Illegal Roaming and File Manipulation on Target Computers: Assessing the Effect of Sanction Threats on System Trespassers’ Online Behaviors

Alexander Testa, University of Maryland at College Park
David Maimon, Georgia State University
Bertrand Sobesto, University of Maryland at College Park
Michel Cukier, University of Maryland at College Park


Research Summary: The results of previous research indicate that the presentation of deterring situational stimuli in an attacked computing environment shapes system trespassers’ avoiding online behaviors during the progression of a system trespassing event. Nevertheless, none of these studies comprised an investigation of whether deterring cues influence system trespassers’ activities on the system. Moreover, no prior research has been aimed at exploring whether the effect of deterring cues is consistent across different types of system trespassers. We examine whether the effect of situational deterring cues in an attacked computer system influenced the likelihood of system trespassers engaging in active online behaviors on an attacked system, and whether this effect varies based on different levels of administrative privileges taken by system trespassers. By using data from a randomized experiment, we find that a situational deterring cue reduced the probability of system trespassers with fewer privileges on the attacked computer system (nonadministrative users) to enter activity commands. In contrast, the presence of these cues in the attacked system did not affect the probability of system trespassers with the highest level of privileges (administrative users) to enter these commands.

Policy Implications: In developing policies to curtail malicious online behavior committed by system trespassers, a “one-policy-fits-all” approach is often employed by information technology (IT) teams to protect their organizations. Our results suggest that although the use of a warning banner is effective in reducing the amount of harmful commands entered into a computer system by nonadministrative users, such a policy is ineffective in deterring trespassers who take over a network with administrative privileges. Accordingly, it is important to recognize that the effectiveness of deterring stimuli in cyberspace is largely dependent on the level of administrative privileges taken by the system trespasser when breaking into the system. These findings present the need for the development and implementation of flexible policies in deterring system trespassers.