What drives cybercrime? Empirical evidence from DDoS attacks

The main predictions of the model are that effective botnets are located in countries with many internet users and high internet speeds, and that the most attractive targets of DDoS attacks are countries with many internet users.

We use a theoretical framework to derive a structural equation that resembles the ”gravity equations” common in the literature on international trade. The empirical results are consistent with the predictions of the model. The number of internet users is strongly related to the number of international DDoS attacks: our results suggest that a ten percent increase in the number of internet users worldwide would raise the total number of DDoS attacks by eight percent. Bandwidth in the country of origin is also significantly related to attacks, but quantitatively not very important. The vulnerability of computers does not seem influential.

We use international data from www.digitalattackmap.com on 55,000 DDoS attacks in 2013 and 2014. The vast majority of attacks originate from the United States (6,256 attacks in 2013/2014) and China (2851 attacks). The Netherlands ranks third with 834 attacks. We estimate an econometric model with economic and technological variables in order to explain observed DDoS patterns. Our model is inspired by models from the international trade literature that explain trade patterns.

Trade relations are significantly related to attacks, while other economic factors including GDP per capita do not appear to play a role. The geographical distance between countries is not relevant, while historical ties between countries are significantly related to the number of attacks.

This paper is one of the first to explore possible determinants of cybercrime at an aggregate level. We hope that by uncovering some general patterns in the data, our research may contribute to the growing and exciting field of cybersecurity economics.