{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:22:08Z","timestamp":1766442128034,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":54,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765026","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:33:16Z","timestamp":1763854396000},"page":"663-677","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Can IOCs Impose Cost? The Effects of Publishing Threat Intelligence on Adversary Behavior"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-7430-8942","authenticated-orcid":false,"given":"Xander","family":"Bouwman","sequence":"first","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-5738-7458","authenticated-orcid":false,"given":"Aksel","family":"Ethembabaoglu","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-0079-3408","authenticated-orcid":false,"given":"Bart","family":"Hermans","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4699-3007","authenticated-orcid":false,"given":"Carlos","family":"Ga\u00f1\u00e1n","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, 
Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0338-2812","authenticated-orcid":false,"given":"Michel","family":"van Eeten","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"The 24th Workshop on the Economics of Information Security (WEIS)","author":"Agarwal S.","year":"2099","unstructured":"S. Agarwal and M. Vasek. 2025. Examining Newly Registered Phishing Domains at Scale. In The 24th Workshop on the Economics of Information Security (WEIS). Tokyo, Japan. https:\/\/discovery.ucl.ac.uk\/id\/eprint\/10209951"},{"key":"e_1_3_2_1_2_1","first-page":"2783","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Alahmadi Bushra A.","year":"2022","unstructured":"Bushra A. Alahmadi, Louise Axon, and Ivan Martinovic. 2022. 99% False Positives: A Qualitative Study of SOC Analysts' Perspectives on Security Alarms. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 2783-2800. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/alahmadi"},{"key":"e_1_3_2_1_3_1","unstructured":"M. Armelli S. Caudill J.P. Dees M. Eager J. Keltz I. Pelekis J. Sakellariadis V.V. Singh and K. von Ofenheim. 2020. Cyber Threat Intelligence - What is the Impact of Information Disclosures on an Adversary's Operations? Technical Report. University of Columbia SIPA. https:\/\/www.sipa.columbia.edu\/academics\/capstone-projects\/cyber-threat-intelligence-what-impact-information-disclosures-adversary"},{"key":"e_1_3_2_1_4_1","volume-title":"General Acknowledges. (Dec.","author":"Barnes J. E.","year":"2021","unstructured":"J. E. Barnes. 2021. U.S. Military Has Acted Against Ransomware Groups, General Acknowledges. (Dec. 2021). 
https:\/\/www.nytimes.com\/2021\/12\/05\/us\/politics\/us-military-ransomware-cyber-command.html"},{"key":"e_1_3_2_1_5_1","unstructured":"R. Bevington. 2024. Turning the tables: Using cyber deception to hunt phishers at scale. https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-creates-fake-azure-tenants-to-pull-phishers-into-honeypots"},{"key":"e_1_3_2_1_6_1","unstructured":"Bianco D. 2013. The Pyramid of Pain. http:\/\/detect-respond.blogspot.com\/2013\/03\/the-pyramid-of-pain.html"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382284"},{"key":"e_1_3_2_1_8_1","first-page":"433","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Bouwman Xander","year":"2020","unstructured":"Xander Bouwman, Harm Griffioen, Jelle Egbers, Christian Doerr, Bram Klievink, and Michel van Eeten. 2020. A different cup of TI? The added value of commercial threat intelligence. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 433-450. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/bouwman"},{"key":"e_1_3_2_1_9_1","first-page":"1149","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Bouwman Xander","year":"2022","unstructured":"Xander Bouwman, Victor Le Pochat, Pawel Foremski, Tom Van Goethem, Carlos H. Ganan, Giovane C. M. Moura, Samaneh Tajalizadehkhoob, Wouter Joosen, and Michel van Eeten. 2022. Helping hands: Measuring the impact of a large threat intelligence sharing community. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 1149-1165. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/bouwman"},{"key":"e_1_3_2_1_10_1","volume-title":"Proceedings of the Workshop on the Economics of Information Security (WEIS)","author":"Brunt Ryan","year":"2017","unstructured":"Ryan Brunt, Prakhar Pandey, and Damon McCoy. 2017. 
Booted: An analysis of a payment intervention on a ddos-for-hire service. In Proceedings of the Workshop on the Economics of Information Security (WEIS). La Jolla, CA, USA."},{"volume-title":"The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics","author":"Buchanan Ben","key":"e_1_3_2_1_11_1","unstructured":"Ben Buchanan. 2020. The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. Harvard University Press, Cambridge, MA, USA."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jeconom.2020.12.001"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3161636"},{"key":"e_1_3_2_1_14_1","unstructured":"CompaniesMarketCap.com. 2025. CrowdStrike (CRWD) - Market capitalization. https:\/\/companiesmarketcap.com\/usd\/crowdstrike\/marketcap"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","unstructured":"G. Di Tizio M. Armellini and F. Massacci. 2022. Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats. (May 2022) 1. doi:10.1109\/TSE.2022.3176674","DOI":"10.1109\/TSE.2022.3176674"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","unstructured":"J. Dykstra K. Shortridge J. Met and D. Hough. 2022. Sludge for Good: Slowing and Imposing Costs on Cyber Attackers. (Nov. 2022). arXiv:2211.16626 doi:10.48550\/arXiv.2211.16626","DOI":"10.48550\/arXiv.2211.16626"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"crossref","unstructured":"M. P. Fischerkeller E. O. Goldman and R. J. Harknett. 2022. Cyber Persistence Theory. Oxford University Press Oxford England UK. https:\/\/global.oup.com\/academic\/product\/cyber-persistence-theory-9780197638262","DOI":"10.1093\/oso\/9780197638255.001.0001"},{"key":"e_1_3_2_1_18_1","unstructured":"Gartner. 2021. Market Guide for Security Threat Intelligence Products and Services."},{"key":"e_1_3_2_1_19_1","volume-title":"Quality Evaluation of Cyber Threat Intelligence Feeds. 
In International Conference on Applied Cryptography and Network Security (ACNS).","author":"Griffioen Harm","year":"2020","unstructured":"Harm Griffioen, Tim M. Booij, and Christian Doerr. 2020. Quality Evaluation of Cyber Threat Intelligence Feeds. In International Conference on Applied Cryptography and Network Security (ACNS)."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyz008"},{"key":"e_1_3_2_1_21_1","volume-title":"National Cybersecurity Strategy. (March","author":"White House U.S.","year":"2023","unstructured":"U.S. White House. 2023. National Cybersecurity Strategy. (March 2023). https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2023\/03\/02\/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy"},{"key":"e_1_3_2_1_22_1","volume-title":"The Case for Scale in Cyber Security. https:\/\/media.ccc.de\/v\/36c3-11220-the_case_for_scale_in_cyber_security [Conference talk","author":"Iozzo Vincenzo","year":"2020","unstructured":"Vincenzo Iozzo. 2019. The Case for Scale in Cyber Security. https:\/\/media.ccc.de\/v\/36c3-11220-the_case_for_scale_in_cyber_security [Conference talk; accessed 4. Feb. 2020]."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","unstructured":"C. Johnson L. Badger D. Waltermire J. Snyder and C. Skorupka. 2016. Guide to Cyber Threat Information Sharing. Technical Report. National Institute of Standards and Technology. http:\/\/dx.doi.org\/10.6028\/NIST.SP.800-150","DOI":"10.6028\/NIST.SP.800-150"},{"key":"e_1_3_2_1_24_1","unstructured":"Joseph Cox. 2020. Internal Docs Show Why the US Military Publishes North Korean Russian Malware. Vice.com. 
https:\/\/www.vice.com\/en\/article\/5dmwyx\/documents-how-cybercom-publishes-russian-north-korean-malware-virustotal"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/BigData59044.2023.10386664"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.52306\/2578-3289.1121"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_2_1_28_1","first-page":"851","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Li Vector Guo","year":"2019","unstructured":"Vector Guo Li, Matthew Dunn, Paul Pearce, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. 2019. Reading the Tea leaves: A Comparative Analysis of Threat Intelligence. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 851-867. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/li"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1080\/02684527.2020.1840746"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","unstructured":"E. D. Lonergan and S. W. Lonergan. 2022. Cyber Operations Accommodative Signaling and the De-Escalation of International Crises. (Jan. 2022). doi:10.1080\/09636412.2022.2040584","DOI":"10.1080\/09636412.2022.2040584"},{"key":"e_1_3_2_1_31_1","unstructured":"Lonergan E. and Poznansky M. 2023. Are We Asking Too Much of Cyber? https:\/\/warontherocks.com\/2023\/05\/are-we-asking-too-much-of-cyber"},{"key":"e_1_3_2_1_32_1","unstructured":"Martin Matishak. 2024. As Cyber Command evolves its novel malware alert system fades away. https:\/\/therecord.media\/cyber-command-virustotal-twitter-malware-alerts-cnmf"},{"key":"e_1_3_2_1_33_1","unstructured":"Martin Matishak and Jonathan Greig. 2024. US confirms takedown of China-run botnet targeting home and office routers. 
https:\/\/therecord.media\/china-run-botnet-takedown-fbi-doj-routers"},{"key":"e_1_3_2_1_34_1","volume-title":"Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity. (1","author":"Maurer Tim","year":"2020","unstructured":"Tim Maurer and Garret Hinck. 2020. Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity. (1 2020). https:\/\/jnslp.com\/2020\/01\/23\/persistent-enforcement-criminal-charges-as-a-response-to-nation-state-malicious-cyber-activity"},{"key":"e_1_3_2_1_35_1","unstructured":"L. B. Metcalf D. Ruef and J. M. Spring. 2017. Open-source Measurement of Fast-flux Networks While Considering Domain-name Parking. 13-24 pages. https:\/\/www.usenix.org\/conference\/laser2017\/presentation\/metcalf"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/1299015.1299016"},{"volume-title":"U.S. Cyber Command before the 117th Congress. https:\/\/www.cybercom.mil\/Media\/News\/Article\/2989087\/posture-statement-of-gen-paul-m-nakasone-commander-us-cyber-command-before-the","author":"Nakasone P.M.","key":"e_1_3_2_1_37_1","unstructured":"P.M. Nakasone. 2022. Posture statement of Gen. Paul M. Nakasone, commander, U.S. Cyber Command before the 117th Congress. https:\/\/www.cybercom.mil\/Media\/News\/Article\/2989087\/posture-statement-of-gen-paul-m-nakasone-commander-us-cyber-command-before-the"},{"key":"e_1_3_2_1_38_1","volume-title":"Understanding Threat Actor Naming Conventions. https:\/\/www.infosecurityeurope.com\/en-gb\/blog\/threat-vectors\/understanding-threat-actor-naming-conventions.html","author":"Poireault Kevin","year":"2023","unstructured":"Kevin Poireault. 2023. Understanding Threat Actor Naming Conventions. https:\/\/www.infosecurityeurope.com\/en-gb\/blog\/threat-vectors\/understanding-threat-actor-naming-conventions.html"},{"key":"e_1_3_2_1_39_1","unstructured":"Ponemon Institute. 2019. 
The Value of Threat Intelligence: The Second Annual Study of North American & United Kingdom Companies. Technical Report February. Ponemon Institute."},{"key":"e_1_3_2_1_40_1","unstructured":"Michael Raggi. 2024. IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/china-nexus-espionage-orb-networks"},{"key":"e_1_3_2_1_41_1","unstructured":"Florian Roth. 2018. The Newcomer's Guide to Cyber Threat Actor Naming. https:\/\/medium.com\/@cyb3rops\/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"crossref","unstructured":"J. Sigholm and M. Bang. 2013. Towards Offensive Cyber Counterintelligence: Adopting a Target-Centric View on Advanced Persistent Threats. (2013) 166-171. https:\/\/www.diva-portal.org\/smash\/record.jsf?pid=diva2%3A640955&dswid=6375","DOI":"10.1109\/EISIC.2013.37"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.04.003"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-94-6265-419-8_20"},{"key":"e_1_3_2_1_45_1","volume-title":"Watson","author":"Stock James H.","year":"2020","unstructured":"James H. Stock and Mark W. Watson. 2020. Introduction to Econometrics, 4th edition. Pearson.","edition":"4"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","unstructured":"L. Sun and S. Abraham. 2021. Estimating dynamic treatment effects in event studies with heterogeneous treatment effects. Vol. 225 2 (12 2021) 175-199. 
doi:10.1016\/j.jeconom.2020.09.006","DOI":"10.1016\/j.jeconom.2020.09.006"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_7"},{"key":"e_1_3_2_1_48_1","volume-title":"Proceedings of the Workshop on the Economics of Information Security (WEIS)","author":"Thomas Kurt","year":"2015","unstructured":"Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Thomas J Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, and Giovanni Vigna. 2015. Framing Dependencies Introduced by Underground Commoditization. In Proceedings of the Workshop on the Economics of Information Security (WEIS). Delft, The Netherlands."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSR57506.2023.10224937"},{"key":"e_1_3_2_1_50_1","unstructured":"Brandon Valeriano. 2020. Cost Imposition Is the Point: Understanding U.S. Cyber Operations and the Strategy Behind Achieving Effects. https:\/\/www.lawfareblog.com\/cost-imposition-point-understanding-us-cyber-operations-and-strategy-behind-achieving-effects"},{"key":"e_1_3_2_1_51_1","volume-title":"Alerts and Incidents in Network Intrusion Detection. In ASIA CCS '22: ACM Asia Conference on Computer and Communications Security","author":"Vermeer Mathew","year":"2022","unstructured":"Mathew Vermeer, Carlos Ga\u00f1\u00e1n, and Michel van Eeten. 2022. Ruling the Rules: Quantifying the Evolution of Rulesets, Alerts and Incidents in Network Intrusion Detection. In ASIA CCS '22: ACM Asia Conference on Computer and Communications Security, Nagasaki, May 30-June 3, 2022. ACM."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616581"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66332-6_21"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","unstructured":"R. L. Wasserstein A. L. Schirm and N. A. Lazar. 2019. Moving to a World Beyond ''p < 0.05''. (3 2019). 
doi:10.1080\/00031305.2019.1583913","DOI":"10.1080\/00031305.2019.1583913"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765026","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:18:23Z","timestamp":1766441903000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765026"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":54,"alternative-id":["10.1145\/3719027.3765026","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765026","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}