How much does it cost technically proficient adversaries to conduct successful attacks, and how
much do they earn? In Flipping the Economics of Attacks, sponsored by Palo Alto Networks, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.
In this study, we surveyed 304 threat experts in the United States, United Kingdom and Germany.
We built this panel of experts based on their participation in Ponemon Institute activities and IT security conferences. They were assured their identity would remain anonymous. Twenty-one percent of respondents say they are very involved, and 79 percent of respondents are involved in the threat community. They are all familiar with present-day hacking methods.
Here are the key findings:
Attackers are opportunistic. Adversaries go after the easiest targets first. They won’t waste time on an attack that will not quickly result in a treasure trove of high-value information,
according to 72 percent of respondents. Further, attackers will quit when the
targeted company has a strong defense, according to 69 percent of respondents.
Cost and time to plan and execute attacks is decreasing. According to 53
percent of respondents, the total cost of a successful attack has decreased, driving
even more attacks across the industry. Similarly, 53 percent of respondents say
the time to plan and execute an attack has decreased. Of these 53 percent of
respondents who say it takes less time, 67 percent agree the number of known
exploits and vulnerabilities has increased, 52 percent agree attacker skills have improved and 46 percent agree hacking tools have improved.
Increased usage of low-cost and effective toolkits drives attacks. Technically proficient
attackers are spending an average of $1,367 for specialized toolkits to execute attack. In the
past two years, 63 percent of respondents say their use of hacker tools has increased and 64
percent of respondents say these tools are highly effective.
Time to deter the majority of attacks is less than two days. The longer an organization can
keep the attacker from executing a successful attack the stronger its ability to safeguard its
sensitive and confidential information. The inflection point for deterring the majority of attacks is less than two days (40 hours) resulting in more than 60 percent of all attackers moving on to
Adversaries make less than IT security professionals. On average, attackers earn $28,744
per year in annual compensation, which is about one-quarter of a cybersecurity professional’s
average yearly wage.
Organizations with strong defenses take adversaries more than double the time to plan
and execute attacks. The average number of hours a technically proficient attacker takes to plan and execute an attack against an organization with a “typical” IT security infrastructure is less than three days (70 hours). However, when the company has an “excellent” IT infrastructure the time doubles to an average of slightly more than six days (147 hours).
Threat intelligence sharing is considered the most effective in preventing attacks.
According to respondents, an average of 39 percent of all hacks can be thwarted because the
targeted organization engaged in the sharing of threat intelligence with its peers.
Investments in security effectiveness can reduce successful attacks significantly. As an
organization strengthens its security effectiveness, the ability to deter attacks increases, as
shown in this report.
The following are recommendations to harden organizations against malicious actors:
- Create a holistic approach to cyber security, which includes focusing on the three important
components of a security program: people, process and technology.
- Implement training and awareness programs that educate employees on how to identify and protect their organization from such attacks as phishing.
- Build a strong security operations team with clear policies in place to respond effectively to
- Leverage shared threat intelligence in order to identify and prevent attacks seen by your
- Invest in next-generation technology such as threat intelligence sharing and integrated
security platforms that can prevent attacks and other advanced security technologies.