
Security, cybercrime, and scale

Published: 01 September 2014

Abstract

Defense begins by identifying the targets likely to yield the greatest reward for an attacker's investment.



Reviews

De Wang

This article analyzes the traditional threat model for cybersecurity and proposes a new model that considers scalability and financial motivation. In the new threat model, the author splits cybercrime into two categories: financial and non-financial. The financial category further divides into scalable and non-scalable. The author presents a formula for financially motivated attackers and concludes that “the average gain minus average cost of an attack must be positive.” The author points out, “when we ignore attacker constraints, we make things more difficult than they need to be for defenders.” Some potential attacks should be minimally addressed, since they will be threats that pose no gain for financially motivated attackers. Through an analysis of “the difficulties of profitably finding targets and monetizing them,” the author presents a new approach to analyzing potential cybercrimes. I recommend this article to researchers in the cybercrime area since it provides a potentially useful new threat model. If we adopt the new threat model, we will be able to save on costs by defending attacks at scale and also be able to fully understand the motivations of attackers.

Online Computing Reviews Service


Published in

Communications of the ACM, Volume 57, Issue 9
September 2014
94 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/2663191
Editor: Moshe Y. Vardi

Copyright © 2014 ACM

Publisher

Association for Computing Machinery, New York, NY, United States


Qualifiers

• research-article
• Popular
• Refereed
