QOTD - Economics of Targeted Attacks

The cost of non-scalable attacks is such that very few users are targeted. It further suggests a security investment strategy for Internet users: all scalable [i.e. non-targeted] attacks should be addressed first. Consider the case where Alice’s [a potential victim] email account can be harvested for value $200 by a non-scalable attacker [i.e. a targeted attack]. Alice’s avoidance of harm depends not so much on her security investments, but on the relative worthlessness of other email accounts, from which hers cannot be distinguished. -- Cormac Herley of Microsoft Research, who presented a paper entitled "The Plight of the Targeted Attacker in a World of Scale," at the 2010 Workshop on the Economics of Information Security.

Src: Ninth Workshop on the Economics of Information Security (WEIS 2010) program (PDF)

