The Economics of Cybercrime and the Law of Malware Probability
February 10th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Sam Curry of RSA (here) and I will be presenting on this topic at Source Boston Security Conference March 11-13th (here). The lineup looks fantastic and I’m excited about the opportunity to share this research. In the meantime and since we haven’t really completed or fully published the paper here is enough to start the dialogue and to elicit early feedback from the community, of which we fully expect the thrashing, laughing, giggling, finger pointing and jeering comments that I would so generously heap on your paper =)
Abstract
This paper proposes a set of formulas for assessing the likelihood of a given method of security attack’s launch over the Internet and the relative probability that an exploit will occur. Understanding these formulas and their component variables lead to a proposed Law of Malware Probability. Basically, the Law of Malware Probability states that as the attractiveness of a set of computers and the data they contain to a potential attacker increases, the likelihood of an attack against these resources increases. By contrast, as the costs and risks of an attack to the attacker increase, however, the likelihood of an exploit decreases. This can be described as follows:
The paper then discusses the factors and variables that make up the formula, the relationship of the attractiveness of an infrastructure to an attacker versus the costs and difficulties of carrying out an attack, considerations in assigning values to variables, validating the Law against observed real-world behaviors and implications of the Law for owners and managers of computing resources. The paper also proposes area of further investigation that could contribute to improving understanding of attacker and malware behavior.
You can downlaod the full paper (towards-a-law-of-malware-probability1)
