TY - JOUR
TI - Cybercrimes against the electricity infrastructure
DO - https://doi.org/doi:10.7282/T33R0RVX
PY - 2012
AB - The US electricity infrastructure uses Industrial Control Systems (ICS) to oversee its operations. These systems are connected online for better efficiency, making them susceptible to cyberattacks. Current research has extensively addressed ICS vulnerabilities that can be exploited by cybercriminals. Vulnerabilities, however, are only one of the many factors influencing offender decision-making in cyberattacks. Furthermore, numerous conceptions of threats, vulnerabilities, and consequences exist, which further complicate ICS security assessments. This exploratory study therefore has two main goals. First, it seeks to compare industry and hacker perceptions on electricity ICS threats, vulnerabilities, and consequences. Second, it seeks to identify a broader set of factors that influence offender decision-making in ICS cyberattacks. Routine activity and rational choice theories guided this study. Nine preliminary offender decision-making factors were organized to create the PARE RISKS framework: Prevention Measures; Attacks and Alliances; Result; Ease of Access; Response and Recovery; Interconnectedness and Interdependencies; Security Testing, Assessments, and Audits; Knowledge, Skills, Research and Development; and System Weaknesses. A total of 323 participants from both industry and (ethical) hacking communities completed PARE RISKS surveys, which were analyzed using non-parametric statistical tests and exploratory factor analysis. Seven interviews were conducted and subjected to a thematic analysis to supplement survey findings. The hypotheses that guided this research were all confirmed. It was found that hackers and industry experts differed in their perceptions of threats, consequences, system vulnerabilities and prevention measures. Hackers were more likely than industry respondents to believe that cybercriminals accessed hacking forums, exploited internet and email access, and exploited poor password practices. Industry respondents were more likely than hackers to believe that the desired outcomes of cyberattacks included information corruption, inaccurate information processing, and denial/disruption of service. The PARE RISKS framework was also found to be useful in identifying factors in the pre-attack and attack-in-progress environments that influenced offender decision-making. Hackers and industry respondents believed that cybercriminals engaged in extensive research to select targets; used an assortment of techniques; operated in anonymous, compartmentalized groups; required adequate skills, money, and time; and employed cost-benefit analysis and strategic attack plans both before and during attacks.
KW - Criminal Justice
KW - Electric industries--Equipment and supplies
KW - Hacktivism--United States
KW - Cyberterrorism--United States
LA - eng
ER -