SAN FRANCISCO--Thanks to breathless news reports and over-the-top portrayals on TV and in movies, people tend to think of the dark web as a terrifying underground network frequented by master criminals who inexplicably only wear black hoodies while buying and selling truckloads of credit card numbers. The reality is much less interesting but still represents a real threat to individuals and organizations, and some researchers are beginning to look at it through the lens of economics rather than information security.
“I think of the dark web as a really big, really weird flea market. Cybercriminals think of themselves as entrepreneurs. They value freshness in the data they’re selling and customer service is very important. On the dark web, customer service is the currency,” Munish Walther-Puri, founder of Presearch Strategy, said in a talk on dark web economics and analytics at the Enigma conference here Tuesday.
For both enterprises and individuals, putting a value on their data can be difficult. Enterprises have information such as customer details, payment card data, employee records, and intellectual property that all has concrete value for attackers, and individuals have their own sensitive personal and financial information to protect. But there are also less-tangible things that are just as valuable, such as a corporate brand identity or the loss of personal privacy that comes with being the victim of a data breach or other intrusion. Putting a monetary value on those is much more difficult than it is for card data or Social Security numbers.
Walther-Puri suggested that researchers and the security industry need to change the way they think about data breaches, both in terms of their effects on victims and the value of the data to attackers.
“Our current model of how we think about sensitive data is outmoded and broken. Cybercriminals have created a market for how to value that data,” he said. “We need to reframe data breaches. Loss aversion can be more powerful than the urge to acquire something. People tend to think about privacy risk more seriously when it’s tied to financial risk.”
To help move that shift in thinking along, Walther-Puri suggested enterprises and individuals consider five questions as they relate to their data:
How easily can it be changed?
How unique is it?
How does it relate to other data?
How often is it updated?
How detailed is it?
Criminals have their own criteria for valuing data, and they’re not necessarily the same as the ones individuals might have, or even the same across different criminal groups. But there’s definitely overlap. For example, criminals place high value on unique and highly detailed data. Information that can be changed easily, such as a username, isn’t quite as valuable. And there’s an emerging market for location data, one that Walther-Puri believes is likely to continue to expand.
“We continue to see location data as being very valuable. It’s a record and it’s constantly updated,” he said. “There’s a real sense of freshness there. We haven’t seen it yet with biometrics, but it might be only a matter of time.”
Walther-Puri said one of the issues with figuring out how to value data and privacy in general is that they’re abstract concepts and many people have a difficult time grasping them. He likened it to the problem of climate change and said there needed to be something concrete that people could identify with to help grasp the scope of the problem.
“You start talking about data, and people lose it. We need something like the polar bears for data breaches. If you wanted to design a problem that humans would not care about, you couldn’t do better than climate change,” he said. “It’s slow moving and gradual. But if you point to the polar bears and say we have to save them, people understand that. Control over privacy is very similar. People need something to hook on to the problem and grasp it.”