Program Goals/Components
The presence of a warning banner or surveillance message in an attacked computer system is intended to influence computer system trespassers’ engagement during system-trespassing incidents. System trespassing occurs when a trespasser (also known as a hacker) illegally gains unauthorized access to a computer system by exploiting or defeating security vulnerabilities or security barriers. The goal of the warning banner was to deter trespassers from further engagement with the attacked computer system and to prevent subsequent infiltration.
Access may be illegally gained locally, through physical access, or remotely, by logging into the Internet. Once in the attacked system, trespassers may perform any number of active manipulations by entering commands directly into the console of the compromised/attacked system. The attack may be harmless, such as exploring the Internet, or more dangerous, such as reading/modifying privileged data, using the system to attack other computers, or installing a backdoor that will allow for easier access to the targeted computer system in the future (McQuade 2006; Maimon et al. 2013).
A warning banner is implemented to deter system trespassers from entering computer commands into an attacked system. Upon each entry into a computer system, a message is displayed, as a banner on the screen, conveying that the system is under surveillance. Warning banner messages vary in length. A short message may include the following language: “This system is under continuous surveillance. All user activity is being monitored and recorded” (Wilson et al. 2017, 838). A long message may include the following more detailed language: “The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to institutional disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, the Institution may provide the evidence of such activity to law enforcement officials” (Maimon et al. 2014, 41).
The presence of a surveillance message in an attacked computer system is believed to deter trespassers’ system engagement based on restrictive deterrence theory (Gibbs 1975). Restrictive deterrence is a process whereby an individual who commits a crime is not wholly deterred from engaging in crime, but instead modifies his or her behavior to reduce the probability of detection and punishment.
Restrictive deterrence theory is a subset of the broader deterrence theory, which understands individuals as rational actors who are susceptible to the influence of sanctions, as they weigh the potential costs and benefits of committing a crime (Bentham 1970). Therefore, it is believed that the presence of a surveillance message will deter computer system trespassers from committing a crime, given the presence of incriminating evidence against them.
Wilson and colleagues (2015) found no statistically significant impact on measures of crime deterrence. The presence of a surveillance banner did not deter trespassers from entering computer commands during the first system trespass, and it did not deter trespassers from trespassing repeatedly.
First System Trespass
There were no statistically significant differences in entering of computer commands during the first system-trespassing event between the treatment group and the control group.
Repeated System Trespass
There was no statistically significant difference in frequency and probability of repeated trespassing events between the treatment and control groups.
Maimon and colleagues (2014) found minimal to no impact of a warning banner on termination, frequency, and duration of trespassing sessions. There was no statistically significant change in termination and frequency; however, there was a small statistically significant change in duration of trespass incidents. Overall, the preponderance of evidence suggests the program did not have the intended effects.
Termination of Trespass Incidents
There was no statistically significant difference in the immediate termination of trespass incidents between the surveillance-banner treatment group and control group.
Frequency of Trespass Incidents
There was no statistically significant difference in frequency of trespass incidents between the treatment and control groups.
Duration of Trespass Incidents
The results showed that the warning banner reduced the duration of system-trespassing incidents on target computers when compared with the duration of system-trespassing incidents on control computers.
Wilson and colleagues (2015) used a randomized controlled trial in their evaluation of the deterrent effect of a warning banner in an attacked computer system on further system engagement. The experiment took place in a large, public university in the United States.
Three hundred public Internet protocol (IP) addresses were employed and designed to simulate real computer systems with vulnerable entry points. The computers were deployed over a 7-month period (from April 4, 2013 until November 3, 2013), during which time researchers waited for trespassers to find the computers and attempt to compromise them. To simulate a genuine computing environment, computers were set to reject the login attempts by system trespassers until a predefined threshold of attempts was reached. When this threshold was met, the login credentials used were treated as legitimate credentials for the system. System trespassers then had to input these credentials into the target computer to allow further access to the attacked system. Once intruders gained access, they were randomly assigned to one of four conditions. The first condition involved displaying the following surveillance banner upon each entry to the system: “This system is under continuous surveillance. All user activity is being monitored and recorded” (Wilson et al. 2017, 838). The second condition involved running surveillance software without the banner. The third condition involved both the presence of the surveillance banner, upon each entry to the system, as well as the surveillance software. The final control condition did not involve displaying a banner or running the surveillance software. Trespassers were allowed to work with their assigned computer for a 30-day period. At the end of the 30-day period, trespassers’ access to the computer was blocked.
Over the 7-month experimental period, 660 computers were successfully compromised and retained at least one system-trespassing event. This included 155 computers, which received just the surveillance banner; 164 computers, which received just the surveillance software; 169 computers, which received both the surveillance banner and software; and 172 computers from the control condition, which received neither the surveillance banner nor the software. Computers experienced 2,942 trespassing incidents during the experimental period with computer commands entered on the attacked system in 1,318 of these incidents. Demographic characteristics of the sample were not collected, given that the study’s unit of analysis was at the computer level.
Outcome measures included the presence of any commands having been entered in the target computer during the first system-trespassing incident, whether computers had more than one recorded trespassing event, and the presence of any commands entered in the target computer during the second system-trespassing incident. For analytic purposes, the four conditions were consolidated into a banner group (which included the surveillance banner-only group and the surveillance banner plus software group) and a no-banner group (which included the software-only group and the no-surveillance banner and no-software group). Differences in probability were calculated for each measure across the four conditions.
Maimon and colleagues (2014) used a randomized controlled trial in their evaluation of the influence of a warning banner on the progression, frequency, and duration of system-trespassing incidents. The experiment took place at a large university in the United States.
Eighty public IP addresses were employed, and specialized software (Sebek keylogger) was used to collect data on different components of system-trespassing incidents. The computers were deployed for a 2-month period (April 1 to May 20, 2011) during which time researchers waited for system trespassers to find the computers and infiltrate them. To simulate a genuine environment, the computers were modified to reject login attempts until a predetermined number of login attempts had been reached. Once the predetermined number of login attempts had been reached, users were given access and were assigned to a warning computer, which displayed a surveillance message, or to a no-warning computer, which did not display a surveillance message. The surveillance message was as follows: “The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to institutional disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, the Institution may provide the evidence of such activity to law enforcement officials” (Maimon et al. 2014, 41). System trespassers were allowed to engage with the infiltrated computer for a 30-day period. After 30 days, access was blocked, and the computer was cleaned and redeployed. Over the 2-month course of the experiment, 86 target computers were deployed and infiltrated, and 42 of these had a warning banner installed. A total of 971 system-trespassing incidents were recorded; 451 of these were recorded on the no-warning computers, and 520 sessions were recorded on the warning computers.
Outcome measures included immediate incident cessation, which was determined by measuring whether the trespassing incident ceased after 5 seconds. The second measure, incident duration, was measured by the elapsed time in seconds between the beginning and end of the trespassing incident. The third measure, frequency of incidents, was measured by determining the average number of repeated system-trespassing incidents. A Cox proportional-hazard regression was used as well as a t-test.
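The three outcome measures described above, computed per group over honeypot session records, as an added example that is not code from the study or from this profile. The session tuples are constructed sample data, the record layout and function names are hypothetical, "ceased after 5 seconds" is read as a duration of at most 5 seconds, and Welch's t on duration is this example's choice (the profile says only that a t-test was used).

```python
from collections import defaultdict
from math import sqrt
from statistics import mean, variance

IMMEDIATE_CUTOFF_S = 5  # assumption: "immediate" means the session lasted <= 5 s

# Constructed sample data: (computer_id, group, session_start_s, session_end_s)
SESSIONS = [
    ("w1", "warning", 0, 4), ("w1", "warning", 100, 160),
    ("w2", "warning", 0, 30), ("w2", "warning", 50, 53),
    ("w2", "warning", 200, 290),
    ("n1", "no-warning", 0, 120), ("n1", "no-warning", 300, 303),
    ("n2", "no-warning", 0, 240), ("n2", "no-warning", 500, 680),
]

def durations_by_group(sessions):
    """Elapsed seconds between start and end of each incident, per group."""
    out = defaultdict(list)
    for _computer, group, start, end in sessions:
        if end < start:
            raise ValueError("session ends before it starts")
        out[group].append(end - start)
    return out

def outcome_measures(sessions):
    """Immediate-termination rate, mean duration, mean repeat incidents."""
    per_computer = defaultdict(lambda: defaultdict(int))
    for computer, group, _start, _end in sessions:
        per_computer[group][computer] += 1
    result = {}
    for group, durs in durations_by_group(sessions).items():
        counts = per_computer[group].values()
        result[group] = {
            "incidents": len(durs),
            "immediate_termination_rate":
                sum(d <= IMMEDIATE_CUTOFF_S for d in durs) / len(durs),
            "mean_duration_s": mean(durs),
            # repeated incidents = incidents after the first on each computer
            "mean_repeat_incidents": mean(c - 1 for c in counts),
        }
    return result

def welch_t(a, b):
    """Welch's t statistic for the difference in means of two samples."""
    return (mean(a) - mean(b)) / sqrt(variance(a) / len(a) + variance(b) / len(b))

if __name__ == "__main__":
    for group, measures in outcome_measures(SESSIONS).items():
        print(group, measures)
    d = durations_by_group(SESSIONS)
    print("Welch t (duration):", round(welch_t(d["warning"], d["no-warning"]), 3))
```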
Maimon and colleagues (2014) also conducted a moderator analysis to test whether different system configurations, such as RAM size and bandwidth capacity, might moderate the effects of a warning banner on the duration of system-trespassing incidents. However, the results showed that there was no statistically significant impact on outcome measures even when controlling for different system configurations.
These sources were used in the development of the program profile:
Study 1
Wilson, Theodore, David Maimon, Bertrand Sobesto, and Michel Cukier. 2015. “The Effect of a Surveillance Banner in an Attacked Computer System: Additional Evidence for the Relevance of Restrictive Deterrence in Cyberspace.” Journal of Research in Crime and Delinquency
Maimon, David, Mariel Alper, Bertrand Sobesto, and Michel Cukier. 2014. “Restrictive Deterrent Effects of a Warning Banner in an Attacked Computer System.” Criminology