There’s an old saying – attributed to Ben Franklin – that “guests, like fish, begin to smell after three days.” Hospitality, Franklin realized, was a perishable commodity.
Well, it turns out that the same might be said for stolen data. New research on cyber criminal networks from The University of Massachusetts finds that “time” is the key element in understanding the behavior of cyber criminals and cyber criminal networks. Stolen data has a “sell by” date.
The research is presented in a new paper: “A Multiproduct Network Economic Model of Cybercrime in Financial Services.” The paper, by Professor Anna Nagurney of the Isenberg School of Management at the University of Massachusetts, Amherst, models cybercriminal networks by looking at the interplay between three factors: the supply price, the transaction cost, and demand price functions. Nagurney’s model is novel because it figures in the “average time associated with illicit product delivery at the demand markets” so that the demand price goes down over time.
The notion that the value of goods decreases over time isn’t unusual. Every butcher or grocer contends with that reality daily. But Nagourney may be the first to attempt to model how the value of stolen data decreases with its “freshness” – the proximity to the theft event.
Nagourney’s model maps sources of theft (financial products) to destinations (illicit markets) and attaches associated costs of illicitly acquiring the data and customers to purchase the stolen data. The price at which it is sold in the end must account for those built-in costs.
Her research puts weight behind the oft-stated (but not studied) notion that cyber criminals aren’t shadowy super villans, but simply rational, economic agents. They make decisions about which targets to pursue by calculating the difference between the demand price that products (such as credit and debit cards) fetch and the associated costs of stealing and transacting them.
The goal is to identify ways to make it harder to attack financial organizations, thus raising the cost of obtaining the data – or ‘increasing transaction costs’ to use the language of economics. Her model allows researchers to show, graphically, how increasing or decreasing demand for stolen goods will affect the functioning of the criminal enterprise, overall.
Nagourney’s research was funded by a grant from the National Science Foundation (NSF) and the Advanced Cyber Security Center (ACSC). Her findings were first presented in September 2014 at a Workshop on Cybersecurity Risk Analysis for Enterprises, held at the Sloan School at MIT.
As cyber criminal activity has skyrocketed in the last decade, it has become a priority for both law enforcement and policy makers to understand the size and functioning of the cyber underground. Investigations of incidents like the breach at retailers Target and Home Depot have found links back to the same cyber criminal groups that help explain aspects of specific breaches and attacks.
However, most studies that try to look at cyber criminal activity as a whole come from private firms in the information security industry and lack rigor. In recent years, other researchers have looked at the operation of cyber criminal markets to try to understand their functioning. Notably, Cormac Herley of Microsoft Research has studied efforts to “size” cybercriminal marketplaces. His research found fault with common measures of the size of cybercriminal activity that extrapolate the amount of economic activity by looking solely at the activity of sellers on the cyber black market.
About Paul Roberts
More from the Digital Guardian Data Security Knowledge Base:
Forrester Future of Data Security
Security pros must take a data-centric approach over a traditional perimeter-based approach to ensure that security travels with the data.
Related ArticlesIf You Want an Apple Password, Just Ask Nicely
If you’re an iPhone user, you’re likely well acquainted with the system dialog boxes that iOS spits out on a regularTax Fraud Two-Step Starts with Phishing for W2s
A spate of spear phishing attacks aimed at harvesting employees’ W2s has direct links to tax ID fraud.What a script! Detecting and analyzing a Flash drive-by attack (Screenshot Demo)
Flash drive-by downloads and malvertising continue to be common attack vectors for malware infections. Here's a look at how these attacks can be detected and stopped based on behavioral characteristics.