Often when we talk about cybercrime and cybercriminals, we discuss how much money is being made by the bad guys or how valuable your information is on the black market. But have we thought much about the real economics behind cybercrime?
Researchers at Palo Alto Networks and Ponemon Institute decided to investigate that question. The report “Flipping the Economics of Attacks” looked at issues such as the average earnings of a cyberattacker, the amount of time attacks typically take, and how to prevent successful data breaches by increasing the cost of conducting them.
The takeaway may be this: Cybercrime doesn’t pay – at least not as much as we think – from the cybercriminal perspective. As the report discovered, cybercriminals would be better off turning their knowledge toward white hat activities. The average cybercriminal earns less than $30,000 annually, about a quarter of a cybersecurity professional’s average yearly wage.
And since I’m pulling out clichés, here is another that can be used with this study: Time is money. The study found that:
The longer an organization can keep the attacker from executing a successful attack, the stronger its ability to safeguard its sensitive and confidential information. The inflection point for deterring the majority of attacks is less than two days (40 hours) resulting in more than 60 percent of all attackers moving on to another target.
Cybercriminals go after easy targets, as 73 percent of the respondents said they search for easy, “cheap” targets. Seventy-two percent of survey respondents said they won’t waste time on an attack that will not quickly yield high-value information, and attackers will give up and move on to another target after spending approximately a week (209 hours) without success. As Dr. Larry Ponemon, chairman and founder, Ponemon Institute, said in a formal statement:
The survey illustrates the importance of threat prevention. By adopting next-generation security technologies and a breach prevention philosophy, organizations can lower the return on investment an adversary can expect from a cyberattack by such a degree that they abandon the attack before it’s completed.
Benjamin Franklin is credited with the theorem “an ounce of prevention is worth a pound of cure.” It certainly fits this idea of a preventive approach to cybersecurity – if the tools and systems are in place that discourage the bad guys and make it harder to enter your network, they may just go away because they’ll find that it just isn’t economically worth their while.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.