Crime Pays If You Are Just an Average Hacker

This study investigates the effects of incentive and deterrence strategies that might turn a security researcher into a malware writer, or vice versa. By using a simple game theoretic model, we illustrate how hackers maximize their expected utility. Furthermore, our simulation models show how hackers' malicious activities are affected by changes in strategies employed by defenders. Our results indicate that, despite the manipulation of strategies, average-skilled hackers have incentives to participate in malicious activities, whereas highly skilled hackers who have high probability of getting maximum payoffs from legal activities are more likely to participate in legitimate ones. Lastly, according on our findings, reactive strategies are more effective than proactive strategies in discouraging hackers' malicious activities.

[1]  Orly Turgeman-Goldschmidt Hackers' Accounts , 2005 .

[2]  Gianfranco Walsh,et al.  Electronic Word-of-Mouth: Motives for and Consequences of Reading Customer Articulations on the Internet , 2003, Int. J. Electron. Commer..

[3]  G. Stigler The Economics of Information , 1961, Journal of Political Economy.

[4]  Christopher P. Krebs,et al.  Drug Control Policy and Smuggling Innovation: A Game-Theoretic Analysis , 2003 .

[5]  Su-Houn Liu WHY PEOPLE BLOG: AN EXPECTANCY THEORY ANALYSIS , 2007 .

[6]  Jacqueline D. Lipton What Blogging Might Teach About Cybernorms , 2010 .

[7]  Chris Kanich,et al.  Spamalytics: an empirical analysis of spam marketing conversion , 2009, CACM.

[8]  Rüdeger Baumann,et al.  Games of Strategy , 1982 .

[9]  Cormac Herley,et al.  Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy , 2009, WEIS.

[10]  Lawrence E. Cohen,et al.  SELF-INTEREST, EQUITY, AND CRIME CONTROL: A GAME-THEORETIC ANALYSIS OF CRIMINAL DECISION MAKING , 1995 .

[11]  Charles Miller,et al.  The Legitimate vulnerability market: the secretive world of 0-day exploit sales , 2007, WEIS.

[12]  Johannes M. Bauer,et al.  The Role of Internet Service Providers in Botnet Mitigation an Empirical Analysis Based on Spam Data , 2010, WEIS.

[13]  Tyler Moore,et al.  Measuring the Cost of Cybercrime , 2012, WEIS.

[14]  Roderic Broadhurst,et al.  Developments in the global law enforcement of cyber‐crime , 2006 .

[15]  Sheng Gao,et al.  Knowledge sharing community in P2P network: a study of motivational perspective , 2004, J. Knowl. Manag..

[16]  M. Dufwenberg Game theory. , 2011, Wiley interdisciplinary reviews. Cognitive science.

[17]  Paul A. Taylor,et al.  Hackers: Crime in the Digital Sublime , 1999 .

[18]  Christopher Krügel,et al.  Is the Internet for Porn? An Insight Into the Online Adult Industry , 2010, WEIS.

[19]  R. Clarke,et al.  UNDERSTANDING CRIME DISPLACEMENT: AN APPLICATION OF RATIONAL CHOICE THEORY , 1987 .

[20]  Chris Kanich,et al.  No Plan Survives Contact: Experience with Cybercrime Measurement , 2011, CSET.

[21]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[22]  Cormac Herley,et al.  Why do Nigerian Scammers Say They are From Nigeria? , 2012, WEIS.

[23]  Cormac Herley,et al.  So long, and no thanks for the externalities: the rational rejection of security advice by users , 2009, NSPW '09.

[24]  Xinwei Wang,et al.  What Mobilizes Information Contribution to Electronic Word-of-Mouth System ? Explanations from a Dual-Process Goal Pursuit Model , 2005 .

[25]  Stefan Savage,et al.  An analysis of underground forums , 2011, IMC '11.

[26]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[27]  Stefan Savage,et al.  Manufacturing compromise: the emergence of exploit-as-a-service , 2012, CCS.

[28]  J. Bauer,et al.  Economics of Malware: Security Decisions, Incentives and Externalities , 2008 .

[29]  N. Rubén,et al.  The Market for Lemons , 2011 .

[30]  Stefan Savage,et al.  An inquiry into the nature and causes of the wealth of internet miscreants , 2007, CCS '07.

[31]  Manfred Kochen,et al.  On the economics of information , 1972, J. Am. Soc. Inf. Sci..