Is cybercrime really worth it? What hackers actually earn on both sides of the law


Rationally, we might assume that hackers will calmly and logically calculate the likelihood of being busted and compare that to the possible rewards for breaking the law when deciding which side of the line they want to operate on. Of course, there are ethical elements to consider too, but in terms of the risk vs reward, the conversation is a difficult one, especially if you happen to live in a country that is outside of the remit of the companies and countries you might be targeting.

If you’re a graduate from an American computer science program, however, the dilemma may be a bit harder to tackle, especially if you look at things in purely economic terms. The media is awash with hackers earning millions, but things aren’t as straightforward as that. Those media stories tend to focus on the spectacular bounties, which while undoubtedly real, are nonetheless at the high end of the income distribution. The majority of cybercriminals will earn significantly less.

The criminal economy


Research from the RAND Corporation describes the cybercriminal underground as a 'hacker's bazaar,' with a thriving marketplace of suppliers, intermediaries, and end-buyers. Prices are surprisingly transparent, with stolen credit card numbers going for somewhere between $5 and $45 each. Full exploit kits that are able to automate attacks typically go for between $200 and $600 a week. Remote access trojans, which give attackers persistent control of compromised machines, can be purchased for under $100.

The hacker's bazaar: cybercrime marketplace prices. Image by Cybernews.

It’s a picture that portrays cybercriminals not so much as entrepreneurs as workers in a supply chain, each earning a modest amount that is irregular at best. Indeed, research from University College London puts the typical monthly income for participants in forums on the Dark Web at just $1,250 (around $15,000 per year). To put that into perspective, that’s about the same as a minimum-wage job in many Western cities. The headline-grabbing ransomware operators who earn millions are the equivalent of hedge-fund managers in a world full of bank tellers.

By contrast, the legitimate cybersecurity jobs market has been enjoying a sustained boom. There are an estimated 3.5 million vacancies in the global cybersecurity workforce, and this shortage is driving up wages across the sector. In the United States, for instance, a typical salary for an information security analyst can easily approach $150,000. Senior penetration testers, threat-intelligence analysts, and cloud-security architects can earn considerably more.

Crime doesn't pay: dark web vs. cybersecurity salaries. Image by Cybernews.

The likes of bug-bounty programs have added new revenue streams for talented cybersecurity researchers as well. Platforms such as HackerOne and Bugcrowd allow researchers to report vulnerabilities in exchange for cash rewards. Google's Vulnerability Reward Program has paid out more than $50 million since its founding in 2010. In 2023, a researcher was awarded $605,000 for a single vulnerability in Chrome. Apple is similarly generous, offering up to $2 million for the most critical iOS security vulnerabilities via its Security Research Device Program.

Comparing like with like

Suffice it to say, any comparison between white-hat and black-hat researchers is always going to be a pretty blunt instrument. Cybercrime carries a host of risks that simply aren’t present in legitimate cybersecurity work. The income is also inevitably irregular. A ransomware criminal may get a good bounty one year, but then absolutely nothing the next. With law enforcement always on the hunt to shut down income streams, it is certainly not a guaranteed income.


Research in the Journal of Cybersecurity made the case that after the full costs of cybercrime are included, the rational case for engaging in cybercrime is much weaker than previously thought. Despite this, the financial pull of cybercrime remains considerable, especially in countries where tech skills are strong but legitimate salaries are low.


In countries like Russia and Romania, for instance, cybercriminals make up a disproportionately large share of the overall tech workforce. This isn’t a sign of an ethical deficit in these countries, but a sign of labor-market arbitrage. When the same skills that could earn you a relatively meagre income in the legitimate workforce could earn you much more than that in criminal endeavors, it’s much harder to criticize people for choosing the dark path.

The reality is that while many jurisdictions look to law enforcement interventions to try to reduce and deter cybercrime, the more effective approach might be to increase the availability of well-paid roles in the legitimate cybersecurity workforce. Markets, as usual, have something useful to teach law enforcement.

