Simple Economics is the Answer to Cyber Attacks

This was written by Michael W. Cheek on Wednesday, June 9, 2010, 9:51.

Carefully crafted targeted attacks using social engineering can be extremely difficult for users to detect. However, despite the rise in the use of social engineering, most people are still receiving generic spam campaigns instead. Why? Economics provides the answer, according to a Microsoft researcher speaking at the WEIS 2010 workshop.

“The profit is far higher for scalable attacks,” said Cormac Herley of Microsoft Research. “The rewards are growing linearly and the costs are growing sub-linearly. In that case, you attack everyone as often as possible.”

In a presentation on his paper titled “The Plight of the Targeted Attacker in a World of Scale,” Herley pointed out that scalable attacks are still relatively successful and do not require as much effort, making them more lucrative for cyber criminals.

“Non-scalable attacks have to be selective attacks. Every attack costs you something,” he said. “If the non-scalable attacks can’t match the return of the scalable attacks, she should change tactics. At equal costs, she needs a way better yield. But competing on yield makes no sense because when she extracts the same value per victim, there’s too much effort.”

The cost of creating a targeted attack dwarfs the gains, according to Herley.

“Elaborate non-scalable attacks fail to happen because the benefit to the attacker is far less than the cost we represent to the attacker,” he said. “Most users never see most attacks.”

1 Comment

  1. Quiero Adelgazar

    Very interesting news. Stop by my blog if you want. See you later!
