Abstract
Cyber threats incidents continue to escalate, and public and underground conversations about such incidents abound. Understanding this discourse is critical for cybersecurity policy, can help tackle important public issues and aid creation of defense mechanisms against cyber threats. Yet investigations of such conversations are scarce as discourses remain fragmented across platforms, limiting holistic understanding. This study applies Routine Activity Theory (RAT) to analyze 1.23 million posts from Twitter (now X), HackForums, and dark web. Using natural language processing, we map discourse to RAT components and compare its distributions across communities. Results show Twitter emphasizes offenders visibility, reflecting a narrative focused on attackers but with little discussion of defense. HackForums combines offender methods, target identification, disposal, and functions as a trading venue. Dark web highlight targets and disposal, treating stolen data as commodities in transactional discourse. Across platforms, guardianship discussions are scarce, underscoring a systemic communication gap. Our findings demonstrate each platform operates as distinct cyberthreat communication ecosystems. The study uses RAT to design a Cyber Threat Intelligence aggregator with implications for cybersecurity intelligence, and public communication strategies.
Recommended Citation
Bhatt, Paras; Valecha, Rohit; and Rao, H Raghav, "Analysis of Public and Underground Discourse for Cyber Threat Intelligence: A Routine Activity Theoretic Approach" (2025). WISP 2025 Proceedings. 14.
https://aisel.aisnet.org/wisp2025/14