search menu icon-carat-right cmu-wordmark


June 2005 White Paper
Aaron Hackworth

In this 2005 paper, the authors give an overview of spyware, provide examples of common threats, and describe how to defend against spyware.


Software Engineering Institute


Spyware has existed at least since the early 1980's when keyloggerswere discovered on computers at university campuses. Subsequently, there has been a steady growth in the use of spyware by online attackers and traditional criminals to execute crimes against individuals, businesses, and governments. 

These crimes have both direct economic impacts, as in the case of identity theft and credit card fraud, as well as more subtle, lasting impacts, caused by shaking consumer's confidence and willingness to participate in modern electronic commerce. Reducing threats from spyware is an important part of slowing the erosion of public faith in online business transactions and maintaining healthy economic growth.

Making lasting reductions in spyware activity requires recognition of the financial motives and taking steps towards architecting the value out of the activity. As a business activity, deploying spyware generates revenues from the information collected and entails basic costs such as the purchase or development of malicious software (known as malware), distribution channel costs to deploy and install spyware on the target systems, and loss expectance in the form of criminal or civil penalties levied by the courts. While this is a simplified business model, it covers the main areas and serves as a starting point to discuss how to take the value and profit out of spyware activity.

Technical solutions that combat spyware generally focus on finding, blocking, or removing spyware. The counter-response to these approaches is usually the development of improved spyware. This is because there is still enough potential profit to make the effort worthwhile.

Designing systems and policies that lower the value of spyware-related activity is a better longterm solution because it helps to reduce the value of using spyware rather than simply defending against it.

The following gives an overview of spyware, provides examples of some common threats, and outlines policies and practices to defend against spyware and architect the value out of the spyware market.