Crime *does* pay -- hackers earn about $40 an hour. But black hats who turn white get a big raise
Crime does pay! About $28,744 per year, figures researcher Larry Ponemon. But that's a quarter of the income that security pros make, so mommas, don't let your babies grow up to be hackers.
Hackers' hourly rate suffers too. Computer criminals make about $40 an hour, compared to a little more than $60 an hour for pros. On the other hand, criminals have a lot more free time on their hands. The average hacker works only 705 hours per year, compared to 1,918 hours worked by experienced IT security analysts. While these figures are estimates, if you think about the average number of sleepless nights security pros suffer, the numbers ring true.
Ponemon, who runs the Ponemon Institute research and survey company, often tries to calculate the nearly incalculable, so his numbers come with a lot of qualifiers. But they provide some fascinating estimates and starting points in discussions like these.
(Ponemon and I also run the Ponemon-Sullivan Privacy Report free newsletter. You can sign up for that here.)
For this study, Ponemon surveyed hackers of all hat colors in an attempt to understand the economics of computer crime. As any pro will tell you, there is no such thing as total security. But if you can make your system too expensive to attack, most criminals will move on to softer (cheaper) targets. And that's how you make the economics of hacking work for you.
Of course, really great hackers probably chose not to participate in this survey -- who would fess up to stealing $1 million, even "anonymously." So there might be some top-heavy numbers missing. Still, the findings are interesting and should start a good discussion.
"While many attackers may be hoping for a big 'payout,' reality can be quite different. The findings reveal that attackers on average receive $28,744 for an average of 705 hours spent on attacks annually," the report says. "Of course, some attackers do 'earn' more than the average. However, this compensation is 38.8 percent less than the average hourly rate of IT security practitioners employed in the private and public sector."
Another interesting note from Ponemon's study: time equals money, even to hackers. So they have a point where they give up and move on to another target. On average, the "pivot point" where hackers cry uncle is 209 hours.
It's not only time that costs hackers money. They have overhead, too. Many computer criminals buy specialized hacking tools online; Ponemon puts the amortized cost of those tools at $1,367 a year, a figure his compensation equation subtracts from the attacker's annual take.
Here's how Ponemon estimated hackers' costs.
"To calculate the average adversary’s compensation, we extrapolate the hours spent on attacks against organizations with a “typical” and “excellent” IT security infrastructure. As shown in Table 1, the time spent on an attack against an organization with an excellent IT security infrastructure is more than twice the time it takes when the organization has less than a strong security posture (e.g., 70 hours versus 147 hours per attack).
"From survey responses, we calculate an average value of $14,711 for each successful attack. We also calculate the average number of successful attacks per year at 8.26. The unadjusted economic gain per year equals $14,711 X 8.26. This value is adjusted by 42 percent (i.e. percent of successful attacks) and 59 percent (i.e. percent of successful attacks yielding a non-zero return). Finally, we reduce this adjusted value by the extrapolated cost of specialized tools of $1,367 used to improve the attacker’s performance. The following is the basic equation, which yields an adjusted annual compensation of $28,744."
Ponemon chart
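The equation quoted above, written out as a function so the reported figures can be checked and so the effect of a slower attack can be read off. This is an added example, not code from Ponemon or the report; the constants are the study's published numbers, and the final function's assumption that an attacker's annual hour budget is fixed (so doubling the hours per attack halves the attacks per year) is mine, not the study's.

```python
"""Ponemon's adjusted-annual-compensation equation, as quoted on this page,
as a checkable function.  Added example; not the study's own code."""

# Figures reported in the study (all taken from the text above).
VALUE_PER_SUCCESSFUL_ATTACK = 14_711    # dollars
SUCCESSFUL_ATTACKS_PER_YEAR = 8.26
SHARE_OF_ATTACKS_SUCCESSFUL = 0.42      # "percent of successful attacks"
SHARE_YIELDING_NONZERO_RETURN = 0.59    # successful attacks that actually pay
TOOL_COST_PER_YEAR = 1_367              # dollars, amortized specialized tools
HOURS_PER_YEAR_ATTACKER = 705
HOURS_PER_ATTACK_TYPICAL = 70           # "typical" IT security infrastructure
HOURS_PER_ATTACK_EXCELLENT = 147        # "excellent" IT security infrastructure
PRACTITIONER_RATE_DISCOUNT = 0.388      # attacker hourly rate is 38.8% below pros


def adjusted_annual_compensation(value_per_attack=VALUE_PER_SUCCESSFUL_ATTACK,
                                 successful_per_year=SUCCESSFUL_ATTACKS_PER_YEAR,
                                 p_success=SHARE_OF_ATTACKS_SUCCESSFUL,
                                 p_nonzero=SHARE_YIELDING_NONZERO_RETURN,
                                 tool_cost=TOOL_COST_PER_YEAR):
    """Ponemon's equation: unadjusted gain, two percentage adjustments, minus tools."""
    unadjusted = value_per_attack * successful_per_year
    return unadjusted * p_success * p_nonzero - tool_cost


def hourly_rate(annual_dollars, hours_per_year=HOURS_PER_YEAR_ATTACKER):
    """Dollars per hour worked."""
    return annual_dollars / hours_per_year


def implied_practitioner_hourly_rate(attacker_hourly, discount=PRACTITIONER_RATE_DISCOUNT):
    """Back out the practitioner rate from the '38.8 percent less' statement."""
    return attacker_hourly / (1.0 - discount)


def compensation_at_hours_per_attack(hours_per_attack,
                                     baseline=HOURS_PER_ATTACK_TYPICAL):
    """ASSUMPTION (mine, not the study's): the attacker's annual hour budget is
    fixed, so the number of successful attacks per year scales inversely with
    the hours each attack takes.  A target that takes 147 hours instead of 70
    therefore yields fewer paying attacks per year for the same effort."""
    scale = baseline / hours_per_attack
    return adjusted_annual_compensation(
        successful_per_year=SUCCESSFUL_ATTACKS_PER_YEAR * scale)


if __name__ == "__main__":
    annual = adjusted_annual_compensation()
    rate = hourly_rate(annual)
    print(f"adjusted annual compensation: ${annual:,.0f}")
    print(f"attacker hourly rate:         ${rate:.2f}")
    print(f"implied practitioner rate:    ${implied_practitioner_hourly_rate(rate):.2f}")
    slow = compensation_at_hours_per_attack(HOURS_PER_ATTACK_EXCELLENT)
    print(f"against 'excellent' targets:  ${slow:,.0f}/yr, ${hourly_rate(slow):.2f}/hr")
```

Running it reproduces the report's $28,744 and the roughly $40-an-hour figure from the lede, and backs out a practitioner rate of about $66 an hour, which matches the article's "a little more than $60". Under the fixed-budget assumption, forcing every attack to take the "excellent" 147 hours instead of 70 drops the attacker's annual take to roughly $13,000, or about $18 an hour, which is the economic argument of the piece in numbers.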
The news isn't all rosy, however. Survey respondents told Ponemon that the costs of conducting widespread or sophisticated attacks are shrinking.
"The reduction in cost is due to less time to execute a successful attack and in the improvement in hacker tools," he said. "Contributing to the lower cost of a successful attack is the decrease in the cost of computing power. Cyber criminals can launch more sophisticated attacks for less investment. Today, bad actors without the capability to develop their own tools can use existing malware, and exploits are often free or inexpensive to obtain online."
Also, 83 percent of respondents said the time it takes to execute attacks is shrinking.
That threatens to tip the economics of hacking in the bad guys' favor.
The main lesson from Ponemon's research: the longer an organization can keep the attacker from executing a successful attack, the stronger its ability to safeguard its sensitive and confidential information.
"While no organization has unlimited resources to spend hardening itself against malicious actors, understanding the amount of time until attackers’ efforts are no longer potentially profitable will help the leadership prioritize investments in the appropriate technologies," he said. "Time is the enemy of an attacker. The more time that passes before a successful attack can execute, the more likely an organization can stop it. For example, a delay of five hours in conducting a successful attack deters 13 percent of attacks, a delay of 10 hours can reduce 24 percent of attacks, and 20 hours deters 36 percent of attacks. On average, a technically proficient hacker will quit an attack and move to another target after spending less than nine days without success."
Ponemon chart
Here's how Ponemon conducted the survey:
"We surveyed 304 threat experts in the United States, United Kingdom and Germany. We built this panel of experts based on their participation in Ponemon Institute activities and IT security conferences. They were assured their identity would remain anonymous. Twenty-one percent of respondents say they are very involved, and 79 percent of respondents are involved in the threat community. They are all familiar with present-day hacking methods."
The research was funded by Palo Alto Networks.
(DISCLOSURE: Ponemon and I have a joint project called the Ponemon-Sullivan Privacy Report, an email newsletter on all things privacy. You can sign up for it here for free. I receive compensation for work on that separate product; I was not paid to write this story.)