


From Cool to Cash – An economic perspective on Cyber Crime

Jul 29, 2009 | 2 mins
Business Continuity, Careers, Data and Information Security

As the sophistication of cyber crime exploits has increased, the security industry has applied a technical and process mindset when dealing with them.  These efforts have been frustrated by the variability, availability, and affordability of these exploits.  These product characteristics point to an economic dimension of the cyber battlefield.

Microsoft’s Roger Halbheer observed that the economic incentives of cyber attacks are enhancing the related profit motive.  “Today these attacks are not about vandalism any more, today it’s about cash.”  The increasing number of unemployed information security professionals who use their skills to compromise security underscores Mr. Halbheer’s comments.

Peter Guerra’s presentation “How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession” will outline the economic factors influencing cyber crime and the implications for security professionals.  In spite of legislative attempts to control aspects of cyber crime, such as the CAN-SPAM Act, there are factors that continue to create incentives for criminals to exercise these tools:

Low barrier of entry into the crime market
Ready-made exploits are readily available at a reasonable price.  Given this low cost of entry into the market, the opportunity cost of not getting involved is significant.

Business metrics focus on the availability of data, not the other components of the CIA triad.
Cyber criminals profit from their target’s information.  While some criminals have opted to perform Denial of Service attacks on their targets, this tactic diminishes the long term potential of attacking the integrity and confidentiality of that information.

As assurance professionals, we are charged with the protection of knowledge assets.  We must consider all the factors that create incentives for our adversaries.  This knowledge is critical for creating effective controls to counter the threats.  By applying a different way of thinking about the cyber crime risk, we might find novel solutions.


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security; combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.