Shrinking vs. Slicing the Pie of Online and Computer Crime

Business managers use the term growing the pie to describe a scenario in which the company's actions increase the overall size of the market, for instance by increasing the number of consumers willing to buy the product. In contrast, slicing the pie refers to the zero-sum situation in which the company pursues market share solely at the expense of its competitors.

Consider the opposite dynamic—shrinking the pie—and how it might apply to online and computer crime. Is there anything we can do to make it less attractive, or perhaps more costly and risky, to participate in the online and computer crime ecosystem?

Slicing the Pie in Information Security

Most of the security mechanisms that organizations put in place aim to make the environment harder to compromise, in the hope that the attacker will find another target more attractive. This is a slicing-the-pie situation: the company hopes to reduce its own slice of the crime pie at the expense of increasing someone else's.

For instance, by putting a web application firewall in front of a potentially vulnerable web app, the organization makes that app harder to compromise. If sufficient defenses exist to address the other likely attack vectors as well, the cost of pursuing this target will exceed the attacker's motivation, encouraging him to go after another, less protected target. The enterprise improved its own security and thus shrank its slice; the overall size of the pie, however, didn't change.

Shrinking the Pie in Information Security

In contrast, consider the activities in which we may engage that might dampen the growth of the online and computer crime ecosystem, thereby shrinking the whole pie. This is hard, but not impossible.

One way to shrink the pie is more effective enforcement of computer crime laws. This might entail changing laws to make it easier to pursue suspects across jurisdictions and encouraging stronger international collaboration. For example, the FBI's Operation ACHing Mule made it more difficult to participate in online and computer crime by strengthening the deterrent and increasing criminals' costs. That may have shrunk the pie a bit.

Another way to shrink the pie is to intervene in the flow of money within the crimeware ecosystem, increasing attackers' costs. This approach was proposed in the paper Click Trajectories: End-to-End Analysis of the Spam Value Chain (PDF). The researchers' goal was to:

“Identify any ‘bottlenecks’ in the spam value chain: opportunities for disrupting monetization at a stage where the fewest alternatives are available to spammers (and ideally for which switching cost is high as well).”

They showed that only "three banks provide the payment servicing for over 95% of the spam-advertised goods." If U.S. credit card issuing banks refused to settle transactions with those few high-risk acquiring banks, the cost of monetizing spam would rise dramatically. If it worked, this would be an example of shrinking the pie of online and computer crime, and it would make all of us better off.
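The bottleneck analysis the paper describes can be made concrete. The following Python example is added here and is not code from the paper or from the original post. It runs over a constructed set of spam campaigns, each mapped to the provider it relied on at three stages of the value chain (registrar, hosting, payment bank), measures how concentrated each stage is, and picks the stage where refusing service from a few providers would cut off the most campaigns. The provider names, the stage list and the campaign counts are made up for illustration; only the shape of the analysis follows the paper's "fewest alternatives" criterion.

```python
from collections import Counter

# Constructed sample data (not from the paper): 20 spam campaigns, each recorded
# with the provider it relied on at three stages of the value chain.
CAMPAIGNS = [
    {
        "id": i,
        "registrar": f"reg-{i % 10}",   # 10 registrars, 2 campaigns each
        "hosting": f"host-{i % 6}",     # 6 hosting providers, 3-4 campaigns each
        # payment: three banks carry 19 of 20 campaigns, a fourth carries the last
        "bank": ("bank-X" if i < 10 else "bank-Y" if i < 16
                 else "bank-Z" if i < 19 else "bank-W"),
    }
    for i in range(20)
]

# Hypothetical stage names used by this example.
STAGES = ["registrar", "hosting", "bank"]


def top_providers(campaigns, stage, top_k):
    """The top_k most-used providers at a stage, with their campaign counts."""
    return Counter(c[stage] for c in campaigns).most_common(top_k)


def concentration(campaigns, stage, top_k):
    """Fraction of campaigns served by the top_k providers at a stage.

    A value near 1.0 means a handful of providers reach nearly every
    campaign, so spammers have few alternatives there: a candidate bottleneck.
    """
    covered = sum(n for _, n in top_providers(campaigns, stage, top_k))
    return covered / len(campaigns)


def stage_report(campaigns, stages, top_k=3):
    """Concentration at each stage, for comparison across the value chain."""
    return {s: concentration(campaigns, s, top_k) for s in stages}


def bottleneck(campaigns, stages, top_k=3):
    """The stage where acting against top_k providers disrupts the most campaigns."""
    return max(stages, key=lambda s: concentration(campaigns, s, top_k))


def affected_campaigns(campaigns, stage, blocked):
    """Ids of campaigns that lose that stage if the `blocked` providers refuse them."""
    return [c["id"] for c in campaigns if c[stage] in blocked]


if __name__ == "__main__":
    for stage, share in stage_report(CAMPAIGNS, STAGES).items():
        print(f"{stage:10s} top-3 providers cover {share:.0%} of campaigns")
    stage = bottleneck(CAMPAIGNS, STAGES)
    blocked = {name for name, _ in top_providers(CAMPAIGNS, stage, 3)}
    hit = affected_campaigns(CAMPAIGNS, stage, blocked)
    print(f"bottleneck: {stage}; refusing {sorted(blocked)} "
          f"cuts off {len(hit)}/{len(CAMPAIGNS)} campaigns")
```

On this constructed data the registrar and hosting stages are spread across many providers, while three banks cover 95% of campaigns, so the payment stage comes out as the bottleneck. The example scores only "fewest alternatives"; the paper's second criterion, a high switching cost, would be modeled by weighting each stage by how hard it is for a spammer to move to a new provider there.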

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.