For quite some time now, as Chief Security Advisor, I have been working to support Law Enforcement. We supply training, give technical support as needed and stay in close contact as soon as we decide to file a criminal complaint. This happens especially when we are phished (we being Hotmail) or some other criminal activity is directed at Microsoft or our customers.
This led me to the point where I started to ask whether the work I am doing in this area is actually targeted enough (meaning: do we actually make the Internet a safer place?) or whether it is just "operational hectic" – am I just helping the person shouting the loudest?
Let's take a moment and think about it:
There is an old model of 10:80:10 (no, not the 80:20 rule):
- 10% of the population would never commit a crime, no matter what.
- 80% of the population is opportunistic, meaning that if the value behind the crime is high enough and the risk of being caught is low, they would commit a crime. Having said this, it is completely clear that value and risk are subjective and often differ from person to person.
- 10% of the population would always commit crime, no matter what.
I leave it up to you to decide which group you belong to, but based on statistics I would assume that most of us are in the middle tier – depending on the stakes that are at risk.
Now, I said that the middle group would weigh value against risk, so let's look at this a little more closely. I recently discovered a formula on this subject:
Mb + Pb > Ocp + Ocm · Pa · Pc
- Mb: Monetary benefit for the attacker
- Pb: Psychological benefit for the attacker
- Ocp: Cost of committing the crime
- Ocm: Monetary cost of conviction for the attacker
- Pa: Probability of being apprehended and arrested
- Pc: Probability of conviction for the attacker
This formula was published in 1995 by Clark and Davies and, in my opinion, has not lost its significance in the time of the Internet.
This is the first time ever I have a call to action for you:
Whenever you are attacked, involve Law Enforcement and make sure that they start an investigation. This is the only way to make it riskier for the criminals to commit crime. If we just fight off the attackers and close vulnerabilities – what is the risk for the middle 80% in relation to the value? We have to change this equation, and we have to do it together.
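To make the point concrete, here is a small worked example of the Clark and Davies inequality. This is added illustration, not code from the original post, and all the numbers in it are constructed placeholders, not real figures for any attack. It lets you ask two questions: is a given crime "attractive" to the opportunistic middle group, and how high does the probability of apprehension (Pa) have to climb before it stops being attractive? It also compares the two levers the post talks about: raising the cost of committing the crime (Ocp, which is what closing vulnerabilities does) versus raising Pa (which is what an investigation does).

```python
"""Worked example of the rational-choice crime inequality
Mb + Pb > Ocp + Ocm * Pa * Pc  (Clark and Davies, 1995).

Added example; every numeric value below is a constructed placeholder."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CrimeCalculus:
    mb: float   # Mb: monetary benefit for the attacker
    pb: float   # Pb: psychological benefit for the attacker
    ocp: float  # Ocp: cost of committing the crime
    ocm: float  # Ocm: monetary cost of conviction for the attacker
    pa: float   # Pa: probability of being apprehended and arrested (0..1)
    pc: float   # Pc: probability of conviction (0..1)

    def benefit(self) -> float:
        """Left-hand side of the inequality."""
        return self.mb + self.pb

    def expected_cost(self) -> float:
        """Right-hand side: fixed cost plus the conviction cost weighted by risk."""
        return self.ocp + self.ocm * self.pa * self.pc

    def attractive(self) -> bool:
        """True when the opportunistic 80% would, by this model, commit the crime."""
        return self.benefit() > self.expected_cost()

    def break_even_pa(self):
        """Smallest Pa (holding everything else fixed) at which the crime stops
        being attractive. Solves Mb + Pb = Ocp + Ocm * Pa * Pc for Pa.
        Returns 0.0 if it is already unattractive and None if no apprehension
        probability in [0, 1] can deter it (e.g. Ocm or Pc is zero)."""
        denom = self.ocm * self.pc
        if denom <= 0:
            return None
        pa = (self.benefit() - self.ocp) / denom
        if pa <= 0:
            return 0.0
        if pa > 1.0:
            return None
        return pa

    def ocp_needed(self) -> float:
        """Cost of committing the crime at which it becomes unattractive if only
        the defensive lever (harder to attack) is pulled and Pa stays as it is."""
        return self.benefit() - self.ocm * self.pa * self.pc


def compare_levers(c: CrimeCalculus) -> dict:
    """Show both ways of flipping the inequality for the same scenario."""
    return {
        "attractive_now": c.attractive(),
        "pa_needed": c.break_even_pa(),
        "ocp_needed": c.ocp_needed(),
    }


# Constructed phishing-style scenario: modest payoff, high cost if convicted,
# but almost nobody is ever apprehended.
BASELINE = CrimeCalculus(mb=5000, pb=500, ocp=200, ocm=50000, pa=0.02, pc=0.6)

if __name__ == "__main__":
    print("baseline attractive:", BASELINE.attractive())
    print(compare_levers(BASELINE))
    # Same crime after an investigation raises apprehension probability to 20%.
    print("with Pa=0.2 attractive:", replace(BASELINE, pa=0.2).attractive())
```

Run it and the baseline comes out as attractive (benefit 5500 against an expected cost of only 800). Flipping the inequality purely through Ocp means making the attack cost more than 5300 to carry out, whereas raising Pa to roughly 0.18 does the same job with no change to the target at all. That is the equation the post wants changed, and Pa is the term that only an investigation can move.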
As my conclusion: I will continue my work with Law Enforcement to support their fight against the criminals, and I hope you join in.