The Plight of the Targeted Attacker in a World of Scale

WEIS |

Despite neglecting even basic security measures, close to two billion people use the Internet, and only a small fraction appear to be victimized each year. This paper suggests that an explanation lies in the economics of attacks. We distinguish between scalable attacks, where costs are almost independent of the number of users attacked, and non-scalable (or targeted) attacks, which involve per-user effort. Scalable attacks reach orders of magnitude more users. To compensate for her disadvantage in terms of reach the targeted attacker must target users with higher than average value.

To accomplish this she needs that value be both visible and very concentrated, with few users having very high value while most have little. In this she is fortunate: power-law longtail distributions that describe the distributions of wealth, fame and other phenomena are extremely concentrated. However, in these distributions only a tiny fraction of the population have above average value. For example, fewer than 2% of people have above average wealth in the US. Thus, when attacking assets where value is concentrated, the targeted attacker ignores the vast majority of users, since attacking them hurts rather than helps her requirement to extract greater than average value.

This helps explain why many users escape harm, even when they neglect security precautions: most users never experience most attacks. Attacks that involve per-user effort will be seen by only a tiny fraction of users. No matter how clever the exploit, unless the expected value is high, there is little place for per-user effort in this world of mass-produced attacks.