Misunderstanding the Economic Factors of Cybercrime

A new study by Cambridge Cybercrime Centre titled Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies concludes that cybercrime is boring and recommends authorities change their strategy to highlight the tedium in order to dissuade the growth of cybercrime.

Warning: Full-blown rant ahead, as I am frustrated with reports such as this 

Limited focused research, which does not look at the big picture as it evolves, leads readers to poor conclusions that are oversimplified and not couched in reality.

Do these researchers really think that cybercrime is driven by motivations about it being sexy, a fun work environment, or exciting?  This report suggests that if we market cybercrime roles as being tedious, then people will not go down that path.  Ha!

Wake up!  The vast majority of cybercrime is motivated by personal financial gain.  Period.  Additionally, the massive number of new followers of digital crime won’t care about tedium or the opinions of people that live a lifestyle where convenience plays a significant role in how to put food on the table.

Throughout history organized crime has aligned to a pyramid model where the greatest number of participants are at the bottom, doing grunt jobs.  They are poorly compensated, take on more risk, terribly treated, and generally suffer in their daily grind.  Most don’t aspire to be there, rather they do it because there are not better options. 

This report misses the bigger picture!

Consider that one million people join the Internet every day.  The majority of the next billion that will come online will be from economically struggling regions where people hustle to scratch a living every day.  Unemployment is high and there are almost no opportunities to make money.  Half the world makes less $10 a day and over 10% live on less than $2 a day.  Even a basic job as a mule, social engineer, CAPTCHA reader, ransomware distributor, phishing scammer, etc. will make many of these people more money than they could otherwise.  The people in warehouses that support click-farming, earning pennies, aren’t there because they want to be. They simply don’t have many options to earn a wage.  They do what is necessary to subsist.  Much of the next billion people joining the internet will see connectivity as a doorway for more opportunities to stay afloat. 

Unfortunately, cybercrime will see an explosion over the next few years as people with the greatest needs see the Internet as an opportunity to sustain their family. Some estimates are as high as $6 trillion in overall impact.  Cybercrime-as-a-Service is positioned for tremendous growth as it allows for people to join the support base of online criminal groups, without any requirements for hacking skills.  The pay is low and the work is grinding, but the rewards may far exceed what is available to them otherwise.  It does not matter if law enforcement communicates that such roles are boring for the majority of those joining the bottom ranks.

Discussions from people, in economically wealthy countries, about tedium is irrelevant and myopic when the greater scale is evaluated.  For many millions of people, cybercrime will be an avenue for subsistence.  For these people, the economics of survival and scarcity of alternative opportunities will drive decisions. This is the realistic risk we must address. 

Interested in more? Follow me on LinkedIn, Medium, and Twitter (@Matt_Rosenquist) to hear insights, rants, and what is going on in cybersecurity.

Image by Colin Behrens from Pixabay