Saturday, November 15, 2014

A Venture Capitalist Valuation of Cybercrime - why every compromise hurts everyone

I've decided that every compromise - J.P. Morgan, Target, Home Depot, Dairy Queen, USPS - hurts everyone. Why? Because every profitable compromise attracts more resources to cybercrime, raising the threat level that every organization has to deal with.

At the root of every enterprise is investment - to fund research and development, operations, and so forth. This got me thinking - at what level would a venture capitalist fund cybercrime and how would different levels of revenue affect that level of investment. Let's use $2.5 billion as our baseline revenue level, because that what Group iB, a cybercrime investigations and research company, has pegged the Russian cybercrime revenue at in their report.

The basic venture capital formula determines the level of investment based on the projected future value of the investment (Future Value), the required required rate of return (IRR), and the number of years until that future value is realized (years). It all comes together in the formula show below.

Let's say that an enterprising criminal proposed to our venture capitalist a cybercrime enterprise that would be generating $2.5 billion in 5 years. The venture capitalist, seeing the risk in the enterprise requires an annual return of 75% and assumes the enterprise will be worth three-times revenue. In such a scenario, our venture capitalist would be willing to invest about $1.4 billion.

Let's assume that the criminals boost their revenue forecast to $3.5 billion because organizations are failing in their defenses even more frequently. Our venture capitalist revalues her level of investment and now is willing to invest nearly $2 billion.

Alternatively, what if revenue dropped to $1.5 billion because companies are being more successful in defending their assets? Now our investor is only willing to invest $840 million.

The point is every profitable compromise attracts more resources pursuing profits.

The threat level that every organization has to deal with is directly proportional to the global resources being invested in cybercrime. So, when Target or HomeDepot or J.P. Morgan get compromised, everyone gets compromised because each of these events attracts more resources. These resources go towards development of new exploit methods, compromise operations, and cash out operations.

So what does this mean? Ultimately, we have to starve the criminals of revenue so that the investment trends will reverse from growth to decline. First, take care of your own house so that you aren't contributing to the cybercrime revenue. And second, help out your neighbors so that they don't get compromised - because it matters. Crime begets crime. And if you live in a neighborhood where there is a lot of crime, eventually you are going to get compromised.