The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures

2017 
The typical cyber attacker is assumed to be all-powerful and to exploit all possible vulnerabilities. In this paper we present, and empirically validate, a novel and more realistic attacker model. The intuition of our model is that an attacker will optimally choose whether to act and weaponize a new vulnerability, or keep using existing toolkits if there are enough vulnerable users. The model predicts that attackers may i) exploit only one vulnerability per software version, ii) include only vulnerabilities with low attack complexity, and iii) be slow at introducing new vulnerabilities into their arsenal. We empirically test these predictions by conducting a natural experiment on attack data collected against more than one million real systems from Symantec's WINE platform. Our analysis shows that mass attackers' fixed costs are indeed significant and that substantial efficiency gains can be made by individuals and organizations by accounting for this effect.