Hacker Economics: Opportunity Costs and Attacker Attention Spans
Jan 7, 2014
When we think about criminal hackers, we picture a techie who lives and breathes code. The game player, puzzle solver, master of manipulation. But more recently, another picture comes to mind. When you get right down to it, hackers are people, too.
Too often, we focus on the technical side of online threats. We head straight down to the technique level of SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), you name it. We think sessions, authorization, authentication, proxies, or query string manipulation. But in doing so we tend to overlook the true root cause of the exploitation, which is less about the hack and more about the hacker.
Perhaps the time has come to start taking advantage of the human factor and to modify our perspective and perception. It's time to hit hackers where it hurts—and that's with their time and money. If there's one thing hackers don't like, it's dealing with tasks they perceive to be a waste of valuable time. And if there's one thing hackers usually don't have a lot of, it's patience. They want quick results, gain, and cash in their pockets.
So considering their economic motivation, what can we do? We can find ways to increase the time, effort, and opportunity costs associated with compromising websites, data centers, and networks. We can employ an important, effective, and underutilized security tool: the ability to waste their time and devalue their efforts.