An interesting article:
Dinei Florencio and Cormac Herley
Microsoft Research Technical Report
June 2011
The fact that a majority of Internet users appear unharmed each year is difficult to reconcile with a weakest-link analysis. We seek to explain this enormous gap between potential and actual harm. The answer, we find, lies in the fact that an Internet attacker, who attacks en masse, faces a sum-of-effort rather than a weakest-link defense. Large-scale attacks must be profitable in expectation, not merely in particular scenarios. For example, knowing the dog's name may open an occasional bank account, but the cost of determining one million users' dogs' names is far greater than that information is worth. The strategy that appears simple in isolation leads to bankruptcy in expectation. Many attacks cannot be made profitable, even when many profitable targets exist. We give several examples of insecure practices which should be exploited by a weakest-link attacker but are extremely difficult to turn into profitable attacks.
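The sum-of-effort argument in the abstract, as an added example that is not part of the report: a small Python model with constructed numbers, in which a mass attacker who cannot tell vulnerable users from the rest pays the per-target cost on everyone, so a tactic that pays off against each vulnerable user in isolation still loses money in expectation. The attack names, costs and success rates are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MassAttack:
    """One attack tactic applied to a whole population (constructed parameters)."""
    name: str
    cost_per_target: float    # paid on every target, vulnerable or not
    p_success: float          # fraction of targets on which the tactic works
    value_per_success: float  # expected take from one compromised account


def breakeven_cost(attack: MassAttack) -> float:
    """Largest per-target cost at which the mass attack breaks even: p * V."""
    return attack.p_success * attack.value_per_success


def expected_profit(attack: MassAttack, n_targets: int) -> float:
    """Sum-of-effort view: gain on the few successes minus cost paid on all."""
    gain = n_targets * attack.p_success * attack.value_per_success
    cost = n_targets * attack.cost_per_target
    return gain - cost


def profitable_targets(attack: MassAttack, n_targets: int) -> int:
    """How many targets would be profitable to attack in isolation."""
    if attack.cost_per_target >= attack.value_per_success:
        return 0
    return round(n_targets * attack.p_success)


def weakest_link_profit(attack: MassAttack, n_targets: int) -> float:
    """Hypothetical attacker who pays the cost only on vulnerable targets."""
    vulnerable = n_targets * attack.p_success
    return vulnerable * (attack.value_per_success - attack.cost_per_target)


# Constructed illustration of the abstract's dog's-name example: finding a
# name costs a few dollars of effort per user, one user in a thousand uses it
# as a password, and a compromised account is worth a few hundred dollars.
DOG_NAME = MassAttack("dog's name as password", 5.0, 0.001, 500.0)

if __name__ == "__main__":
    n = 1_000_000
    print(f"{DOG_NAME.name}: {profitable_targets(DOG_NAME, n)} profitable targets")
    print(f"weakest-link profit: {weakest_link_profit(DOG_NAME, n):,.0f}")
    print(f"expected mass-attack profit: {expected_profit(DOG_NAME, n):,.0f}")
    print(f"break-even cost per target: {breakeven_cost(DOG_NAME):.2f}")
```

With these numbers a thousand profitable accounts exist, yet the mass attacker must spend five million dollars to find them, so the expected profit is negative.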