research-article

A Comparison of Systemic and Systematic Risks of Malware Encounters in Consumer and Enterprise Environments

Published: 12 April 2023

Abstract

Malware remains a widespread problem, and malicious actors routinely use it to compromise the security of computer systems. Consumers typically rely on a single AV product to detect and block possible malware infections, while corporations often install multiple security products, activate several layers of defenses, and establish security policies among employees. However, although a better security posture should lower the risk of malware infections, the actual extent to which it does so is still under debate among risk analysis experts. Moreover, the difference in risks encountered by consumers and enterprises has never been empirically studied using real-world data.

In fact, the mere use of third-party software and network services, together with the interconnected nature of our society, necessarily exposes both classes of users to undiversifiable risks: regardless of how careful users are and how well they manage their cyber hygiene, a portion of that risk exists simply because they use a computer, share the same networks, and run the same software.

In this work, we shed light on both systemic (i.e., diversifiable and dependent on the security posture) and systematic (i.e., undiversifiable and independent of the cyber hygiene) risk classes. Leveraging the telemetry data of a popular security company, we compare, in the first part of our study, the effects that different security measures have on malware encounter risks in consumer and enterprise environments. In the second part, we conduct exploratory research on systematic risk, investigate the quality of nine different indicators we were able to extract from our telemetry, and provide, for the first time, quantitative indicators of their predictive power.

Our results show that even if consumers have a slightly lower encounter rate than enterprises (9.8% vs. 12.0%), the latter do considerably better when selecting machines with an increasingly higher uptime (89% vs. 53%). The two segments also diverge when we separately consider the presence of Adware and Potentially Unwanted Applications (PUA) and the generic samples detected through behavioral signatures: while consumers have an encounter rate for Adware and PUA that is 6 times higher than enterprise machines, enterprise machines on average match behavioral signatures 2 times more frequently than their consumer counterparts. We find, instead, similar trends when analyzing the age of encountered signatures and the prevalence of different classes of traditional malware (such as Ransomware and Cryptominers). Finally, our findings show that the amount of time a host is active, the volume of files generated on the machine, the number and reputation of vendors of the installed applications, the host's geographical location, and its recurrent infected state carry useful information as indicators of systematic risk of malware encounters. Activity days and hours have a higher influence on the risk of consumers, increasing the odds of encountering malware by 4.51 and 2.65 times. In addition, we measure that the volume of files generated on the host represents a reliable indicator, especially when considering Adware. We further report that the likelihood of encountering Worms and Adware is much higher (on average 8 times in consumers and enterprises) for those machines that already reported this kind of signature in the past.

Published in

ACM Transactions on Privacy and Security, Volume 26, Issue 2
May 2023
335 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3572849

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

  • Published: 12 April 2023
  • Online AM: 3 October 2022
  • Accepted: 26 September 2022
  • Revised: 8 August 2022
  • Received: 9 August 2021