Intel’s McAfee Security and The Center for Strategic and International Studies (CSIS) released a new report: Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity (PDF). After surveying 800 cybersecurity professionals, the authors concluded there is a major misalignment of incentives that gives cybercriminals a huge advantage. Some examples are:
- Structured corporate bureaucracies are unable to react fast enough to keep up with free-wheeling criminal enterprises;
- A disconnect exists between strategy and implementation of cybersecurity programs; and
- Different incentives for senior executives and those managing cybersecurity programs.
The report goes into detail about why each incentive gives cybercriminals an edge. Something else of interest is the report’s in-depth look at cybercriminals and why they have leapfrogged traditional corporate cybersecurity.
The black-hat hacker workforce is booming
The report’s authors state that, unlike above-ground businesses and their inability to find qualified cybersecurity professionals, cybercriminals have no trouble finding a willing and capable workforce. “The black hats have clearly designed incentives created by market forces, not by organizational fiat,” write the paper’s authors.
The underground economy also has an advantage when it comes to products. “The market economy of the criminal hacker ecosystem facilitates innovation, rapid adaption, and channels resources efficiently to the lowest cost and most profitable criminal enterprises,” write the authors. “Unlike the defensive market, in which the strictures of corporate hierarchy affect priority setting and decision making to create a slow, bureaucratic process (even in the best of companies), the criminal market is competitive, commoditized, and decentralized.”

The superior quality of black-hat hacker products
With sufficient qualified people to steal and/or create black-hat products, one might expect digital underground markets to be flourishing, and they are. What is less expected is the quality of the products. The report suggests that’s because the market is open and decentralized, forcing black-hat operators to create, steal, and sell only superior products in order to stay in business.
The authors add, “The top tier of the black market is comprised almost exclusively of elite technical specialists selling highly coveted zero-day vulnerabilities, intermediaries who specialize in high-dollar-value exploits that serve as brokers between buyers and sellers, and governments.”
That said, the less-elite, lower-tier black-hat markets are not doing that badly. There are plenty of buyers for stolen financial information, counterfeit goods, “exploits-as-a-service,” and spamming services.
Why cybercriminals are looking for specialists
Like above-ground security experts, cybercriminals recognize the need to employ specialists. The complexity of a corporate infrastructure, improved security systems, and increased awareness by potential victims make it difficult for cybercriminals to be proficient in all aspects of their trade. The report suggests the following are the most common specialties/professions:
- Programmers to develop malware;
- Web designers to create malicious sites;
- Tech experts to maintain the criminal infrastructure (servers, databases);
- Hackers to exploit system vulnerabilities and break into computer networks;
- Fraudsters to devise social engineering schemes (phishing, spam); and
- Intermediaries to collect data stolen from users, advertise it to other cybercriminals, and sell or exchange it for money or other illegal actions.
Also, as with above-ground cybersecurity teams, having to employ specialists means less money for the criminal masterminds. “Profits from criminal businesses are then divvied up among these specialists,” note the paper’s authors. “According to one law-enforcement expert, 80 percent to 90 percent of proceeds typically go to the supporting technical specialists and money mules, not to the criminals that devise the schemes.”
Vulnerabilities are highly sought after
One reason black-hat hacker markets are nimble and adaptable is that they have to be in order to leverage vulnerabilities before they are discovered and patched. “One study found that 42 percent of disclosed vulnerabilities are exploited by criminals within 30 days of disclosure, meaning that as these vulnerabilities are disclosed publicly, the criminal underground quickly adopts them into new attacks,” write the paper’s authors.
Figure A depicts the steps in a vulnerability’s life cycle, from discovery through exploitation to patching.
Figure A

That’s not to say publicly disclosed vulnerabilities, even those that have been known about for a while, are not leveraged. “Criminals are also opportunistic and focus their energies on the lowest-hanging fruit,” explain the paper’s authors. “Instead of investing in costly vulnerability research and exploit development, they take advantage of publicly disclosed vulnerabilities to exploit unpatched systems.”
What the good guys need to do
The report’s authors suggest what organizations need to do to catch up to cybercriminals:
- Security-as-a-Service can provide the necessary flexibility to counter Cybercrime-as-a-Service operations.
- Specialized consultants can augment the in-house team with expertise and focused resources when necessary.
- Performance incentives and recognition can encourage stronger defenses and faster patch cycles.
- Experimentation is necessary to determine the right mix of metrics and incentives for each organization.
An optimistic outlook for the cybersecurity problem
The good news, according to the report’s authors, is that most companies recognize the seriousness of the cybersecurity problem and are willing to address it. Still, the authors caution, “These processes [i.e., the tools suggested in the paper] will usually be slower and less nimble than the market forces that drive attackers. This is in some ways inevitable, but it can be minimized through organizational innovation.”