Not just BANAL: How branding shapes cybercrime ecosystems

We consider the trend of (self-)consciously branding bugs and vulnerabilities in what we deem to be a BANAL (Bug with A Name and A Logo) manner. However, there is a great deal more naming and branding going on in cybercrime and cybersecurity than this. We show how the use of names by criminologists, cybersecurity companies and the academics who study cybercrime fundamentally shapes the way in which both attackers and defenders understand cybercrime ecosystems. We argue that there are four main functions of naming present: names as deviant labelling, names as a way of structuring practices and scripts, names as branding or marketing, and names as a tool of information brokerage. We further contend that the cultural functions of labelling and marketing are overwhelming the practical functions of co-ordinating practices and assessing the criminal innovation ecosystem; names are exploding cybercrime rather than integrating it. By applying frameworks from criminology and evolutionary economics, we explore the complex dynamics of naming and branding in cybercrime and suggest interventions.