Why Willie Sutton Robbed Banks: the real answer,

and what it has to do with the Sony hack

Willie Sutton was one of the most
notorious American bank robbers of
the twentieth century, spending two
years on the FBI's list of Ten Most
Wanted Fugitives.
Sutton is also the subject of one of
the most frequently cited - and
bogus - anecdotes in all of security
(we're talking everything from
physical security to information
security and cybersecurity). At just
about every security conference that
I've attended, someone has used
some version of the following:
"When a reporter asked the bank
robber Willie Sutton why he robbed
banks, Sutton replied: "Because
that's where the money is.""
Before we look at what Sutton really said, please note that if you like this anecdote, you
can still use it with one small change to the wording:
"When a reporter asked the bank robber Willie Sutton why he robbed banks, Sutton is
said to have replied: "Because that's where the
money is.""
That's right, according to Sutton's autobiography he
never said he robbed banks because that's where
the money is. The reality, claims Sutton, is that a
reporter fabricated the exchange (Sutton, 1956).
Here's what Sutton really thought:
"Why did I rob banks? Because I enjoyed it. I loved
it. I was more alive when I was inside a bank,
robbing it, than at any other time in my life."
You don't have to be a criminologist to find that
answer both illuminating and fascinating, maybe
even frightening. That's because the bogus "where
the money is" anecdote supports the Rational
Choice Theory of criminal behavior underpinning
Situational Crime Prevention programs that are a
major component of crime reduction policy in some
countries (notably the U.K.).
Willie Sutton's Autobiography

At security conferences and in security writing (Felson and Clarke, 1998) the Sutton
anecdote is presented as both amusing and educational, implying that security should
focus on protecting the most valuable and convertible assets. (In fairness to Felson and
Clarke, they use the "said to have said" version.)
In fact, I have used the anecdote myself, for example: "Why do [criminal hackers] seek
unauthorized access to networks and digital devices? Because that's where the data is,
and data is the new currency." However, in that same 2011 SC Magazine article I also
noted Sutton's true motivation, and not just to be snarky.
The serious message here is that the reality of Sutton robbing banks because he enjoyed
it is immediately recognizable to anyone who has studied the thrill of hacking and the
phenomenon of hacktivism. In other words, Sutton may be a poster boy for expressive
crimes, those "containing a high emotional or expressive element" (Hayward, 2007);
these are crimes in which reason plays only a small role, if any. Expressive crimes are
potentially immune to crime prevention measures based on Rational Choice Theory and
Classical criminology.
Which brings us to late 2014 and the multiple hacking attacks on Sony, both the
destruction of data at Sony Pictures and the sustained denial of service attack on the
PlayStation Network (PSN). We already know that the latter was perpetrated by a group
of people going by the name of Lizard Squad and motivated, first and foremost, by the
fun of it (see interview transcripts such as this one).
While many organizations focus IT security efforts of protecting data that can be readily
converted to cash, Sutton and Sony remind us that for some criminals, the thrill of the
crime is the primary motivator. And if the fear of apprehension and detention is not
stronger than the love of the crime act, the chances of creating an effective deterrent are
slim.

Stephen Cobb, CISSP

References
Felson, M., Clarke, R. (1998) Opportunity Makes the Thief: Practical theory for crime
prevention, Police Research Series, Paper 98, Editor: Webb, B. Home Office Policing and
Reducing Crime Unit Research, Development and Statistics Directorate, U.K.
FBI, Famous Cases and Criminals: Willie Sutton: http://www.fbi.gov/aboutus/history/famous-cases/willie-sutton.
Hayward, K. (2007) "Situational Crime Prevention and its Discontents: Rational Choice
Theory versus the Culture of Now" Social Policy & Administration (3): 232-250.
Sutton, W. and Linn, E. (2004). Where the Money Was: The Memoirs of a Bank Robber.
Broadway Books. New York City. (First published 1976 Viking Press, New York City, New
York), p. 160.