Security, Cybercrime and Scale

In a traditional threat model it is necessary and sufficient to protect against all attacks. While simple, and appropriate in high-assurance settings, we show that this model does not scale and is entirely inappropriate to the financially-motivated cyber-crime that targets two billion Internet users. The attackers who prey on Internet users are very constrained. They have finite gains, non-zero costs, and must make a profit in expectation. Above all, their techniques must scale. This means that they must have attacks with scalable costs or efficient ways of finding viable targets in a large population. We show that many technically possible attacks are economically infeasible. We show that incorporating target selection and monetization, in addition to an attacker’s technical constraints, offers new directions on how defense tradeoffs can be made.