If global cybercrime were measured as a country, it would be the third largest economy after the United States and China, with a GDP in 2025 projected by the World Economic Forum to be roughly 10.5 trillion US dollars. Cybercrime continues to grow year after year with no end in sight and no coherent strategy for confronting its causes or mitigating its effects. For researchers, the sheer scale of the phenomenon makes it hard to know what to study.
At Interisle, using data collected by the Cybercrime Information Center, we focus on the supply chain—the resources that criminals need to conduct their attacks, and the name, address, hosting, and financial infrastructures that provide them. Our premise is that criminals and criminal organizations are exquisitely rational actors—they will pursue whatever maximizes their returns, and avoid whatever adds cost or risk to their campaigns. We collect and analyze data on the supply side of cybercrime with the goal of finding ways to make it more difficult and costly for criminals to acquire attack resources, conduct crimes, and “launder” criminal proceeds.
Why is it so important to break the supply chain? Because decades of effort on the demand side of cybercrime have been almost completely ineffective.
You won’t hear this from the companies that sell workforce anti-phishing training or other risk-management programs. But cybercrime targets the ineradicable foibles of human behavior, and independent studies have consistently demonstrated their resilience. For example, a team of researchers at UC San Diego and the University of Chicago recently reported the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. They found that annual cybersecurity awareness training and embedded anti-phishing training exercises “are unlikely to offer significant practical value in reducing phishing risks.”
So if criminals can always count on finding targets who will take the bait, what would deter them? The cost, difficulty, and risk—legal and financial—of dangling the hook. Adding those to the supply side undermines the cybercrime business model. It won’t stop cybercrime, but it might slow it down—while we figure out how to change human nature.
Nothing will change until financial institutions and banks start acting in a manner that naturally trains users to do the right thing. My partner had a Vanguard support person on the phone and the Vanguard support person asked my partner to repeat his one-time code to him. You know, the code that Vanguard says they will never ask for. I get emails from my Visa CC bank from multiple domains.
Don't even get me started on the stupid password policies I see in the field. My Amex account requires that my _username_ have a certain level of entropy, but my password cannot be longer than 16 characters. My credit union greys out my account number in their web interface, literally the same number on every paper check I hand out. But they only offer OTP via SMS.
It's 2025 and financial institutions are still not taking these kinds of things seriously.