Legislation, financially driven attackers, and high profile breaches have changed the economics of security. We need to rethink the motivations of attackers and the new attacker economy given a growing stolen identity information trade and the rise of organized electronic crime. We need to study hackernomics. This is a new term so allow me to offer a definition:
Hackernomics (noun, singular or plural): A social science concerned with description and analysis of attacker motivations, economics and business risk. It is characterized by five fundamental laws and eight corollaries.
Most attackers aren’t evil or insane; they just want something.
Some folks work on the premise that hackers are evil, but in reality most attackers are looking for weak targets and the path of least resistance. This is actually very good news and leads us to Corollary 1.a.
Corollary 1.a.:
We don’t have the budget to protect against evil people, but we can protect against people who will look for weaker targets.
This tells us that security as well as security theater -- the appearance of security -- are critical in reducing business risk. Many companies struggle with what level of investment to put into security. Entry-level security means barely passing compliance audits, but companies that just squeak by are unlikely to be spared from attacks if they hold valuable information. This means that entry-level security must be at least as high as industry norms, especially considering that if a breach does occur, the Federal Trade Commission will compare the victim’s security policy with industry “best practices.”
Attackers may attack you; auditors will show up.
Many organizations fear a compliance violation more than a breach. This is mainly because audits have created an impending event: someone will inspect security, which creates a much more compelling security business case than fear of a possible attacker.
Corollary 2.a.:
Security isn’t about protecting something completely; it’s about reducing a risk at some cost.
As an industry we don’t know how to make non-trivial systems 100% secure, but we can mitigate risks by investing wisely in training, process improvement and tools.
Corollary 2.b.:
In the absence of metrics, we tend to over-focus on risks that are either familiar or recent.