Security Economics


Among the research topics of the Security Group, the main aim of this one is to understand the economic trade-offs between different regulations and to get a better understanding of the mechanisms behind malware markets.

  • Trade-off between regulation-based and risk-based security and compliance
  • Economics of black markets

The former is a project that mostly focuses on air traffic management (for which we have some case studies through the SECONOMICS and EMFASE projects). The latter is based on exploration of black market forums.

See also our section on Predictive Models for Vulnerabilities and Malware Analysis.

Malware Markets

Many criminal activities in the “ordinary world” are motivated, empowered, and encouraged by “underground” markets in which stolen goods are traded and money laundering is an everyday service. Thomas C. Schelling, Nobel Prize winner in Economics, refers to these markets as “those markets that we don’t like, that work entirely too well: for example, the market for stolen goods, that encourages burglary[..]” (from Micromotives and Macrobehavior).

The news is that cybercrime is itself (at least allegedly) organised and motivated by an underground economy, often referred to in the news as the black markets of cybercrime. As with any illegal, non-regulated economic activity, assessing to what degree such a structure is effective in motivating, encouraging and supporting criminal activities is not straightforward. In the past, Cormac Herley et al. analysed some of these black markets, and concluded (in a publication that we liked a lot (PDF)) that traders are nothing but scammers that scam wanna-be scammers. However, their analysis was aimed at a subset of the underground black markets: the Internet Relay Chat (IRC) markets. These are unregulated, anonymous, feedback-less channels through which unaware “criminals” try to buy credit cards allegedly worth thousands of US Dollars for a few bucks.

But the black markets are not only about banking information and recycled credit cards. Attack tools such as Exploit Kits are traded in the cybercrime markets (see this report by Symantec), and these tools are reportedly responsible for 60% of the final user infections (as reported by Google (PDF)).

So, if those tools are available through the black markets, and are responsible for driving attacks against millions of computers worldwide, then maybe the black markets are not all scam machines for scammers.

With the purpose of better understanding the nature of these markets, in the last years we infiltrated many. We learned how these underground markets work, what the trade dynamics are, who the major players are, and what products, services and prices come along with the traded goods.

The above Figure is an excerpt taken from one of the black markets we are studying. In red is a translation of the text for those who are not fluent in Russian (most of those markets are, in fact, run almost exclusively in Russian). In particular, this is the advertisement of a very popular (back in 2011 and mid-2012) exploit kit. The product description comes along with a list of vulnerabilities it can attack, prices, and additional services that come along with the exploit kit.

We are now using this knowledge to understand and consequently model the economically empowered and motivated attacker. As a first step, we used our knowledge from the black markets to build a decision model that predicts under which conditions a potentially malicious player decides to be a criminal (and join the black markets) rather than being a lawful person. Such a model can be an effective tool in the hands of policy makers, who can make policies and laws specifically oriented at discouraging black market participation.

RAND Corporation recently released a report on cybercrime activities, in which the University of Trento has been involved as a domain expert.

For more information on our models see our paper and/or contact us directly. For a deeper insight into the attack tools traded in the black markets (we are testing them!) see our Malware Analysis page in this wiki. If you are interested in what vulnerabilities are traded in the black markets, we are monitoring those as well. Make sure to check out the Predictive Models for Vulnerabilities section!


The following is a list of people who have been involved in the project at some point in time.


This activity was supported by a number of projects.


  • M. De Gramatica, F. Massacci, W. Shim, A. Tedeschi, J. Williams. IT Interdependence and the Economic Fairness of Cyber-security Regulations for Civil Aviation. IEEE Security and Privacy Magazine. To appear. PDF
  • L. Allodi, W. Shim, F. Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. In: Proceedings of the 2013 IEEE S&P International Workshop on Cyber Crime (IWCC'13), May 19-24, 2013, San Francisco, USA. PDF
  • V. H. Nguyen and F. Massacci. The (Un)Reliability of Vulnerable Version Data of NVD: an Empirical Experiment on Chrome Vulnerabilities. In: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS)'13, May 7-10, 2013, Hangzhou, China. PDF
  • Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Proceedings of IEEE/ASE 2012 Cyber Security Conference. Complementary publication in ASE Journal 2012, Vol. 2, Best paper award. PDF
  • Woohyun Shim. An Analysis of Information Security Management Strategies in the Presence of Interdependent Security Risk, Asian Pacific Journal of Information Systems, vol. 22, no. 1, pp. 79-101. PDF
  • Woohyun Shim. Analysis of the Impact of Security Liability and Compliance on a Firm's Information Security Activities, Journal of Society for e-Business Studies, Korea, vol. 16, no. 4, pp. 53-73. PDF
  • Woohyun Shim. Vulnerability and Information Security Investment under Interdependent Security Risks: A Theoretical Approach, Asian Pacific Journal of Information Systems, vol. 21, no. 4, pp. 27-43. PDF

Talks and Tutorials

  • Luca Allodi. Crime Pays If You Are Just an Average Hacker. Presentation at the 2012 CyberSecurity Conference in Alexandria, Virginia (U.S.), 16 December 2012. Slides
  • Luca Allodi. Economics of cybercrime. Joint meeting with Ufa State Aviation University, Russia. Trento, Italy. 14 May 2012. Slides
  • Luca Allodi. Some preliminary analysis of the economics of malware kits and traffic brokers. Workshop on “Collaborative Security and Privacy Technologies”. Berlin. 25 April 2012. Slides
  • Viet Hung Nguyen. The (Un)Reliability of NVD Vulnerable Version Data: An Empirical Experiment on Google Chrome Vulnerabilities. Presentation at ASIACCS'13, May 2013, Hangzhou, China. Slides
  • Woohyun Shim. An Analysis of IT Security Management Strategies in the Presence of Interdependent Security Risk. Paper presented at the 9th Annual Conference on Telecommunications and Information Technology (ITERA 2011), Indianapolis, IN, April 8–10, 2011 PDF
  • Woohyun Shim. The Effects of Managing Confidential Information on IT Security Investment Decision: An Empirical Analysis. Paper presented at the 9th Annual Conference on Telecommunications and Information Technology (ITERA 2011), Indianapolis, IN, April 8–10, 2011 PDF
  • Woohyun Shim. Types of Information Vulnerability and IT Security Investment: An Empirical Analysis of Businesses in Korea. Paper presented at the 7th Annual Forum on Financial Information Systems and Cyber Security: A Public Policy Perspective, College Park, MD, January 19, 2011 PDF
  • Woohyun Shim & Johannes Bauer. How Can Organizations Improve Cyber Security? Implementing Security Controls in the Presence of Moral Hazard. Paper presented at the 18th Biennial Conference of the International Telecommunications, Tokyo, Japan, June 27–30, 2010 PDF
security_economics.txt · Last modified: 2015/07/27 13:32 by