When Does Targeting Make Sense for an Attacker?
IEEE Security and Privacy
How do so many Internet users escape harm? The range of attacks is enormous and growing; we know that most users neglect even very basic defense measures. Yet things somehow muddle along: two billion people use the Internet and seem to derive more good from it than harm. If security is only as good as the weakest link, why don't worst-case outcomes happen regularly? Why isn't everyone hacked every day? The answer may lie in economics rather than technology.
Scalable and Non-scalable attacks
Let's segment attacks into two types, those that scale and those that don't. Scalable attacks have costs that grow much slower than linearly in the number, N, of users attacked. Doubling the number attacked causes the costs to increase by far less than a factor of two: (2N) << 2 (N). Thus, the cost of a scalable attack scarcely grows at all with the number attacked. Phishing is scalable, as is any attack that uses spam as the spread vector. Drive-by download attacks, self-replicating viruses and anything that can be completely automated would be scalable, as the cost has very little dependence on the number attacked. Scalable attacks have similar economics to a software product or information good in that first-copy costs dominate. Non-scalable attacks, by contrast, are everything else. Generally they have a linear cost dependence on N. Doubling the number attacked doubles the cost: (2N) ≈ 2 (N). Anything that requires per-user effort is non-scalable. Attacks that involve knowledge about the target aren't scalable. For example, the majority of the social engineering attacks described by Mitnick require elaborate target-specific effort. That certainly doesn't scale unless the information can be gathered by a script. Thus, learning the likely answers to backup authentication questions is not scalable. It is far from simple to gather the pet's name, favorite sports team or name of the favorite high-school teacher for a million users in an automated way. Physical side-channel attacks, which require proximity, aren't scalable: getting close to a million people costs a lot more than getting close to one. This segmentation into scalable and non-scalable attacks is obviously a simplification. Even spam has a linear cost component (e.g. gathering target addresses, finding enough machines and IP addresses to do the sending). However, first-copy costs dominate, so that doubling the
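The two cost regimes above can be made concrete with a small model. The following is an added example, not code or figures from the article: it assumes a scalable attack costs a large fixed "first-copy" amount plus a tiny marginal cost per target, and a non-scalable attack costs a roughly constant amount per target. All dollar figures are constructed placeholders chosen only to make the shape of the two curves visible; the functions then check the doubling behaviour the text describes and find the number of targets at which the scalable attack becomes the cheaper way to reach a population.

```python
# Added example: toy cost model for scalable vs non-scalable attacks.
# The first-copy and per-target costs are constructed placeholder values,
# not figures from the article.
from math import floor


def scalable_cost(n, first_copy=10_000.0, per_target=0.001):
    """Total cost of a scalable attack (e.g. a spam-driven campaign):
    a large fixed first-copy cost plus a tiny marginal cost per target."""
    return first_copy + per_target * n


def nonscalable_cost(n, per_target=200.0):
    """Total cost of a non-scalable attack (e.g. hand-crafted social
    engineering): linear in the number of targets."""
    return per_target * n


def doubling_ratio(cost_fn, n):
    """Factor by which cost grows when the number attacked is doubled.
    Approaches 1 for scalable attacks and stays at 2 for non-scalable ones."""
    return cost_fn(2 * n) / cost_fn(n)


def cost_per_target(cost_fn, n):
    """Average cost per target; for scalable attacks it falls as N grows,
    for non-scalable attacks it is flat."""
    return cost_fn(n) / n


def break_even_targets(first_copy=10_000.0, scal_marg=0.001, nonscal_marg=200.0):
    """Smallest N at which the scalable attack is cheaper in total than
    attacking the same N targets one at a time.
    first_copy + scal_marg*N < nonscal_marg*N  <=>  N > first_copy/(nonscal_marg - scal_marg)
    """
    return floor(first_copy / (nonscal_marg - scal_marg)) + 1


if __name__ == "__main__":
    print(f"{'N':>10} {'scal/target':>12} {'nonscal/target':>15} "
          f"{'scal x2 ratio':>14} {'nonscal x2 ratio':>17}")
    for n in (1, 100, 10_000, 1_000_000):
        print(f"{n:>10} {cost_per_target(scalable_cost, n):>12.3f} "
              f"{cost_per_target(nonscalable_cost, n):>15.3f} "
              f"{doubling_ratio(scalable_cost, n):>14.4f} "
              f"{doubling_ratio(nonscalable_cost, n):>17.4f}")
    print("scalable attack cheaper from N =", break_even_targets())
```

The table the script prints shows the point of the segmentation: the per-target cost of the scalable attack collapses toward its marginal cost as N grows, and its doubling ratio tends to 1, while the non-scalable attack's per-target cost and doubling ratio never move. The break-even function makes the "first-copy costs dominate" remark quantitative under these assumed numbers: below a few dozen targets the per-user attack is cheaper, above that the automated one is.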