Humans tend to engage in criminal enterprises when the rate of return on investment is high and the risk of loss is low. This calculation is made every day on the part of cybercriminals, and they have concluded it is profitable to continue committing fraud, stealing financial information and hacking into networks worldwide.
When personal computer technology was relatively new, and networks were first becoming ubiquitous in the 1990s, those who engaged in illegal hacking activities did so for the purpose of improving their knowledge of systems, testing their abilities and competing against others for recognition as the best hacker. Thus, intrusions into networks, ranging from military installations to commercial institutions, were little more than nuisances and likely did not pose a long-term risk to security. Furthermore, while viruses, spyware and Trojan horses became more disruptive, these intrusions were seen as an annoyance akin to vandalism. Aside from disabling a computer or making it run slower, intrusions such as these did not reach the level of concern normally associated with criminal behavior. Yet as history shows us, whenever a group of people develop skills that give them an advantage over society at large, some will eventually exploit and victimize society.
According to the FBI and the Association for Computing Machinery, the last few years have seen an explosion in computer security breaches that are used to steal, extort and deceive. This new breed of cybercriminal is no longer motivated solely by ego and technological ability. Instead, cybercriminals have discovered that the skills they learned as teens--hacking into high school networks or creating disruptive viruses to boast to their friends--are now also useful in making a comfortable living.
Unlike crimes committed in the physical world, cybercrime requires little to no investment to be carried out. A criminal mugging someone on the street requires a gun and some basic know-how, and such a crime carries with it the risk of jail time or injury if the victim puts up a fight. More complex criminal activity, such as robbing a bank or operating a protection racket, requires organizing several people, and to a certain extent, equipping and training them. In the real world, the laws of economics apply to criminals, and criminals must make determinations about how much they can invest and risk.
Online, a potential criminal usually only needs to worry about his or her ability to compromise secure systems or trick someone into revealing his or her financial information. Cybercriminals can operate remotely from countries where they risk little interference from law enforcement. Through the very systems that make e-commerce possible, cybercriminals are able to easily commit crimes. Additionally, unlike in the physical world, cybercriminals do not need to deal with competing groups or individuals for territory.
Thus, there is ease of entry into the market, and, because the market is so big, little in the way of direct competition. In fact, there is often collaboration and loose networks of cybercriminals, who, instead of fighting for control like real-world gangs do, work together to improve their capabilities and skills and to seek out new opportunities. This “open source” organization is one of the reasons crybercrime is so hard to fight using traditional methods and organizations. Hierarchical and static law enforcement agencies, for example, usually rely on defined laws, regulations and internal procedures to operate effectively against criminals. The tools that are effective for law enforcement agencies on the street are ineffective in the virtual realm. Technology and tactics of cybercriminals can change faster than law enforcement can adapt to them.