This article analyzes the traditional threat model for cybersecurity and proposes a new model that considers scalability and financial motivation. In the new threat model, the author splits cybercrime into two categories: financial and non-financial. The financial category further divides into scalable and non-scalable. The author presents a formula for financially motivated attackers and concludes that “the average gain minus average cost of an attack must be positive.”
The author points out, “when we ignore attacker constraints, we make things more difficult than they need to be for defenders.” Some potential attacks should be minimally addressed, since they will be threats that pose no gain for financially motivated attackers. Through an analysis of “the difficulties of profitably finding targets and monetizing them,” the author presents a new approach to analyzing potential cybercrimes.
I recommend this article to researchers in the cybercrime area since it provides a potentially useful new threat model. If we adopt the new threat model, we will be able to save on costs by defending attacks at scale and also be able to fully understand the motivations of attackers.