Intention to Hack? Applying the Theory of Planned Behaviour to Youth Criminal Hacking

: Adolescents are currently the most digitally connected generation in history. There is an ever-growing need to understand how typical adolescent risk-taking intersects with the vastly criminogenic potential of digital technology. Criminal hacking in older adolescents (16–19-year-olds) was assessed using an adapted Theory of Planned Behaviour (TPB) model, a cohesive theoretical framework that incorporates cognitive processes and human drivers (informed by psychology, cyberpsychology, and criminology theory). In 2021, a large-scale anonymous online survey was conducted across nine European countries. Criminal hacking was assessed using data from 3985 participants (M = 1895, 47.55%; F = 1968, 49.39%). This study formulated a powerful predictive model of youth hacking intention (accounting for 38.8% of the variance) and behaviour (accounting for 33.6% of the variance). A significant minority, approximately one in six (16.34%), were found to have engaged in hacking, and approximately 2% reported engaging in hacking often or very often. Increased age, being male, and offline deviant behaviour were significant predictors of hacking behaviour. In line with the TPB, intention was the strongest individual predictor of hacking behaviour, which in turn was significantly predicted by cognitive processes accounted for by TPB constructs: subjective norms of family and peers, attitudes towards hacking, and perceived behavioural control. These TPB constructs were found to be significantly associated with human factors of risk-taking, toxic online disinhibition, offline deviant behaviour, and demographic variables of age and gender. Implications for future research, interventions, policy, and practice are discussed.


Introduction
Adolescence is a key psychosocial developmental phase, specifically regarding the development of identity, autonomy, intimacy, and also personal achievements.Three key indicators are universally observed in adolescence, pointing to an underlying biological mechanism, namely increased risk-taking, increased novelty-seeking, and increased peer association and affiliation [1].These indicators of adolescent risk-taking are well established; however, it is less well understood how these behaviours manifest in the digital space.Adolescents are currently the most digitally connected generation in history [2], reporting to spend over half of their waking hours (8.39 h) on their digital devices [3].Recent surveys have found that cyberdeviance and cybercrime are almost ubiquitous in the teen population.Recent large-scale research has identified that approximately two-thirds of the youth population self-report to engage in some form of cybercriminal or cyberdeviant behaviour, inclusive of hacking [4].Notably, rates increase with age.In a study conducted in Australia, rates of cyber risk-taking were high and increased over a three-year period from 79.6% in 2018 to 89.5% in 2021 within the same cohort of teens [5].It is imperative to not only understand the factors associated with cyberdeviance, but to design interventions to prevent harm arising from these behaviours in cyber contexts.
The term 'deviance' refers to the violation of established norms and approved rules, encompassing serious behaviours, including crimes and delinquent acts (crimes conducted by juveniles), and behaviours that are not always punishable by law, but that are either antisocial or harmful to the individual or others [6,7].The term 'cyberdeviance' refers to the intersection of these behaviours and digital technology and is inclusive of a wide range of behaviours that not only violate societal norms but also violate legally proscribed rules [8].
To what extent harmful online behaviours are considered a crime and how to conceptualise 'cybercrime' continues to be vigorously debated; however, the general consensus to date is that both terms (cybercrime and cyberdeviance) are considered to refer to what could be described as a broad spectrum of criminal and harmful cyber behaviours, a supposition now supported by recent empirical research [4].Importantly in the context of this study, a recent large-scale self-report survey found that approximately half (47.76%) of the sample (n = 7974) reported engaging in some form of cybercrime, and when taking into account cyberdeviant and potentially risky online behaviours, this number increased to just over two-thirds (69.1%) [4].
Both terms include behaviours unique to the cyber landscape, the transition of preexisting criminal behaviours occurring with the use of, or facilitated by, technology, as well as the new evolution of crime behaviours due to advancements in technology (for a discussion of definitional issues, see Phillips et al., 2022 [9]).Furthermore, these terms are used interchangeably to refer to the same spectrum of behaviours precisely to circumnavigate problems that arise from, for example, differences in cybercrime legislation across jurisdictions [9].
A particular cybercriminal behaviour relevant to researchers, policymakers, and law enforcement is that of criminal 'hacking.'This behaviour is entirely exclusive to the cyber landscape (i.e., it cannot occur offline or in the so-called real world), termed 'cyberdependent' [10], and is therefore unique compared to other forms of cybercrime and cyberdeviance.Whilst there is no offense of 'hacking', the term refers to a constellation of behaviours that affect the confidentiality, integrity, and availability of computer data and systems [11].Furthermore, legal systems define hacking (access, interception, interference, and misuse of computer data and systems) as an illegal act, irrelevant of motive, intent, or purpose [12].Hacking among youth populations is known to be prevalent, although exact estimates of perpetration rates vary across studies (dependent on the operationalisation of the term 'hacking,' research methodology, and sampling methodology), estimates range from approximately one in eleven [13], in a large-scale academic study, to one in four [14] (p.692), in a small industry study.

Understanding the Phenomenology of Hacking and Profile of Hackers
Foundational work concerning cybercriminality has identified a number of pertinent factors that may inform youth pathways into cybercrime, such as age, gender, computer literacy, interest in and aptitude for technology, willingness to engage in low-level illegal Internet-related activity, deriving intrinsic pleasure from increased challenges, and the need for affiliation, affirmation, and online peer networks that normalise and encourage illegal behaviour [15,16].Holt and Bossler (2015) [17] note that research regarding hacking has increased over the last two decades, specifically regarding insights into key predictors of hacking among adolescent and adult samples.Further, Back et al., 2018 [18], highlight that there is a large number of studies exploring hacker culture, characteristics, perceptions, types, and techniques [19][20][21][22][23][24][25][26].
Work concerning cybercrime perpetration is primarily descriptive and there exist proportionally few empirical research studies that are underpinned by established academic theory (see Bossler, 2019 [27], for an overview of the application of criminology theory to cybercrime).A promising model to explore cognitive processes explaining cybercriminal and cyberdeviant behaviours is that of Ajzen's (1985) [28] Theory of Planned Behaviour (TPB), and whilst some exploratory work has considered the relationship between the Theory of Reasoned Action (TRA) [29] and hacking behaviour [30], no study to date has applied TPB to adolescent criminal hacking.Furthermore, there is a paucity of studies exploring the 'human element' of hacking, particularly in youth populations, and factoring in cognitive processes that may underly cybercriminal intention.It is recognised in the literature that one of the most intractable threats to cybersecurity is the sociotechnical element, meaning the behaviour of those behind the technology.The 'human factor' has been recognised as being 'the weakest and most obscure link in creating safe and secure digital environments' [31] (p.338).Rather, for these forms of crimes, there is a focus on understanding their technical drivers and creating technical interventions (cybersecurity or infosec interventions); therefore, it is necessary to factor the human, and specifically youth, perpetrators into the cybercrime equation.The TPB bridges a gap in the literature by offering a cohesive theoretical framework for understanding cognitive processes and key human factors regarding hacking, with a corresponding analytical framework to determine the predictive power of these individual variables and how they interact.

Application of Academic Theory
Ajzen's 1985 [28] Theory of Planned Behaviour (TPB) is a cognitive theory that proposes that an individual's decision to engage in a specific behaviour, such as illegal hacking or cyberfraud, can be predicated by their intention to engage in that behaviour.Notably, 'intentions are assumed to capture the motivational factors that influence a behaviour; they are indications of how hard people are willing to try, of how much of an effort they are planning to exert, in order to perform the behaviour.As a general rule, the stronger the intention to engage in a behaviour, the more likely should be its performance [32]' (p.181).TPB has already been applied in research concerning risky online behaviours of adolescents, such as cyberbullying [33] and sexting [34].Owen, 2016 [30], has highlighted the theoretical potential utility of The Theory of Reasoned Action [29], in terms of intention, and the Theory of Planned Behaviour [32], in terms of 'the hacker's appraisal of whether the hacking is within their locus of control directly influences their hacking intentions and the subsequent hacking behaviour, termed as perceived behavioural control' [35] (p. 2), to understanding why individuals chose to engage in hacking behaviours.Moreover, the TPB also incorporates aspects of social influence, which is particularly salient during the period of adolescent development [1].

Research Aim
Given the above-identified potential risks of youth hacking and that engaging in these behaviours may set young people onto a trajectory of cyberdelinquency and criminality that can have life-altering consequences [15], it is vital to comprehensively understand the human factors that lead young people on these pathways in order to inform intervention mechanisms for policymakers and educators.The application of the TPB to youth hacking, in particular, provides a unique conceptual framework that can be adapted to incorporate both cognitive processes (TPB constructs of attitudes, subjective norms, perceived behavioural control, intentions) as well as key identified human factors (risk-seeking, toxic online disinhibition, and offline deviant behaviours, explained in greater detail under hypothesis development).The current study was conducted with older adolescents (ages [16][17][18][19], as these ages represent a transition from being a juvenile to legal adulthood and, therefore, to being held responsible for any illegal action taken.As such, the findings of our study may prove key to creating interventions and diversion from justice programmes.

Hypothesis Development
According to the TPB, intention is believed to directly account for the manifestation of the behaviour of interest, if that behaviour is under volitional control, which, in turn, is affected by attitudes towards the behaviour ('favourable or unfavourable evaluation or appraisal of the behaviour in question'), subjective norms (SNs, 'the perceived social pressure to perform or not to perform the behaviour'), and perceived behavioural control (PBC, 'the perceived ease or difficulty of performing the behaviour').Additionally, the TPB predicts that perceived behavioural control directly predicts the behaviour [32] (p.188).
Therefore, this study seeks to investigate the cognitive processes that underlie youth hacking by determining the factors that lead to intention (attitudes, SNs, and PBC), which can then lead to the behaviour.Additionally, this model will be complemented with demographic variables (i.e., age and gender), as well as psychological and criminological factors (i.e., risk-seeking, toxic online disinhibition, and offline deviant behaviours).There exist studies and literature linking these demographic and human driver variables as important predictors of deviancy, criminality, cyberdeviancy, and cybercriminality-youth hacking in particular-that are further discussed in later sections.Given the novelty of this approach, there is a lack of literature linking these variables to TPB constructs specifically; therefore, these variables will be incorporated within the proposed adapted TPB model to assess their association with TPB constructs.

Hacking Behaviour
Academic studies investigating hacking perpetration within youth age groups, defining hacking in a similar way, determined that the perpetration rate of hacking behaviour was 9.3% [13].However, there is some evidence that hacking rates have increased in the youth population during and following COVID-19 pandemic [36].For example, in the UK, the NCA, 2022 [37], reported that cyberattacks on school networks and websites by young people had, in fact, doubled during the pandemic.Therefore, arguably, it can be predicted that perpetration rates may also have increased since 2018.

Behavioural Intention
It has been suggested that intention to engage in a behaviour is the strongest predictor of exhibiting that behaviour, with the exception of when that behaviour is outside of one's behavioural control [32].Whilst there are some environmental constraints (e.g., availability of resources) and personal constraints (e.g., ability), which are accounted for by PBC measures, hacking is mainly considered a behaviour that is dictated by volitional control [32,38], similar to cyberbullying [33].We therefore propose the following hypothesis: Hypothesis 1 (H1): Intention to engage in hacking will be positively associated with hacking behaviour.

Attitudes
Criminological theory, namely drift, prescribes that 'techniques of neutralisation' will be employed when committing deviant behaviours, predicting that individuals will attempt to justify or neutralise wrongdoing through normalising of behaviours, denial of harm, or even placing onus on victims [39,40].Many hackers may not necessarily perceive hacking as illegal or wrong; this perception is arguably compounded by pro-social or activist portrayals of hackers within the media [41,42].Furthermore, the pervading narratives about hacking behaviour within hacker subculture strongly influence attitudes within this group, first outlined in the 'The Hacker Manifesto' [43].Those within the hacking community often hold positive attitudes towards hacking and hacking behaviours; a key ethos of the so-called 'hacker ethic' centres on free access to information and technology [41].Further, the meritocracy within hacker subculture can supersede the perception of morality or legality, meaning the only aspect of the behaviour that truly matters is the skill needed to complete the hack [41].We therefore propose the following hypothesis:

Hypothesis 2 (H2):
The more permissive young people's attitudes towards hacking, the higher their intention to engage in hacking.

Subjective Norms
Adolescence is considered a salient period of identity formation, where family and peers have a formative influence [44,45].One of the triad of behaviours universally observed in adolescence is the social shift towards more peer-based affiliations and interactions [1,46].Criminological research has demonstrated that exposure to and association with deviant peers is generally one of the strongest predictors of delinquency and criminality [41,47], as well as hacking, specifically [41,[48][49][50].We therefore propose the following hypothesis:

Hypothesis 3 (H3):
There will be a positive relationship between subjective norms and hacking intentions, meaning perceived permissive attitudes held by parents (H3a) and peers (H3b) are positively related to adolescents' hacking intentions.

Perceived Behavioural Control
PBC encompasses two constructs: one represents an internal belief, meaning the individual's own internal perception of their ability to carry out the behaviour, and the second represents the actual availability of resources to engage in a behaviour [32].Within this study, PBC items focus on intrinsic beliefs only, measuring the internal perception of skill, ability, and confidence to carry out hacking behaviours.There are arguably advanced skills or knowledge that need to be acquired to perform even minor hacking behaviours or access hacking forums, e.g., use of the Onion router (TOR) and programming skills.Furthermore, hackers pride themselves on their abilities and skills; a key characteristic of hackers is the desire for technological mastery [41].Therefore, arguably only those who engage in hacking, or intend to, could reasonably be expected to seek to increase their own skills and abilities and correspondingly exhibit a higher PBC.We therefore propose the following hypothesis:

Hypothesis 4 (H4):
There will be a positive relationship between PBC and hacking intention (H4a) and PBC and hacking behaviour (H4b).

Demographic Variable: Age
Academic research has identified that hacking behaviour tends to begin in adolescence and those heavily involved are typically young.This is in line with other types of offending according to the typical age-crime curve relationship between offending and age [19,21,41,51,52].The UK's National Crime Agency's (NCA) National Cyber Crime Unit (NCCU) has recently shared that many of the referrals regarding cybercrime are for children of secondary school age, as young as nine, but with a median age of 15 [37].
Additionally, longitudinal research conducted by Logos et al., 2021 [5], found that rates of any form of cyber risk-taking were high and increased over a three-year period from 79.6% in 2018 (13-14-year-olds) to 89.5% in 2021 (same cohort at 15-16 years old).Research has theorised that many young hackers often naturally desist by their mid-20s, which is again in line with youth offending in other areas [25,53,54]; however, as this is beyond the age group within this study, it is predicted that age will be related to increased hacking perpetration.We therefore propose the following hypothesis: Hypothesis 5 (H5): Increasing age will be associated with greater levels of hacking behaviour.

Demographic Variable: Gender
Qualitative research has observed that there is a gender gap in relation to hacking [21,41,54,55], and males are also more likely to self-report involvement in different types of hacking [41,48,50,56].There are longstanding speculative reasons for the gender gap, one being that it is reflective of the general gendering of technology use [54,57] and the other being that females are much less likely to engage in crime and delinquency, which is a well-established finding in traditional real-world crime [58].We therefore propose the following hypothesis: Hypothesis 6 (H6): Males will exhibit greater levels of hacking behaviour.

Human Factor: Risk-Seeking
Low self-control or impulsivity has been found to be a key personality trait associated with criminal behaviours.Gottfredson and Hirschi's 1990 [59] general theory of crime proposes that low self-control interacts with opportunity to constitute a major cause of criminal behaviour.Low self-control has been found to increase the likelihood of involvement in hacking in both college populations [48][49][50] and adolescent populations [18,41,56,60,61].A component of low self-control salient in adolescent years is that of risk-taking [1,46].Grasmick et al., 1993 [62], developed a scale to measure Gottfredson and Hirschi's, 1990 [59], theoretical conceptualisation of low self-control, including a subscale to measure riskseeking, which is used in the present study.We therefore propose the following hypothesis: Hypothesis 7 (H7): Greater levels of risk-seeking will be associated with greater levels of hacking behaviour (H7a).In addition, risk-seeking will be assessed for association with other TPB constructs; greater levels of risk-seeking will be associated with more positive attitudes towards hacking (H7b), more favourable subjective norms of parents (H7c) and friends (H7d), higher PBC to engage in hacking (H7e), and higher intention (H7f).

Human Factor: Toxic Online Disinhibition
The 'online disinhibition effect', first proposed by Suler (2004) [63], is used to describe the phenomenon whereby people may feel more liberated and able to express themselves when online.Suler (2004) [63] further differentiates between toxic and benign disinhibition.Benign disinhibition may be when individuals online overshare or become unusually kind or generous, whereas with toxic disinhibition, individuals become unusually unkind online (displaying rudeness, hate, making threats, etc.) or explore the deviant or criminal environments that can be found online, particularly on the Dark Web [63,64].Udris (2017) [65] used structural equation modelling to explore predictors of both offline and online deviance, and determined that toxic disinhibition was the strongest predictor of online deviance, whereas benign disinhibition was found to be unrelated to deviant behaviour.Therefore, the present study focuses on the relationship between toxic disinhibition and TPB constructs.We therefore propose the following hypothesis: Hypothesis 8 (H8): Greater levels of toxic online disinhibition will be associated with greater levels of hacking behaviour (H8a).In addition, toxic online disinhibition will be assessed for association with other TPB constructs: greater levels of toxic online disinhibition will be associated with more positive attitudes towards hacking (H8b), more favourable subjective norms of parents (H8c) and friends (H8d), higher PBC to engage in hacking (H8e), and higher intention (H8f).

Human Factor: Offline Deviant Behaviour
Foundational criminology theory, namely 'drift' [40], posits that delinquent values are held by the majority, but these values are suppressed through learned skills and adherence to subjective norms.While there is a higher tendency for delinquency when young, some 'drift' between conformity and deviance throughout their lives, using 'techniques of neutralisation' to justify their behaviour, e.g., denial of responsibility [40].The concept of 'drift' has been explored in digital contexts to explore cyberdelinquency [13,39,66].A key indication of 'drift' is the propensity to engage in different forms of delinquency, as indicated by engaging in both offline and online deviant behaviours.Brewer et al. (2018) [13] found moderate to strong correlations between online and offline delinquency, and risk-taking was equally correlated to both offline and online delinquency.Self-report surveys have found a significant overlap between online and offline delinquency.Those who engage in risky behaviours offline are 6.8 to 13 times more likely to have engaged in cyber risk-taking ( [5,67]).Furthermore, these studies determined that physical risk-taking (offline delinquent behaviours) was a strong predictor of online delinquency [5,67].We therefore propose the following hypothesis: Hypothesis 9 (H9): Greater levels of offline deviant behaviour will predict greater levels of hacking behaviour (H9a).In addition, offline deviant behaviour will be assessed for association with other TPB constructs: greater levels of offline deviant behaviour will be associated with more positive attitudes towards hacking (H9b), more favourable subjective norms of parents (H9c) and friends (H9d), higher PBC to engage in hacking (H9e), and higher intention (H9f).

Method 6.1. Participants
An online survey questionnaire was completed by 7974 participants aged 16-19 across nine European countries, representing a geographic spread of Europe.A quota sampling approach was used, and participants were recruited from existing panels via a research agency.The sample was recruited according to country or region with 1000 (12.5%) recruits in each of the seven countries and one region: namely the UK, France, Spain, Germany, Italy, the Netherlands, Romania, and the region of Scandinavia (comprised of 70% of participants from Sweden and 30% from Norway).Due to the smaller panel sizes in Sweden and Norway, both samples were combined to form a 'region'.Within each country, the sample was recruited to have an even split of the age range (25% 16-, 17-, 18-, and 19-year-olds) and even split of gender (50% male and female; participants with other gender identities were also recruited).
This study was conducted as part of the wider CC-DRIVER ('Understanding the drivers of cybercriminality, and new methods to prevent, investigate, and mitigate cybercriminal behaviour') research initiative and the H2020 research programme.The sample was divided within this study.For reasons of survey length, the questions related to hacking were presented and completed by 3985 (49.97% of the final sample) participants.The current analyses are based on this subsample.Descriptive characteristics of the sample are provided in Table 1.This study was conducted in accordance with the ethical standards of the British Psychological Association (BPS), with approval from (blinded for the review), as well as an independent CC-DRIVER Ethics Board.Data were collected with the strictest privacy and legal regulations and in adherence with data protection regulations (GDPR).

Procedure
Data collection took place over approximately three months (June-August 2021); the average time to complete was 32.29 min.All questions were in multiple-choice and forced-choice response format.The survey was uploaded to an online survey platform using Ex-plor Strat7 (a GDRP-compliant ResearchBods, Leeds, UK) proprietary-owned Communities platform).Before being able to access the survey, participants had to give informed consent, had to pass captcha, confirm they were between 16-19 years old, and accept cookies (to prevent multiple responses from one user).Participants were free to withdraw, by exiting, at any point in the survey.Only complete surveys were taken forward to analysis.Once completed, participants were debriefed and provided with support links.

Measures
The phenomenon of hacking was introduced as follows: 'On the Internet, some people engage in hacking.By hacking, we mean the unauthorised access and use of computer systems.This ranges from hacking into a system, to stealing personal information, to hacking someone's social media accounts.'The operationalisation of hacking was informed by legal statutes [11], academic literature [56,68], and an internal survey piloting process with the target age group.The measures were created following the recommendations of Ajzen, 2011 [69].All items and mean scores of the items are presented in Table 2.

Hacking Behaviour
Hacking behaviour was measured with a single item ('I have engaged in hacking.').Respondents could answer the question with 1 = never, 2 = rarely, 3 = sometimes, 4 = often, or 5 = very often.

Behavioural Intention
Three items measured intention to engage in hacking.The items were scored along a 7-point Likert scale ranging from 1 = totally disagree to 7 = totally agree.The internal consistency of the items was good (α = 0.94).

Attitudes
Respondents rated their attitude by means of six semantic differential 7-point scales, ranging from 1 to 7, shown in Table 2. Items were presented from positive to negative; therefore, higher scores indicate less positive attitudes.The reliability of the scale was good (α = 0.93).

Subjective Norm
The subjective norms of friends and parents was measured with two items each.The four items were assessed using a 7-point Likert scale, with item responses ranging from 1 = totally disagree to 7 = totally agree, including a null item (0 = 'Does not apply to me.').All scales were reliable, with α = 0.90 for friends and α = 0.78 for parents.

Perceived Behavioural Control
Three items measured participants' confidence that they are capable of performing the behaviour.All items were scored on a 7-point Likert scale, ranging from 1 = totally disagree to 7 = totally agree.The Cronbach's alpha of the scale was 0.91.

Toxic Online Disinhibition
Online disinhibition was measured with four items from the toxic disinhibition factor of Udris' online disinhibition scale (2014) [70].All items were scored on a 4-point Likert scale, ranging from 0 = disagree to 4 = agree.The Cronbach's alpha of the scale was 0.72.

Offline Deviant Behaviour
A subset of 10 items of the Deviant Behaviour Variety Scale (DBVS) [71] was adopted to measure offline deviant behaviour.All items were scored on a 4-point Likert scale, ranging from 0 = never to 4 = very often.The Cronbach's alpha of the scale was 0.96.

Risk-seeking
To measure risk-seeking, three items were used from a subscale of Grasmick et al.'s, 1993 [62], low self-control scale.All items were scored on a 4-point Likert scale, ranging from 1 = fully disagree to 4 = fully agree.The Cronbach's alpha of the scale was 0.80.

Data Analysis
To investigate the relationships among the TPB constructs, structural equation modelling was applied to the collected data using Mplus 8.7 [72].The analyses were carried out in the following way.Firstly, a measurement model was built and the authors examined whether the observed variables reliably reflected the hypothesised latent variables in the research model.Secondly, the authors estimated a structural model with attitude, subjective norms of parents and friends, perceived behavioural control, online toxic disinhibition, risk-seeking, and offline deviant behaviour as predictor variables and with behavioural intention and self-reported hacking behaviour as endogenous variables.Age and gender were included as covariates in the model.Given the low percentages of people who identified themselves in another way (2.31%) and those who declined to answer (0.75%), only male and female respondents were included in the analyses.Structural equation modelling results were obtained with maximum likelihood mean adjusted, because preliminary tests suggested that self-reported behaviour was a not normally distributed dependent variable.
The model fits of the measurement and path models were evaluated according to several fit indices.Given that the chi square is almost always significant and not an adequate test of the model fit [73,74], the authors also reported the Comparative Fit Index (CFI) [75], the Tucker-Lewis index (TLI) [76], the Root Mean Square Error of Approximation (RMSEA) [77], and the Standardised Root Mean Square Residual (SRMR) [74].The CFI and TLI range from 0 to 1.00, with a cut-off of 0.95 or higher indicating that the model provides a good fit and 0.90 indicating that the model provides an adequate fit [78,79].RMSEA values below 0.05 indicate a good model fit, and values between 0.06 and 0.08 indicate an adequate fit [80].The SRMR is a standardised summary of the average covariance residuals [74].A relatively good model fit is indicated when the SRMR is smaller than 0.08 [79].

Descriptive Findings
In total, 16.34% (n = 651) of the participants had engaged in the behaviour; one out of ten (9.91%, n = 395) indicated they had rarely engaged in hacking, 4.42% (n = 176) engaged in it sometimes, 1.46% (n = 58) did so often, and 0.55% (n = 22) did so very often.Table 3 displays the correlations between the research constructs used in the model.All constructs were significantly related to each other, with p < 0.001.

Fit of Measurement Model
The measurement model provided a good fit for the data; chi square (492) = 1368.25,p < 0.001; CFI = 0.98, TLI = 0.98, RMSEA = 0.022 (CI: 0.020-0.0023),and SRMR = 0.027.All variables were treated as latent constructs, with the exception of the single-item measure for behaviour.All factor loadings were significant and above 0.48.Gender and age were subsequently included as covariates in the analysis and examined for the relationships between age, gender, and the study variables.The structural model (presented in Figure 1) was adjusted for the influence of these variables.

Effect of Age and Gender on Model Constructs
Age was found to be significantly associated with hacking behaviour (β = 0.07, p < 0.001), supporting H5.In addition, age was found to be significantly associated with the subjective norms of parents (β = 0.05, p < 0.004) and offline deviant behaviour (β = 0.06, p < 0.001).Age was not found to be significantly associated with other model constructs.

Result Summary
Approximately one in six participants (16.34%) reported to have engaged in hacking.Compared to previous research [13], this study found a higher percentage of young people engaging in hacking.This could be due to methodological differences, in-person versus anonymous online survey data collection, or the finding that cybercrime is rapidly increasing, accelerated by the COVID-19 pandemic [36], and the fact that children of an increasingly young age are reportedly becoming involved in hacking [37].
In line with the TPB, intention was the strongest predictor of hacking behaviour, and PBC also had a significant influence on behaviour [32,38].This study, in line with other research, also identified that older adolescents (age) [5,19,21,41,51,52,81], males (gender) [21,41,48,50,[54][55][56]81], and higher incidence of offline deviant behaviour were also significantly associated with increased perpetration of hacking behaviour [5,13,67].Also, in line with the TPB [32], intention was significantly and most strongly predicted by TPB constructs, SNs of family and peers, attitudes, and PBC, in the hypothesised direction.Moreover, a higher incidence of offline delinquent behaviour and gender were also found to be significant predictors of intention; a higher incidence of offline delinquency predicted greater intention to hack, and males were more likely to have intentions to engage in hacking.
More positive attitudes towards hacking were significantly associated with higher levels of toxic online disinhibition, more offline deviant behaviour, and being male.This indicates that those who are more inclined to engage in risky and harmful behaviours may be engaging in 'techniques of neutralisation', as predicted by drift theory [39], and the general increased transgressive potential associated with male adolescents [82].More permissive attitudes from friends and family were significantly associated with increased risk-seeking, higher levels of toxic online disinhibition, more offline deviant behaviour, and being male.This is in line with wider literature that examines deviance in adolescence, e.g., alcohol misuse at young age, and that found liberal attitudes linked to increased deviant behaviours, increased family conflict, and lower levels of parental monitoring [83].
Greater perceived behavioural control, operationalised as perceived technical ability to commit a hack in this study, is significantly associated with increased risk-seeking, higher levels of toxic online disinhibition, more offline deviant behaviour, and being male.This indicates, as hypothesised, those wanting to engage in hacking (driven by a general propensity for risk-taking) may seek to increase their technical skills.
In addition, as adolescents age, they are significantly more inclined to engage in offline deviant behaviour.This is in line with other research [5] and, in general, the age-crime curve relationship between offending and age [19,21,51,52,81].Further, males were more likely to have higher levels of toxic online disinhibition.This is in line with other studies investigating online hate [84] and cyberbullying [70].Males are also more likely to engage in more offline deviant behaviour, which is again in line with previous research.One of the most consistent findings in criminology is that males are much more likely to commit offline crime and delinquency than females [58].

Limitations and Future Research
Notwithstanding this study's findings, the results should be considered in light of this study's limitations.First, as the survey used a cross-sectional design, future research could consider a longitudinal study to examine how behaviours and associated factors change over time.This would corroborate this study's cross-sectional findings about associated factors and add further understanding about changing motivations and how online risky behaviours escalate to criminal acts.
Second, this survey was a self-report measure, which can elicit answers that are influenced by social desirability; however, this was somewhat mitigated by the use of an anonymous online survey design.Future studies may consider a measure of social desirability as a moderating factor.Third, hackers are not one homogenous group; hackers differ according to the legality of their activity (i.e., illegal 'black hat' hackers and ethical 'white hat' hackers), their skill level, and their ideology [68].Given the heterogeneity in the hacker population, further work is needed to systematically explore what human factors apply to large groups (e.g., across multiple different hacker types), specific subtypes, or even small groups of individuals (e.g., high-profile female criminal hackers).Further TPB models that differentiate between different hacking behaviours or alternative methods, such as latent variable analysis or factor analysis, could help differentiate between the profiles of these different groups.
Fourth, the present study focussed on older adolescents (16-19-year-olds); however, there is evidence that hacking behaviours could start as early at nine years of age [37].Furthermore, when conceptualising youth populations, there is some evidence that the risk-taking typically associated with adolescence is in some part caused by brain maturation processes that continue into the mid-20s [1], therefore moving the conceptual age of adulthood to approximately 25.Therefore, extending the age range could test the age-crime curve relationship and the hypothesised natural desistance of the majority of hackers by their mid-20s [25,53,54].
Fifth, future studies may consider the incorporation of other factors, such as victimisation leading to perpetration [85], and a combined TPB model of both human factors and technical factors to concurrently assess and parse to what extent human and technical drivers are associated with criminal hacking.
Sixth, whilst this study was conducted in nine European countries, a limitation of this study is that the survey did not include former Soviet satellite countries, where organised criminal hacking (in groups) is more prevalent; arguably, this would be a very interesting follow-on study.
Finally, a future study could replicate this study with a smaller but probabilistic sample to assess to what extent our findings are generalisable to the wider population.By collecting these samples within multiples countries, future studies can definitively assess differences across countries.

Application of Findings
A unique contribution of this study was to determine that gender and offline deviant behaviours are strong predictors, being significantly associated with the majority of the constructs and covariates within this model, including hacking behaviour and intention, constructs within the TPB conceptual framework, as well as demographics and human factors.This is a unique finding, as the explanatory power of these predictors was assessed concurrently against other demographic variables and human factors.Therefore, this finding suggests that these two factors (gender and involvement in offline deviant behaviour) may prove salient mechanisms for intervention programmes for those already engaged in hacking behaviours.These findings have significant implications for both law enforcement and intervention mechanisms.Firstly, these findings indicate that there is little sharp division between offline and online crime; rather, these findings point towards a general propensity for engaging in risky and criminal behaviour.This suggests a significant shift in how cybercrime, in particular technical cybercrimes like hacking, are conceptualised, investigated, and legislated.Secondly, this finding suggests that targeted interventions should be directed at specific at-risk populations, in this case, delinquent young adult males.
With regard to reducing hacking intentions, and thereby the occurrence of the actual behaviour, aside from offline delinquency and gender, as previously identified, the adapted TPB Model of Criminal Hacking as a framework suggests there are many possible vectors to target to stage interventions, including directly addressing the cognitive processes themselves (TPB constructs: attitudes, subjective norms, and perceived behavioural control), as well as the factors significantly associated with these cognitive processes, including risk-seeking, online disinhibition, and age.A key observation (shown in Figure 1) is that the strongest predictor of intention within the TPB framework is the SN of parents.Therefore, educating parents about online risk may prove to be a particularly effective intervention methodology, in terms of education and awareness-raising initiatives.
Also, through the subjective norms of friends and internal attitudes and beliefs, the intention to hack could be further influenced, i.e., utilising the combined effect of TPB cognitive constructs.Therefore, it is imperative at the policy level to design education and awareness-raising initiatives for young people to be deployed within a formal educational setting.These initiatives should focus on educating young people about the risks associated with online crime; fostering appropriate beliefs and attitudes towards criminal behaviour online; and upskilling and encouraging young people to use technology in safe and legal ways.Furthermore, widespread awareness-raising campaigns should also focus on educating young people on these key issues.For example, the findings of this paper were translated into education and awareness-raising materials and were disseminated broadly through Europe, launched as part of Safer Internet Day 2023 [86].

Conclusions
Despite the complexity of the behaviour of interest (hacking), this study has formulated a powerful predictive model of youth hacking intention (accounting for 38.8% of the variance) and behaviour (accounting for 33.6% of the variance).Overall, the TPB conceptual framework proved to be a powerful paradigm to form an adapted TPB model to predict hacking intention and behaviour, incorporating and importantly being able to concurrently assess different cyberpsychological, psychological, and criminological factors.With regards to application, this approach has identified multiple possible vectors with which to stage interventions in relation to human factors, either to tailor interventions to most at-risk groups (e.g., older teen males) or to intervene on strong predictors of behaviours (e.g., parental attitudes or teens known to be engaging in offline deviancy).

Figure 1 .
Figure 1.An adapted TPB Model of Criminal Hacking.Note: all reported coefficients outside brackets are standardised values, adjusted for the influence of gender and age.Non-significant paths are not shown.** p < 0.01; *** p < 0.001.The results of the fit statistics of the subsequent model indicate an adequate model fit: chi square (548) = 3740.55,p < 0.001, CFI = 0.96, TLI = 0.96, RMSEA = 0.040 (C.I. 90%: 0.039-0.041),SRMR = 0.080.The authors' analyses reveal that attitude, subjective norms (friends and parents), perceived behavioural control, disinhibition, offline deviant behaviour, and risk-seeking, together with the covariates gender and age, account for 38.8% of the variance in hacking intention, and when combined with intention, explain 33.6% of the variance in young people's engagement in hacking.The results of the structural model are presented in Figure 1.

Figure 1 .
Figure 1.An adapted TPB Model of Criminal Hacking.Note: all reported coefficients outside brackets are standardised values, adjusted for the influence of gender and age.Non-significant paths are not shown.** p < 0.01; *** p < 0.001.The results of the fit statistics of the subsequent model indicate an adequate model fit: chi square (548) = 3740.55,p < 0.001, CFI = 0.96, TLI = 0.96, RMSEA = 0.040 (C.I. 90%: 0.039-0.041),SRMR = 0.080.The authors' analyses reveal that attitude, subjective norms (friends and parents), perceived behavioural control, disinhibition, offline deviant behaviour, and risk-seeking, together with the covariates gender and age, account for 38.8% of the variance in hacking intention, and when combined with intention, explain 33.6% of the variance in young people's engagement in hacking.The results of the structural model are presented in Figure 1.

Table 2 .
Item content and descriptive statistics.

Table 3 .
Correlations among the constructs.