The Economics of Cyber Criminal Attack

Why is cybercrime exploding? What incentives drive attackers? Both cybercrime and cyber defense are human endeavors, so we must focus on incentives to understand attacker actions. Today one can argue that attacking is both cheaper and easier than defending. Thus, an attacker has no economic incentive to stop. Moreover, continued successful attacks create a financial incentive and a market for the exchange of successful exploits and stolen data.

The global cybersecurity criminal attack (buy-side) market earns $860B from online markets, $500B from intellectual property theft, $16B from data trading, $1.6B from crimeware-as-a-service, and $1B from ransomware[1]. Meanwhile, the global cybersecurity defense (sell-side) market is expected to grow from approximately $152.71 billion in 2018 to $248.6 billion by 2023, a CAGR of 10.2%[2].

As a result, organizations around the world have suffered the loss or theft of over 11.7 billion records in the past three years alone. The cybersecurity crisis is on the rise, and perimeter security doesn’t work. Today, an exploit is in the field for up to a year before detection, and within 20 to 40 minutes of the publication of a security patch, attackers will use the security patch as a template to create an exploit. The outcome? The average cost of a data breach in the U.S. has risen to $8.19 million in 2019[3].

These numbers show clearly that the attacker has an economic advantage over the defender and, further, that the seller of defense solutions is making a profit yet losing the war. Thus, those in the arms race win, while the defender (the organization or individual under attack) loses.


The Incentive behind the attack?

What is the incentive to attack? What is the economic model? Why is defense costing so much, yet failing in the actual engagement?

Software hackers seek errors in code, while software vendors try to improve software security and quality and to reduce design and coding errors. A software error causes a program to behave differently from its specifications, creating a vulnerability an attacker can exploit. Now here’s the core problem: all software applications of any meaningful size have bugs. Just ask Alan Turing, who proved in 1936 that a general algorithm to solve the halting problem for all possible program-input pairs could not exist[4].

There’s more to the story. For the bad actors, the real incentive is that a single vulnerability applies to all instances of a particular version of a piece of software. Why? All software today is distributed as a replica of a master image instance (a clone). The attacker gains a massive economic incentive, since the resources they expend to find a single cyber exploit can apply to millions of potential targets.


An example of attack incentives at play

Consider a simple example: a password management system. Humans are herd animals: by nature, we flock to the most successful product.

Due to the nature of current replicant software manufacturing processes, the most successful password management system is a prime target for attack. Why? The linear effort to crack it will yield exponential reward to the attacker:  every instance of the password application will be open to exploitation.

The same scenario applies to computer operating systems.  Attackers target Microsoft Windows for this reason.  It is the most popular operating system by deployment, so its exploitation garners the most significant economic reward. Many consider Linux to be more secure, yet this may not be for the perceived reason. It may only be due to the diversity of versions. As momentum grows within the Enterprise market for Linux, we see attacker interest growing; attackers focus on the leading candidate by usage. Why? Such action maximizes their return versus effort.


Financial Inhibitors and Potential Solutions

What is a potential solution? How can we change the economics of attack to reduce the reward of the attacker, and improve the outcome for the defender?

One option is to look to Nature. We already use biological analogies in the cyber domain.  We talk of “viruses” and “worms” since these attacks have analogs in Nature.  When building more advanced and automated cyber defenses, we can and should look to Nature.

In Nature, genetic diversity limits the spread of disease.  Each human’s DNA has much in common with every other human’s DNA, but there is enough diversity to ensure that an epidemic, while devastating, is not entirely apocalyptic.  We are all quite similar, yet as a race, we survive because we are not quite identical. The human species is not a monoculture.


Polyverse Approach:

At Polyverse, we mimic biological diversity in cyberspace.  Why? To eliminate the attacker’s asymmetric economic advantage at a fundamental level, we must change the costs to the attacker. At Polyverse, we make each operating system instance unique at a binary level.  Each running system instance functions appropriately, but there’s enough diversity to ensure that a single attack does not annihilate an entire “species” of operating systems or applications.

As a result, each attack must be unique, robbing the attacker of the economic incentive and advantage. Knowledge gained through the successful compromise of a single instance cannot be applied in the next attack, and the attacker is forced to concentrate resources, which reduces their ability to attack multiple systems at once. Why? Each operating system is now different. The result? We provide a continually moving target for attackers that mitigates risk even when no patch is available. We remove constant patch panic by reducing risk from the unpatched systems and distributing software patches as soon as they are released, and we enable detection, defense, and deterrence as a packaged solution.

Our goals are simple – to simplify customer patching, remove security monitoring overhead, and stop exploits that can exist for over a year before detection and patching.

No changes to the operating system or application source code are required — only the binary image changes through recompilation.  Thus, we have no performance overhead since we are not observing the system to defend it.  All changes are transparent to the user and developer, and logging, debugging, and all other functions operate as usual.



The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.