Skills, knowledge, resources, authority, and motives (SKRAM) is one of the methods security professionals assess potential threats. The following are some controversial arguments I make concerning SKRAMS efficacy.
“Do you think the SKRAM model is useful for understanding human factors and capabilities involved in cybercrimes?”
The analysis of an individual offender’s skills, knowledge, resources, authority, and motives, or SKRAM, I feel has a marginal level of usefulness; however, I would not consider it an exhaustive methodology of analyzing the potential threat an individual or group of individuals pose toward a network. The first inherent flaw of SKRAM would seem to be an over reliance on the traditional school of criminology, which relies on an individual to consider benefits versus rewards in a process of hedonistic calculus (McQuade, 2006, Schmalleger, 2009, ). The exclusion of the other schools of criminological thought really makes SKRAM unsuitable as a tool for sociological or criminological analysis of cause and effect. Take for instance last week’s assignment concerning cyberstalking; to believe that all cyberstalkers are calculating the risks and rewards of their behavior would be a fallacious assumption on our parts as a sadistic serial criminal would also engage in stalking behavior, be it in person or virtually, and would very likely be suffering from psychopathy, sociopathy, oedipal third, or nonattachment with a primary caregiver (Becker, Shoshani, & Shoshani, 2009, Greenall, 2007, Knoll, 2006, Schmalleger, 2009).
Furthermore, SKRAM seems to fail to factor in the element of time. It has been said that a room full of chimpanzees could, if given sufficient time and attempts, provide an entire manuscript of a Shakespearean drama. Realistically, all of our skills, knowledge, resources, and authority are developed out of the single resource which is time itself. The very time spent reading this post is evidence of transforming time into another resource such as knowledge. Now factor in that the tools needed to commit cybercrime are continuously becoming simpler and easier to use and that information on how to perform attacks abounds on the internet, even so far as having instructional videos on sites such as Youtube.com, and you really must change the threat analysis paradigm.
I propose that the actual threat against a system is an equation of time multiplied by determination. Any system will be compromised with enough time and determination, whether via brute force attack, cryptographic analysis, or through socially engineered methods. With that being said, the most reasonable way of preventing becoming the victim of cybercrime would seem to revolve around making oneself an unappealing target. A lion chasing after a herd of gazelles will catch and kill the slowest gazelle; likewise, most cybercriminals if given targets of equal worth but unequal security, they would attack the target with the lowest level of security.
“ What do you think is the most important factor in the SKRAM model?”
As I just mentioned, I do not feel the SKRAM model is in and of itself complete; however, were I to limit myself to the SKRAM model, I would be inclined to indicate that motivation is the most key ingredient when determining whether or not an individual cybercriminal is a threat to system security or not. There are countless individuals who have sufficient skills, knowledge, resources, and authority to commit cybercrimes, yet have no motivation to commit cybercrimes.
Could Kevin Mitnick, likely the most notorious cybercriminal in US history, still be a viable threat to system security? He still possesses the requisite skills, knowledge, resources, and authority; however, without the motivation to commit cybercrime, he is gainfully employed as a security consultant (US Department of Justice, 2000). Were an individual to be missing all but motivation, said motivation could be used as a starting point for accumulating the other factors listed within McQuade (2006).
“Is any of this helpful in investigating and prosecuting cybercrime?”
While it could be helpful in narrowing a list of suspects of a particular incident, SKRAM may not be entirely appropriate when prosecuting cybercrime. I believe this excerpt from my paper on the prosecution of cybercrime is pertinent:
“Consider Steve Wozniak the cofounder of Apple Computers and noted philanthropist; Kevin Mitnick, the once most wanted hacker in the world, is now a prolific writer on computer security, a security consultant, and has even testified before senate hearings on internet security; Kevin Poulson, who hacked the FBI databases and even managed to redirect toll free numbers aimed at providing information to Unsolved Mysteries about him, is now a journalist and has assisted law enforcement in prosecuting over 700 pedophiles and child pornographers on Myspace; or Robert Tapan Morris, creator of the first worm turned tenured professor at MIT (IT Security, 2007). Even the most infamous and notorious of cybercriminals can be made into upstanding citizens by serving relatively short sentences consisting of between a few hundred hours of community service to 4 years in prison.” (Johnson, 2010)
In short, skills, knowledge, resources, and authority can be used for criminal purposes or can be utilized as a weapon against cybercrime, even within the same individual. This leads to my further thoughts on the actual approach to prosecution of certain types of cybercriminals:
“The prosecution of domestic cybercriminals that are motivated by thrill, boredom, curiosity, or other such reasons are best dealt with by plea bargaining. Age plays a large factor in rehabilitation just as it does with general criminality; however, given that most cybercriminals in this category are intelligent and skilled, it is not difficult for them to find lucrative employment as computer security specialists or consultants despite young age, which in turn negates future criminal tendency (Samaha, 2009). Society stands a chance to benefit just as much or more from their expertise as it suffered from it.” (Johnson, 2010).
Essentially, very few people know better how to prevent cybercrime than a cybercriminal, and cybercriminals have shown to be less inclined to resort to cybercrime after incarceration; as such the public and private sectors should continue to recruit individuals who have attained skills, knowledge, resources, and authority through legitimate or nefarious means.
Becker, B., Shoshani, B., & Shoshani, M. (2009). On twisted coalitions and perverse–narcissistic configurations: from positivistic oedipal third to an existential relational third: a case study. Psychoanalytic Psychology, 26(2), Retrieved from http://csaweb112v.csa.com.ezproxy1.apus.edu/ids70/display_fulltext_html.php?SID=fgnj4c4ojndke1h6m13j1bhuo7&db=psycarticles-set-c&an=2009-04869-003&f1=0736-9735%2C26%2C2%2C134%2C2009&key=PAP%2F26%2Fpap_26_2_134&is=0736-9735&jv=26&ji=2&jp=134-157&sp=134&ep=157&year=2009&mon=04&day=0736-9735%2C26%2C2%2C134%2C2009
Greenall, P. V. (2007). Sexual offending and antisocial personality: exploring the link. The British Journal of Forensic Practice, 9(3), Retrieved from http://proquest.umi.com.ezproxy1.apus.edu/pqdlink?Ver=1&Exp=07-14-2015&FMT=7&DID=1370220761&RQT=309 doi: 1370220761
Johnson, I.A. (2010). Prosecuting Cybercrime. Retrieved from http://www.justiceguy.com/?p=92#more-92
Knoll, J. (2006). Serial murder: a forensic psychiatric perspective. Psychiatric Times, Retrieved from http://www.lexisnexis.com.ezproxy1.apus.edu/hottopics/lnacademic/?verb=sr&csi=8406&sr=lni(4JMN-0ND0-TX70-6375)
McQuade, S. C. (2006). Understanding and managing cybercrime. Boston, MA: Pearson Education
Schmalleger, F. (2009). Criminology today:an integrative introduction. Columbus, Ohio: Pearson.
US Department of Justice. (2000, July 18). Kevin mitnick sentenced to nearly four years in prison: computer hacker ordered to pay restitution to victim companies whose systems were compromised. Retrieved from http://www.justice.gov/criminal/cybercrime/mitnick.htm