“The profit is far higher for scalable attacks,” said Cormac Herley of Microsoft Research. “The rewards are growing linearly and the costs are growing sub-linearly. In that case, you attack everyone as often as possible.”

In a presentation on his paper titled “The Plight of the Targeted Attacker in a World of Scale,” Herley pointed out that scalable attacks are still relatively successful and do not require as much effort, making them more lucrative for cyber criminals.

“Non-scalable attacks have to be selective attacks. Every attack costs you something,” he said. “If the non-scalable attacks can’t match the return of the scalable attacks, she should change tactics. At equal costs, she needs a way better yield. But competing on yield makes no sense because when she extracts the same value per victim, there’s too much effort.”

The cost of creating a target attack dwarfs the gains, according to Herley.

“Elaborate non-scalable attacks fail to happen because the benefit to the attacker is far less than the cost we represent to the attacker,” he said. “Most users never see most attacks.”