From Cool to Cash - An economic perspective on Cyber Crime

As the sophistication of cyber crime exploits has increased, the security industry has applied a technical and process mindset when dealing with them.  These efforts have been frustrated by the variability, availability, and affordability of these exploits.  These product characteristics point to an economic dimension of the cyber battlefield.

Microsoft's Roger Halbheer observed that the economic incentives of cyber attacks are enhancing the related profit motive.  "Today these attacks are not about vandalism any more, today it's about cash."  The increasing number of unemployed information security professionals who use their skills to compromise security underscores Mr. Halbheer's comments.

Peter Guerra's presentation “How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession” will outline the economic factors influencing cyber crime and the implications for security professionals.  In spite of legislative attempts to control aspects of cyber crime, such as the CAN-SPAM Act, there are factors that continue to create incentives for criminals to exercise these tools:

Low barrier of entry into the crime market
Ready-made exploits are readily available at a reasonable price.  Given this low cost of entry into the market, the opportunity cost of not getting involved is significant.

Business metrics focus on the availability of data, not the other components of the CIA triad.
Cyber criminals profit from their target's information.  While some criminals have opted to perform Denial of Service attacks on their targets, this tactic diminishes the long-term potential of attacking the integrity and confidentiality of that information.

As assurance professionals, we are charged with the protection of knowledge assets.  We must consider all the factors that create incentives for our adversaries.  This knowledge is critical for creating effective controls to counter the threats.  By applying a different way of thinking about the cyber crime risk, we might find novel solutions.

Copyright © 2009 IDG Communications, Inc.
