Cybercrime Doesn't Pay As Much As You'd Think

Cybercrime may be where the money is, but the average cybercriminal doesn't make big bucks: He or she brings in about $30,000 per year, according to a new study by the Ponemon Institute. That's about one-fourth the average salary of a legitimate security professional, the study says.

The "Flipping The Economics of Attacks" report, published today and commissioned by Palo Alto Networks, surveyed more than 10,000 hackers across the white hat, grey hat, and black hat realms. The report is based on a sample of more than 300 respondents, who hailed mainly from the US, UK, and Germany and, according to Ponemon, are skilled hackers -- some of whom had converted to the white hat side. It's likely that some respondents were from other parts of the world, including Eastern Europe, however, Ponemon says.

Larry Ponemon, chairman and founder of the Ponemon Institute, says a criminal hacker's income was definitely much lower than he had expected. "The perception by some is that they do this 'work,' make a lot of money and then retire at an early age. But they have to work very hard for a small income," he says.

The top of the cybercrime hierarchy, typically organized crime syndicates, profit most from cyber attacks. "That's maybe about one percent. The vast majority doing the day-to-day stealing aren't making the big money," says Scott Simkin , senior threat intelligence manager at Palo Alto Networks. "The truth of the matter is they are not all going to make hundreds of thousands of dollars."

But Tom Kellermann, chief cybersecurity officer at Trend Micro, says some data in the study may be a bit skewed since it doesn't appear to include data from hackers in Russia, Brazil, and China, for example. "They are the ones that leverage the most pernicious targeted attacks," he says. The report appears to be drawn more from "opportunist" attackers than organized cybercrime gangs going after the Fortune 1000, for example, he says.

Nearly 75% of the hackers in the survey say attackers look for weak, easy, and less costly targets to hit, and a skilled attacker after about one week will halt his hack against a target if he doesn't score a successful attack in that timeframe. An attacker takes about 147 hours to plan and pull off an attack against a well-secured enterprise, but only 70 hours to execute one with "typical" security.

"It's getting easier for a large percent of attackers" because of their improving skills, and free and widely available tools, Ponemon says.

Still, even if an attacker gives up on his target, he can try coming through a link in the target's supply chain, notes Trend Micro's Kellermann.

Think retailer Target, whose HVAC vendor was the weak link that doomed the big-box store in its epic data breach.

"Spear phishing still represents the majority of attacks. The rest are leveraged through watering hole attacks, malvertising, and mobile," Kellermann says.

More than half of the hackers in the survey say sharing threat intelligence is one of the best ways to prevent or thwart an attack, and some 40% of attacks can be stopped with the sharing and deployment of threat intel. The full report is available for download.