Informal Economics of Information Threats

Abstract. This paper attempts to define shadow information economics as a domain of knowledge that aims at designing and implementing information threats (e.g. malware, DDoS attacks, etc.). This paper also analyzes and explores economical basis of shadow information economics functioning. An economical model of information threats is proposed.
Keywords: information security, information economics, shadow information economics.
1. Introduction
The phenomenon of shadow information economics is, according to our opinion, not sufficiently studied, even though it remains an important problem in the computer era, where cybercrime becomes a problem, that every user has come across. This paper tries to draw researchers’ attention to the problem of shadow information economics.
2. Definition
We define shadow information economics as all the individual and collective unlawful activity, related to design, production, distribution, support, and use of components of information and communication technologies that is hidden from society. In other words, shadow information economics is all the criminal information products, services and processes based on IT or using IT. The main economical elements of this domain are unlawful economical relationships, illegal business, which is related to production, distribution and use of prohibited goods and services, sphere of illegal employment. It is important to note the fact that this kind of economics merges unlawful goods and services production, prohibited by national legislations, unlawful sale and purchase of goods and services, and consume of aforementioned unlawful goods and services. Therefore, we can conclude that the main reason of shadow economics existence is a set of conditions that makes it profitable to conduct unlawful activity in the domain of information technologies.
3. The Threats
A threat in information security is possible danger of a vulnerability being used to overcome system defense and cause damage. ISO 27005 defines a threat as follows: “a potential cause of an incident, that may result in harm of systems and organization”. NIST defines a threat as: “Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability”. Therefore, we can derive the following categories of threats:
– unauthorized access
– destruction
– disclosure
– modification of information
– denial of service
A research by Spy Ops, Technolytics, and Intelomics defines the following cyber threats:
– Logic Bomb
– Computer Virus
– Rabbit
– Bacterium
– Spoofing
– Sequential Scanning
– Dictionary Scanning
– Digital Snooping
– Spamming
– Tunneling
– Scavenging
– Counterfeit Equipment
– Counterfeit Software
– Software Malfunction
– Botnets
– Trap / Back Door
– TEDs / EPFCs / EMP
– Insider Threat
– Trojan Horse
The research defines a rating and a color code for each of the threats.
Threats may be classified by their type (physical damage, natural events, loss of essential services, information compromise, technical failures, and function compromise) and origin (deliberate, accidental, and environmental).
Another research, by Digital Forensics Association, covering 28 countries and 3700 incidents, shows that the main vectors of information breaches are hacks, removable storage, web, fraud (social engineering), and lost laptops.

More article: Informal Economics of Information Threats