Thursday, May 19, 2016

"The Business of Hacking" -- Recommended Reading for CEOs, Boards of Directors, Governance Leadership

What is your view of the "hacking community"? Is it one of masked computer operators working in a darkened room or that of a white-coated laboratory technician? Well, your views of the hackers working on new products and "services" to steal your information may be substantially changed after you read the most recent document from Hewlett Packard Enterprise entitled The Business of Hacking: Business Innovation Meets the Business of Hacking.

http://www8.hp.com/us/en/software-solutions/hacking-report/index.html?jumpid=va_gpnq3t2xdw  
This document is an easy and compelling read for Chief Executive Officers, Chief Information Officers, Boards of Directors, Risk Analysts and cyber security students. The article does an excellent job of giving a straightforward discussion of the "reality" of the cybercrime community and their "business models."

The HP whitepaper does a nice job clearly identifying "who" the "Bad Guys" are with a simple chart (shown below):


This is extremely helpful to those trying to understand cybercrime and cyber "hacking" because it shows there are different types of hackers with different motivations and capabilities.

The article almost reads like a Gartner report with a "Magic Quadrant" depiction of where the attackers are working relative to Payout and Effort/Risk to their "business."  The quadrant analysis is shown below:


Although the report doesn't go into details on how organized cyber crime is used by Nation-States, analysis has shown that some countries may be using organized cyber crime to conduct their cyber attacks, thus giving the Nation-State the ability to offer "plausible deniability."

Finally, this report will reinforce to the CEOs, et al. that the cyber crime business is just that...a business...where the hackers want to maximize profit and minimize risk...where the hackers need to do research and development and they need to have a finance minister to run their economic shop.

On a parenthetical note, in 2006 I wrote Chapter 1A, "Cybercrime's Impact on Information Security," in Cybercrime & Security edited by Pauline C. Reich. In my article I discussed cybercrime as a business -- albeit nefarious -- but with a CEO, COO, HR manager, VP of R&D, CFO, etc. and that their motives are focused on "....profit maximization and risk management..."

Key Take-Aways

This white paper from HP is a great educational piece to get to your Board of Directors, CEO, COO, CFO, CIO and cyber security students who need to realize that one way to hamper cyber crime is to alter the criminal's business operations .... raise their expenses and increase their risk.

###