A new report calculates a hacker’s salary, and shows what might keep the attackers away from you.

There is hacking for good, and hacking for evil. And the wages of sin may be about $40 an hour, according to a report on the economy of hacking.

The Ponemon Institute said it surveyed about 300 online attackers from the U.S., the United Kingdom, and Germany, with the promise that it would keep their identities secret.

Researchers determined that the hackers worked an average of 705 hours per year, earning about $28,000. That equals about 14 hours per week of work—with two weeks off for vacation—what some might consider a lucrative part-time job.

In addition, it is getting easier for attackers to do their jobs, according to the report, in part because the hackers can buy effective tool kits on line to carry out more complicated attacks.

“It costs less to hack,” the report said. “Cyber criminals can launch more sophisticated attacks for less investment.”

Retire early?

The institute’s founder, Larry Ponemon, told Dark Reading that the criminal hacker’s income, as determined by the survey, was lower than he had expected.

“The perception by some is that they do this ‘work,’ make a lot of money and then retire at an early age,” he said in the article. “But they have to work very hard for a small income.”

But some cybersecurity experts say there are pieces missing from this analysis.

For example, some consider Russia, China, Brazil, Vietnam and Nigeria to be cybercrime strongholds, according to Time.

“You can’t leave out the most active hot spots,” said Patrick C. Miller with Archer Security Group. “The caveats are significant.”

He said the report also does not include hackers who work on behalf of organized crime and nation-states, as well as what he calls “NGO’s”—terrorist organizations with no real “nation” behind them—all of which of which may earn far more.


The report show insights into how hackers from the three countries surveyed may work, and that has some value, said Miller.

These hackers will make a run for the easiest targets, and then move on relatively quickly if they are not successful, according to the report.

“Time is the enemy of an attacker,” the report said. “The more time that passes before a successful attack can execute, the more likely an organization can stop it.”

If attackers have to spend an extra five hours on a hack, 13% may give up, according to the report. In addition, an extra 10 hours can deter 24% of attacks, and an extra 20 hours without a payoff will deter 36% of attacks.

The lesson here, Miller said, is that better security can help keep attackers away from you and your organization, just as “The Club” steering wheel lock can keep car thieves from stealing your ride.

“It’s not about outrunning the bear,” he said. “It’s about outrunning the slower organizations in your target space.”

Low and slow

Hackers working on behalf of organized crime and nation-states and hackers from independent terrorist groups will work differently than these quick-money-seeking, drive-by hackers as described in the report, said Miller.

“The serious ones do this low and slow,” he said. “They don’t act quickly.”

“The threat intel they are talking about [in the report] is quick hit stuff,” explained Miller. “Yes, it matters, but mostly for the obvious and opportunistic stuff. You may learn new tactics and today’s latest trends [from the report], but you won’t learn how to stop the ones that are already in your organization without your knowledge.”

He said the report may not be helpful for every business or organization.

“This type of information is useful for lesser-protected organizations trying to stop today’s hack today,” Miller said. “It is marginally useful for the mature organizations facing the determined, well-funded adversary.”

In addition, he said, some businesses and groups are not ready to move to a sophisticated level of security.

“Most organizations can’t use this intel effectively today because they are still struggling with the simple stuff, like locking the doors and windows,” he said.

That is important, Miller said, because attackers will be checking these cyber doors and windows for easy access.

“It’s really a numbers game. Rattle the most doorknobs in the least amount of time for the highest gain,” he said.