New research has revealed the full extent of the economics involved in cyber crime, with UK malware makers earning less than their foreign counterparts.
It is often thought that successful cyber attackers are in line for a big pay day, but the report says that this is not the case. The researchers calculated a return of $14,711 for each successful attack, and put the average number of successful attacks per year at 8.26.
From this data, and the percentage of successful attacks, it extrapolated that on average attackers earn $28,744 a year from cyber attacks for an average of 705 hours work.
This is ¼ of the average earnings of cyber security professionals.The report said that "the fully loaded hourly labor rate for an experienced IT security professional is $60.36".
Despite this seemingly low financial return, 69% of attackers in the study said that they were motivated by money, perhaps holding out hope they could be in line for a big pay day.
Davis Hake, director of cybersecurity strategy at Palo Alto Networks said: "As computing costs have declined, so too have the costs for cyber adversaries to infiltrate an organization, contributing to the growing volume of threats and data breaches. Understanding the costs, motivations, payouts, and finding ways to flip the cost scenario will be instrumental in reducing the number of breaches we read about almost daily and restoring trust in our digital age."
The report also revealed the full extent of the opportunism involved in cyber crime. 72% of adversaries said that they would not bother with an attack that did not quickly bring in high-value information, and 73% said that they looked for "cheap" easy targets.
Consequently, the report said that increasing the time it takes to conduct a successful attack is a powerful deterrent that organisations could employ. It found that an increase of 40 hours could eliminate up to 60% of attacks.
One of the ways to increase the time is to create a strong security posture. The research found that if an organisation has an "excellent" IT infrastructure, it can take 147 hours for a technically proficient cyber attacker to plan and execute an attack, double the 70 hours that it takes against those organisations with just a "typical" security setup.
The researchers found that, on average, after 209 hours attackers would quit an attack.
"The survey illustrates the importance of threat prevention. By adopting next-generation security technologies and a breach prevention philosophy, organizations can lower the return on investment an adversary can expect from a cyberattack by such a degree that they abandon the attack before it’s completed," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute
The Ponemon institute surveyed 304 participants in Germany, the UK, and the US, with 79% of those respondents saying they were involved in the hacker community.