Clark and Davis’s theory provides a good framework
evaluating the forces in play in securing assets against threats. Here is their
formula in mathematical notation:
Mb + Pb > Ocp +
OcmPaPc
The Criminal Benefit –
Mb +
Pb
The benefit a person expects to receive from committing a
crime is the sum of the expected monetary benefit (Mb) and the
expected psychological benefit (Pb). Thus a person will commit a
crime if the combination of the two factors yields a value greater than their
expected cost of committing the crime. As we’ll demonstrate later, the vast
majority of cyber crimes are financially motivated. However, while relatively
few, some cyber crimes are psychologically driven.
The Criminal Cost – Ocp + OcmPaPc
The expected total cost of committing a crime is the sum
of the cost of actually committing the crime (Ocp) and the cost of
legal defense and incarceration (Ocm) factored by the likelihood
that the perpetrator will be hauled in to court (Pa) and the likelihood
that he will be incarcerated at all in convicted (Pc).
In September 2008 a member of an organized crime group
going by the name of Erick Volonski took a job at an Arco gas station in
Redondo Beach, CA. Shortly after beginning his employment he planted a card
skimmer on the point of sale system. Eight months later Erick disappeared and
he and his accomplices began draining money through ATMs from the accounts of
thousands of Arco customers. [1]
This is a good example of where the benefit is clearly
greater than the cost and the benefit was all monetary.
·
Monetary Benefit (Mb) – High. Using
the stolen ATM card data, the perpetrators were able to withdraw at least $300
to $500 at least once form over 1000 accounts.
·
Psychological Benefit (Pb) – Low.
There are no indicators that this was a crime of revenge against the station
owners. Further, it is unlikely that the criminal suffered much remorse from
committing the crime given that on his last day at the station he made off with
$1000 in cash, a laptop, and cigarettes along with the data.
·
Cost of Crime Perpetration (Ocp) –
Low. In this case, the criminal was actually paid for perpetrating the crime
through his employment at the gas station. The hardware used to capture card
data is inexpensive and easily obtained.
·
Cost of Legal Defense and Incarceration – Low.
The criminal managed his likelihood of being caught well by using fake ids,
always walking to work, and never revealing person details. He avoided being
photographed except for in one case where he asked the photographer to delete
the photo.
Of course, not all criminal behavior is rational. I'll cover that in another post.
[1] http://www.laweekly.com/2009-06-18/news/russian-or-armenian-mob-used-quot-model-employee-quot-con-at-pch-arco/1