News Release

New model of cybercrime factors in perishability of stolen data: INFORMS journal study

Peer-Reviewed Publication

Institute for Operations Research and the Management Sciences

Anna Nagurney, 	Institute for Operations Research and the Management Sciences

image: This is Anna Nagurney. view more 

Credit: U Mass Amherst

A new model examining cybercrimes adds an important way of examining the perishable value of stolen data so policy makers can plan against future hacks like the recent Anthem data breach, according to a study in the Articles in Advance section of Service Science, a journal published by the Institute for Operations Research and the Management Sciences (INFORMS).

INFORMS is the leading professional association for professionals in advanced analytics.

A Multiproduct Network Economic Model of Cybercrime in Financial Services is by Anna Nagurney, the John F. Smith Memorial Professor of Operations Management at the Isenberg School of Management at the University of Massachusetts Amherst. Professor Nagurney is an INFORMS Fellow. It describes a computer-based model that captures the network economics of cybercrime activity and permits the policy evaluation of interventions.

A novel feature of the model is its inclusion of the critical time element and perishability of stolen cyber financial products with, as in the case of fresh produce, the value (and, hence, the black market price) decreasing over time. It also identifies different demand prices for different financial products, with certain credit cards being more valuable because of credit limit, expiration date, and continent of origin.

Cybercrime exacts billions of dollars from businesses across the globe annually in theft and loss of revenue, as well as damage to reputation, opportunity cost, and disclosure of proprietary information. The financial services sector, in particular, has been a major target of cybercriminals, with cybercrime now the second most commonly reported economic crime affecting such firms. Through new Internet pathways, cybercriminals can attack remotely and remain undetected for months.

The new model includes the sources of financial products (the supply points) and the destinations (the demand points) in a powerful visual representation as a network, accompanied by the associated costs of illicitly acquiring the financial products, the transaction costs associated with finding consumers of such illicit products, and the prices at which they can be sold.

It models cybercriminals as economic agents who evaluate targets by the difference between the demand prices that the products (such as credit and debit cards) command versus the associated costs of stealing and transacting them. Financial service firms are modeled as prey and the hackers as predators. The underlying methodology used to capture such asymmetric interactions is "variational inequality theory," which examines multiple interacting agents on the supply and demand sides.

The network economic framework permits quantifiable evaluation of various policy interventions investigated in the study:

    1. Determining the impact of strategies that make it harder to attack financial products' source locations (computer servers)

    2. Evaluating ways that make it harder for cybercriminals to make transactions through the common technique of increasing transaction costs

    3. Exploring changes in the demand price to evaluate greater or lesser interest in criminal products at demand markets

In addition, the study shows improved graphical network representation that makes it possible to quantify the addition or removal of demand markets and sources of financial products.

In subsequent research, the author is investigating extensions to this framework that include cybersecurity investments using game theory. These identify not only an individual firm's vulnerability but that of the industry as well. She is also studying supply chain networks' vulnerability to cyberattacks.


The research reported in the paper was supported, in part, by the Advanced Cyber Security Center (ACSC) and by a grant from the National Science Foundation (NSF). Preliminary findings were presented at the Workshop on Cybersecurity Risk Analysis for Enterprises, held at the Sloan School at MIT in September 2014, co-organized by the author with colleagues, and funded by the ACSC, a non-profit consortium in Bedford, MA. Panelists and speakers at the daylong event represented the Isenberg School of Management, UMass Amherst, MIT, Biogen Idec, the U.S. Office of Financial Research, Liberty Mutual, the UMass President's Office, State Street, MITRE, and the Federal Reserve Bank.


INFORMS is the leading international association for professionals in analytics and operations research (O.R.). INFORMS advances research, and develops and promotes best practices in analytics and O.R. through collaboration, knowledge sharing, and professional development. INFORMS helps business, government, and other organization professionals make better decisions to drive value to their organizations and society. Our certification program (CAP®), highly cited publications, educational meetings and conferences, continuing education, industry and process focused networking communities, competitions, and recognition provide professionals with the knowledge and connections they need to achieve ever greater value for their organizations. Further information about INFORMS, analytics, and operations research is at or @informs.

Disclaimer: AAAS and EurekAlert! are not responsible for the accuracy of news releases posted to EurekAlert! by contributing institutions or for the use of any information through the EurekAlert system.