value and limitations of regulation in preventing crime, it is important to have a working definition and basic understanding of the concept of deterrence. Deterrence has application in military and criminal areas and, as any parent can attest, has some value in dissuading children from doing things they should not. Deterrence, at its most basic level, can be defined as: “the prevention of actions through the fear of retribution.” Deterrence theory rests on the premise that humans are, by nature, rational. It is this rationality that causes people to avoid actions that will result in retribution.
   The Rational Actor Theory posits that humans are rational and will take actions that are in their own best interests. Each decision a person makes is based upon an internal cost/benefit analysis. By altering the cost-to-benefit ratios, behavior can be changed accordingly. When put into the context of the definition provided above, deterring a data thief from attempting to steal data rests on elevating the “…fear of retribution...” to a point where it is no longer a rational choice to steal data from a company. While the concept is simple in theory, it can be somewhat more complex in practice.
   The saying, “the punishment should fit the crime” is an application of the theory of deterrence when used in crime prevention. If a person is faced with a $100 fine for robbing a bank, a thief may decide that the risk of paying $100 for an act that will, on average, yield $3,000 is a risk worth accepting and they will attempt to rob a bank. If, on the other hand, a person is faced with 15 years in federal prison, the cost/benefit analysis changes and therefore behavior changes and the person does not rob the bank. While it works perfectly in theory, rationality has some potential pitfalls that will be covered briefly.
   To change the cost/benefit analysis it is critical to understand what it is that a particular person values. In general, it is possible to understand most people’s calculus of value, but it is not always accurate. Take the bank robbing example used previously. If a bank robber values the comfort of prison, then the threat of 15 years in prison would not change the cost/benefit analysis for that particular person. As it is impossible to know with absolute accuracy a particular person’s values, crime cannot be prevented, only mitigated.
   Criminal justice proposes two broad types of deterrence: general deterrence and specific deterrence. Both types of deterrence have application for preventing data theft. General deterrence is proactive and attempts to target potential crimes before they are committed. Examples of general deterrence may include “no trespassing” signs warning that trespassing is a crime and stating the particular law and penalty. Other forms of general deterrence include video cameras and armed guards in public view. The hope and belief is that the mere threat of retribution would be enough to dissuade a potential criminal from perpetrating a crime. If general deterrence were entirely effective, bank robberies would be non-existent. Instead, in the U.S. alone, there are more than 10,000 bank robberies every year. Clearly, general deterrence has its limitations. Specific deterrence, on the other hand, is reactive and is focused upon punishing those that perpetrate crimes to set an example for others contemplating criminal acts.
   Specific deterrence is based upon the three principles of certainty, celerity and severity. Certainty applies to the likelihood of the threat (whether arrest, punishment or retribution) being carried out. Studies suggest that a certain, consistent level of certainty must be achieved to produce desired consequences of changing behavior. In short, if a law is all bark and no bite, the threat of a bite will have no impact on the cost/benefit analysis required to change criminal behavior. The greater the likelihood of punishment for committing a crime, the greater the deterrence effect on the criminal. Celerity applies to the promptness of the threat being carried out. If there is the threat of immediate action as opposed to the threat of action at some point in the distant future, the deterrent will have greater effect. Finally, the severity of punishment is critical to any deterrent. As stated previously, the “punishment must fit the crime.” The increase in severity has a correlation to the effectiveness of the deterrent. In short, the greater the severity of the punishment, the less likely the prospective criminal is to perpetrate the act. An easy way to show the correlation is through the traditional model of risk analysis.
   Understanding risk and risk analysis allows people to make informed decisions about potential actions. Risk is commonly described as the probability or likelihood of a known loss. Risk can be quantified or qualified. For our purposes, we will use a basic model to quantify risk simply to demonstrate the value of deterrence. Risk is a function of the following:

    The likelihood of an Event occurring and the resulting Impact should the event occur.   

For the purposes of this article, the Event is the deterrent. The likelihood applies to the certainty described earlier while the Impact applies to the severity of the act. Overarching each of these is the concept of celerity. In short, regardless of the probability and impact, if the threat cannot be realized immediately, there is little deterrence. A simple method of quantifying risk is to multiply the likelihood of an event occurring in a given time frame (expressed as a probability) by the expected impact should the event be realized.  The calculation can thus be expressed as:

(% of Event A occurring) X ($ Impact should Event A be realized) = Annualized Loss Expectancy (ALE)

    The following will demonstrate the use of this model to quantify a given risk. First, assume there is a 5% probability that an event will occur in a given year and the estimated damage will be $10,000. In this scenario the Annualized Loss Expectancy (ALE) is calculated at $500 per year (5% x $10,000). In a perfect world, actuarial and other information would be available to allow people to evaluate risk with a great degree of accuracy. While the risk model described above quantifies risk, it is presented as an easy way to understand the correlation between the concepts of certainty and severity as they apply to deterrence. For our purposes the model will be changed to the following:

(% of Event A occurring) X (Impact should event A be Realized) = Calculated Deterrence Expectancy (CDE)

    While we cannot quantify exact probabilities, we can provide a range of probabilities and impact using the following rankings:

    High - 3
    Medium - 2
    Low - 1


    These can be placed into a risk matrix that allows for a quick, yet accurate, analysis of the relative risk.

chart 1


    If the impact is high (3) and the probability is high (3), the CDE is calculated as high (3 x 3) and is demonstrated by having a greater product of the two components.
Risk tolerance describes the threshold of risk that a person is willing to tolerate given the potential ‘payoff’ if the act is successful.

chart b

    In general, if there is a high potential payoff and there is a high likelihood of an event occurring but there is little impact, the willingness to tolerate the event is high. Similarly, if there is a high potential payoff and a low likelihood of an event occurring, yet a greater impact, the willingness to tolerate the impact is also high. If the likelihood increases relative to the impact or the impact increases relative to the probability, the tolerance decreases. The tolerance to risk increases with the potential payoff. The old adage: “high risk, high reward” is very relevant when considering deterrence.
    The current state of data security relies upon little more than protective measures and general deterrence. There is little risk for a criminal who embarks on the theft of data as the probability of being caught is minimal and the penalties do not adequately fit the crime. For this reason, in spite of the increasingly stringent regulations and compliance mandates, we can expect to see criminals continue to target the payment card industry and will see continued data breaches.