Cyber Threat Actor Cultural and Psychological Factors: Part 3
Acknowledgement: I would like to express my thanks and gratitude to the Hofstede Insights Group and Philip Lafeber in particular, for the willingness to spend countless hours helping improve my understanding of the cultural dimensions theory. Without this collaboration I would not have been able to reasonably attempt correlation with basic cyberattack data.
In Cultural Diversity and Universal Ethics in a Global World (2013), Mele´ and Sa´nchez-Runde stated, “differences in race, sex, language, ethnicity, values systems, religion, and local practices are important aspects of the business environment in both domestic and international business.” This is a mirror reflection of the seminal work begun four decades earlier by Dutch social psychologist Professor Geert Hofstede whose mid-1970s studies analyzed how values in the workplace are influenced by culture.
National Culture Dimensions
Prof. Hofstede’s original work was derived through factor analysis of a worldwide survey of IBM employee values as expressed from 1967 to 1973. Since then it has been refined by Hofstede and others such as Gert-Jan Hofstede and Michael Minkov.
This theory outlines six dimensions of national culture including the power distance index, individualism versus collectivism, masculinity versus femininity, the uncertainty avoidance index, long term orientation versus short term normative orientation, and indulgence versus restraint. Together these are “the collective programming of the mind distinguishing the members of one group or category of people from others”, said Prof. Hofstede. Together these are referred to as national culture.
For law enforcement and cyber threat investigators the question is what, if anything, can be applied to assist with offender profiling or prosecution? It’s at this point where I will reiterate that the information included herein is for consideration and not prescriptive. Correlations will be proposed but the information presented is simply additional factors to be considered; the information is not being positioned as the silver bullet since cyberattack attribution is a complex process. Indeed, given an attacker’s typical behavior of masking their location the attack source data must be viewed with a degree of caution. Regardless, as noted, we are focused on considering the usefulness of national culture dimensions so for those entities that have strong confidence and high-fidelity data then the process of correlation may prove valuable.
As you read the information please also consider that for each dimension there are characteristics that are attributable to high and low dimension scores. At the same time, there are different characteristics of the various types of cybercrime. For example, probing honeypot attacks represents a different skill-set and motivation than a distributed denial of service (DDoS) attack.
The following chart shows the national culture scores per dimension (bars) for each of the countries that were identified in one or more of the industry attack source data from a respective vendor’s published report with the percentage of attacks attributed by the vendor for the attack type overlaid (lines and dots).
Power Distance Index (PDI) This dimension expresses the degree to which the less powerful members of a society accept and expect that power is distributed unequally. The fundamental issue here is how a society handles inequalities among people.
People in societies exhibiting a high degree of Power Distance accept a hierarchical order in which everybody has a place and accordingly a person should know their place. A person is responsible to learn from their superiors and a junior person would not challenge their superiors.
High Scores: Russia, Ukraine, China and Mexico.
In societies with low Power Distance, people strive to equalize the distribution of power and demand justification for inequalities of power. As such, a person will have a desire to obtain power and their behavior may be linked to the equalization of power.
Low Scores: Western European countries, Canada and United States
PDI Proposed Cybercriminal Correlation Russia, Ukraine, and China are countries often attributed to cyberattacks but, as shown, the type of attack varies per country. For example, China has the fourth highest score above but has the highest percentage of honeypot attacks. Does this indicate the Chinese criminal hackers are more interested in probing vulnerabilities that can be exploited by nation state advanced persistent threat (APT) than in causing disruptions? Past attacks would seem to support this, so the correlation seems to reasonably fit.
With that in mind, if you’re investigating a DDoS attack and the command and control evidence is pointing towards either Russia or Netherlands, where would you focus your investigation efforts?
Individualism versus Collectivism (IDV) The high side of this dimension, called Individualism, can be defined as a preference for a loosely-knit social framework in which individuals are expected to take care of only themselves and their immediate families.
High Scores: United States, United Kingdom, Canada and Netherlands
Its opposite, Collectivism, represents a preference for a tightly-knit framework in society in which individuals can expect their relatives or members of an ingroup to look after them in exchange for unquestioning loyalty. A society’s position on this dimension is reflected in whether people’s self-image is defined in terms of “I” or “we.”
Low Scores: Ecuador, China, Vietnam, Egypt and Russia
IDV Proposed Cybercriminal Correlation In countries with a high IDV score cybercriminal activity may be linked to self-centered survival (e.g. financially-motivated cybercriminals) whereas countries with low IDV scores loyalty may drive higher acceptance and participation at the national level (e.g. nation state actors). For example, China has a collectivist culture and targeting the United States to further the nation (or company) interests would be the norm. Hence, it’s highly improbable that China attackers would target China companies, however, it would not be unusual for an attacker in the United States to target a victim in the same country.
Masculinity versus Femininity (MAS) The Masculinity side of this dimension represents a preference in society for achievement, heroism, assertiveness, and material rewards for success. Society at large is more competitive.
High Scores: Japan, Austria, China, Germany, United States, and United Kingdom
Its opposite, Femininity, stands for a preference for cooperation, modesty, caring for the weak and quality of life. Society at large is more consensus-oriented.
Low Scores: Netherlands, Ukraine, Finland and Russia
MAS Proposed Cybercriminal Correlation Countries with a high MAS may lead members of its society to feel pressure to perform. If we look at the hacking sub-culture —black, white or gray— where having ‘cred’ is very important. Achieving some degree of notoriety often leads to the offender leaving their mark, which is a masculine trait. If we look at the Anonymous collective hacking group they position their activity as Robin Hood-like and designed to serve a greater societal goal (e.g. take downs of terrorism-related sites). It’s not unusual for the group to take credit for its activity but behind the group are individuals who are sympathetic to the cause(s). As a result, individual offenders of these ‘good for society’ attacks may likely come from low MAS countries.
Uncertainty Avoidance Index (UAI) The Uncertainty Avoidance dimension expresses the degree to which the members of a society feel uncomfortable with uncertainty and ambiguity. The fundamental issue here is how a society deals with the fact that the future can never be known: should we try to control the future or just let it happen?
Countries exhibiting strong UAI maintain rigid codes of belief and behavior and are intolerant of unorthodox behavior and ideas.
High Scores: Russia, Ukraine, Japan, France, Turkey and Mexico
Weak UAI societies maintain a more relaxed attitude in which practice counts more than principles.
Low Scores: China, Vietnam, United Kingdom and United States
UAI Proposed Cybercriminal Correlation High UAI scores may indicate that the pressure of rigid codes of conduct lead to a lower likelihood of cybercriminal behavior since it would be unusual to journey into the unknown of cybercriminal activity. In turn, low UAI scores may lead to more hacking since the ability to be successful would be viewed positive and the criminal element would be overlooked/forgiven.
If we again look at historical cyberattack events and focus on Russia we would find evidence of plenty of attacks, which is not a high UAI trait. This tells that each dimension rarely can be taken in isolation.
Knowing this, the Hofstede Institute has created clusters, which we will explore in closing shortly.
Long Term Orientation versus Short Term Normative Orientation (LTO) Every society maintains links with its own past while dealing with the challenges of the present and the future. Societies prioritize these two existential goals differently. In the business context, this dimension is referred to as short-term versus long-term.
Those with a culture which scores high take a more pragmatic approach: they encourage thrift and efforts in modern education to prepare for the future.
High Scores: Japan, China, Germany and Russia
Societies who score low on this dimension prefer to maintain time-honored traditions and norms while viewing societal change with suspicion.
Low Scores: Egypt, United States and Canada
LTO Proposed Cybercriminal Correlation High LTO scores may lead to less hacking as the culture is more pragmatic and a low LTO may lead to more hacking due to near-term, short-sighted satisfaction. However, we must take into consideration the type of attack. For example, while a phishing attack to collect banking credentials may lead to short-term benefits by selling the credentials (offender in a low LTO country) a nation state with a long-term view of the benefit of APT-like behaviors would be expected. Hence, a high or low LTO score may be useful when considering the type of attack.
Indulgence versus Restraint (IND) Indulgence stands for a society that allows relatively free gratification of basic and natural human drives related to enjoying life and having fun.
High Scores: Mexico, United Kingdom, Canada and United States
Restraint stands for a society that suppresses gratification of needs and regulates it by means of strict social norms.
Low Scores: Egypt, Ukraine, Russia and China
IND Proposed Cybercriminal Correlation Indulgence reflects a lack of self-control and a desire for short-term gratification. Offenders from high IND score therefore would be less likely to invest the time and patience required to develop advanced skills but would be more inclined to learn basic skills through a YouTube video to perpetrate a simple attack.
Conversely, the ability to execute a complex attack requires patience and skills; skills that often take years to develop so low IND countries may produce people with the requisite technical skills to carry out complex attacks.
National Culture Clusters Just like the whole of who you are can’t be surmised from one single characteristic no single dimension is adequate to give a clear vision of a nation’s overall culture. Clusters are a way of evaluating the scores across different dimensions to better get a feel for the whole of a nation. The Clusters (or mental images) were developed by Huib Wursten as a form of refinement of Prof. Hofstede's work.
Contest Cluster Characterized by competition and freedom; the people motivated by achieving measurable targets; peer and public recognition is encouraged. These countries do not focus on the details but maintain a high-level view.
Network Cluster This cluster is very similar to the Contest Cluster with the one exception of femininity, which results in cooperation, consensus and good, friendly relations. Members of these cultures are motivated by cooperation/contribution and recognition.
Family Cluster Members of this cluster are obliged to their employer and its leader; they seek change and harmony; no other cluster is better able to tackle highly complicated tasks. Being in the same societal group would indicate that criminal hackers in this cluster rarely work alone and rarely without a clear belief that the activity will make their leaders happy.
Pyramid Cluster This cluster is characterized by the need for a clear structure both in society and the work being performed. There is little focus on the cybercriminal’s individual contributions in terms of personal accomplishments; the reputation and success of the larger organization are what matter most.
Solar System Cluster In this cluster there’s a clear and unmistakable hierarchy, however, member of these cultures don’t necessarily feel compelled to be loyal to the structure. Alliances to professional or academic groups are more important than company ones. That said, leaders are respected —at least until they begin to micro-manage, which is highly demotivating to these highly individualistic workers.
(Well-Oiled) Machine Cluster Predictability is critical in this cluster as well as structure, however, the structure is to be understood and not imposed. Leaders in these cluster countries must be experts whose role is to step in when needed, and not before.
As you have read, national culture dimensions and clusters provide a unique perspective of a country, which may prove useful during cybercriminal offender profiling, cybercrime investigations and/or prosecution support. As with all the cultural and psychological factors being discussed, it’s prudent that any organization using these enlist a subject matter expert to ensure the proper use and applicability for the given use case.