When it comes to preventing insider threats, many people may think that harsher punishments are the best way to deter potential offenders. However, research shows that the certainty of getting caught and punished is far more important than the severity of the punishment in influencing criminal behavior. Unlike other insider risk management tools, EchoMark relies on this aspect of human behavior to proactively prevent leaks from happening in the first place. If every recipient knows they have received a personalized version with forensic watermarks hidden in the content, it increases their belief that they will in fact get caught.
What is deterrence theory?
Deterrence theory is a theory of punishment that suggests that people are rational actors who weigh the costs and benefits of their actions before deciding whether to commit a crime or not. According to this theory, punishment is a way of imposing costs on criminal behavior and reducing its benefits, thereby discouraging people from breaking the law.
Deterrence theory distinguishes between two types of deterrence: general deterrence and specific deterrence. General deterrence refers to the effect of punishment on the general public, who learn from the example of others and avoid committing crimes for fear of facing similar consequences. Specific deterrence refers to the effect of punishment on the individual offender, who learns from his or her own experience and avoids repeating the same crime for fear of facing the same or worse consequences.
What are the dimensions of punishment?
Punishment can vary along three dimensions: certainty, severity, and celerity. Certainty refers to the likelihood of being caught and punished for the commission of a crime. Severity refers to the length or harshness of the sentence imposed on the offender. Celerity refers to the swiftness or speed with which the punishment is delivered after the crime.
What does research say about certainty and severity?
Research underscores the more significant role that certainty plays in deterrence than severity. It is the certainty of being caught that deters a person from committing crime, not the fear of being punished or the severity of the punishment. Studies show that for most individuals convicted of a crime, short to moderate prison sentences may be a deterrent but longer prison terms produce only a limited deterrent effect. Moreover, increasing the severity of punishment may have unintended negative consequences, such as increasing recidivism, reducing rehabilitation, and eroding public trust in the justice system.
One example of how certainty can be more effective than severity in deterring crime is the case of State of H.P. v. Nikku Ram (1995), where the Supreme Court of India upheld a sentence of life imprisonment for rape instead of the death penalty, arguing that “the most effective way to prevent rape is not by awarding death sentence but by ensuring that rapists are arrested without delay and brought to trial without delay”.
Another example is the case of Project Exile, a federal program launched in 1997 in Richmond, Virginia, that targeted illegal gun possession and use by imposing mandatory minimum sentences of five years in federal prison. The program was credited with reducing gun homicides by 40% in its first year, not because of the severity of the punishment but because of the certainty and swiftness of prosecution.
What are some implications for policy and practice?
The findings from research on deterrence suggest that policy makers and practitioners should focus more on increasing the certainty of punishment rather than increasing its severity. This can be done by improving law enforcement strategies, such as increasing police presence, visibility, and responsiveness; enhancing surveillance and detection technologies; strengthening intelligence and information sharing; and promoting community policing and cooperation.
Furthermore, policy makers and practitioners should consider other factors that may influence criminal behavior, such as social norms, moral values, peer pressure, personal circumstances, and situational factors.
What are some implications for data security within companies?
The findings from research on deterrence also have implications for data security and insider risk within companies, which face increasing threats from cyberattacks, data breaches, and insider threats. Data security refers to the protection of data from unauthorized access, use, disclosure, modification, or destruction. Unauthorized access combined with use and disclosure outside the business is commonly referred to as 'data exfiltration'.
Data security is essential for maintaining the confidentiality, integrity, and availability of data, as well as the trust and reputation of the company. Insider threats are a growing concern for companies of all sizes and sectors. They are also a type of threat that responds best to proactive measures by executives and information security practitioners.
One way to enhance data security within companies is to apply the strategies of acceptance, protection, and deterrence.
Acceptance refers to the reduction of the threat by increasing the legitimacy and goodwill of the company among its stakeholders, such as customers, employees, partners, and regulators. This can be done by adopting ethical practices, transparent policies, social responsibility, and stakeholder engagement.
Protection refers to the reduction of the risk by reducing the vulnerability of the company to data breaches. This can be done by implementing technical measures, such as encryption, authentication, firewalls, antivirus software, forensic watermarking, and backups; organizational measures, such as policies, procedures, training, and audits; and legal measures, such as contracts, agreements, and compliance.
Deterrence refers to the reduction of the risk by containing the threat with a counter threat. This can be done by imposing sanctions, such as fines, lawsuits, criminal charges, or reputational damage; or by using diplomatic or political leverage, such as alliances, agreements, or negotiations.
However, deterrence strategies are not always effective or sufficient in ensuring data security within companies. Some challenges and limitations include:
- The difficulty of identifying and attributing the source of cyberattacks or data breaches
- The diversity and complexity of motivations and incentives of the attackers
- The ethical and legal implications of using offensive or retaliatory measures
Therefore, companies should also consider other factors that may influence data security behavior within their organization, such as:
- The awareness and knowledge of data security risks and best practices among employees
- The attitude and perception of data security as a priority and a responsibility among employees
- The behavior and habits of data security compliance and non-compliance among employees
- The culture and climate of data security within the organization
- The leadership and support for data security from top management
Within a holistic and proactive approach to data security, deterrence theory can be a useful tool, but it is not a panacea for preventing data breaches.
How Does EchoMark Enhance Insider Risk and Insider Threat Deterrence Approaches?
EchoMark is building the last mile of information security. By implementing a number of approaches to watermark digital and analog information, EchoMark provides IT security teams with powerful tools for tracking down the sources of leaks. Further, EchoMark creates a sense of stewardship and accountability for those people who are trusted with the most sensitive information in the organization.
Deterrence through certainty of apprehension is the most effective way to reduce the risk of insider threats and data leaks. EchoMark provides a compelling set of capabilities to ensure that insider threats are aware that they are likely to be caught, thereby significantly reducing insider risk.