For the past decade we have been hearing and reading about those pesky insider and outsider threats, coupled with the familiar "thou shalt not hire a hacker" theme. In every single instance, the expert behind the statement offers some rationale for it, some magical number, or the impression that the situation is just dire. In my experience, the ones who have gone this route are either selling you the latest in Data Loss Prevention (DLP) software, which of course minimizes the insider threat, or some Intrusion Prevention System (IPS) to halt the outsider threat, or some other tactical methodology or framework handed to HR types so that they can avoid hiring former hackers. In none of these cases has anyone (to my knowledge) actually looked at the statistics surrounding hacking cases.
I recently read "Don't hire a hacker", which offered nothing more than inconsistent ramblings that solve nothing, offer nothing, and only enlighten us to the fact that many individuals are under-clued; in that article, the CEO of a security company offered his two cents with nothing to back it other than his name. I have also read "Why hire a hacker", where the gist of the article was self-contradictory: "While I´ve said there´s no reason why a rehabilitated hacker shouldn´t be employed, it does raise serious concerns - primarily, why did they get caught?" That was equally confusing. Does the statement mean "it's ok to hire rehabilitated black hats, so long as they never got caught..."? And then we have the ultra-bizarre analogies that have nothing to do with anything (these are the most common): "Would you hire a convicted pedophile to work at a day care center? Would you hire Bernie Madoff to manage your investment fund?" In all three articles, not one gave any information on actual hacking-based crimes to support its statements. The gist of those articles: "believe me, I am an expert." No offense to Bruce Schneier on the third article, as he also states: "many hacking convictions were unjust and unfair. And there's also a difference between someone's behavior as a teenager and his behavior later in life. Additionally, there might very well be a difference between someone's behavior before and after a hacking conviction. It all depends on the person. An employer's goal should be to hire moral and ethical people with the skill set required to do the job. And while a hacking conviction is certainly a mark against a person, it isn't always grounds for complete non-consideration." But even that begins with "behavior as a teenager", which is wrong.
So what are the statistics behind hacking, recidivism, and the insider and outsider threats? No one has taken a hard look at them until now. After failing to locate any data containing anything of use, I decided to put together the numbers myself based on publicly available information. Sites I used for this research include justice.gov, cybercrime.gov, justia.com and bloomberg.com, using the boolean search: U.S. District Court Dockets ("18:1030") OR ("computer fraud") OR ("18 U.S.C. 1030") OR ("18 USC 1030") OR ("18 U.S.C. § 1030") OR ("18 USC § 1030")
From 2002 through 2013, a total of 322 cases were found matching that search, and 127 further cases were found without those terms. The final count was 375 total cases used for the data. The gap between the 449 cases discovered and the final 375 cases needs explaining. Cases where someone was not convicted were not included, because of the principle "innocent until proven guilty." There were also cases that had absolutely nothing to do with "hacking" or abuse, yet the charge was still made. For example: "Lori Drew, is charged with violating the Computer Fraud and Abuse Act (CFAA) by using a fictitious name and age on a MySpace account and using that account to make hurtful comments to a teenage girl. Tragically, the girl later took her own life. Federal prosecutors claim Drew broke federal law by violating MySpace's terms of service and that the MySpace communications were responsible for the girl's death." Cases like these were removed, and there were many. It is also important to note that these statistics represent FEDERAL cases only.
In any event, the numbers are as follows: there were 8 total re-offenses (a 2.13% recidivism rate); insiders accounted for 15.466% of cases (and of those, 38% were law enforcement or government employee insiders). Former employees accounted for 8.26%, third-party contractors came in at 4%, and lastly, law enforcement and government abuse totaled 6.4%. The average age of a re-offender was 26.5, and the average re-offense occurred within one year.
Here is the low down, year by year (all ages are averages of convicted individuals in that year's cases; a category is omitted where no case of that type was found):
- 2002: 84% male. Average age of a convicted individual: 35.6. Insider threat (employee): 42.5. Former employee: 36.3. Third-party contractor: 35.
- 2003: 92% male. Average age of a convicted individual: 29.03. Insider threat (employee): 35.5. Former employee: 29.6. Third-party contractor: 31.
- 2004: 93% male. Average age of a convicted individual: 32.4. Insider threat (employee): 31. Former employee: 30.6. Third-party contractor: 34.
- 2005: 90% male. Average age of a convicted individual: 35.6. Insider threat (employee): 34. Former employee: 34.
- 2006: 78.94% male. Average age of a convicted individual: 29.8. Insider threat (employee): 35. Former employee: 38.5. Third-party contractor: 40.
- 2007: 80% male. Average age of a convicted individual: 32.4. Insider threat (employee): 41.5. Former employee: 35.5.
- 2008: 79.4% male. Average age of a convicted individual: 34.2. Insider threat (employee): 41. Former employee: 39.1. Third-party contractor: 41.
- 2009: 78.3% male. Average age of a convicted individual: 31.4. Insider threat (employee): 35.7. Former employee: 26.3. Third-party contractor: 25.
- 2010: 84.6% male. Average age of a convicted individual: 45. Insider threat (employee): 36.
For 2011 through 2013, most statistics are meaningless at this time: some defendants have not yet been convicted, and the data on arrests and their outcomes is not clear. For example, in 2011 there were thirteen arrests associated with Anonymous and PayPal. Some data is available on some of the offenders, other data is not, and most of the thirteen have not been convicted, so their statistics were never used.
The rest of the data is open for analysis and is split into two mind maps. They were rendered using Flash and Docear, so a Flash-enabled browser is needed to view the data.
First Map: http://www.infiltrated.net/recidivism/
Second Map: http://www.infiltrated.net/recidivism/secondMap/
With that out of the way, time for some myth-busting. I initially commented on "hiring a hacker." In no case was a former hacker ever re-convicted of hacking into an employer's computer, so that myth has been debunked. The myth of the hacker being a teen is also debunked, as the average overall age comes to 33.9 years old. I had intended to pull together more data, such as the average cost of the insider and outsider threats; however, that data gets tricky, and in places trivial. For example, in 2002 a Nestle employee exceeded authorized access, causing $5,000.00 worth of damage. In the same year, a Microsoft insider was accused of stealing $9,000,000.00 worth of software. It would not make sense to state "the average cost of an insider's damage was 4.5 million," because it would not be an accurate picture. With that said, the data shows what it shows.
If any student, professor, lawyer, etc., is interested in using the mind map itself, feel free to e-mail me. It was created using Docear, but should work in FreeMind and others.