The trouble with (supply-side) counts: the potential and limitations of counting sites,vendors or products as a metric for threat trends on the Dark Web

Many national security threats now originate on the Dark Web. As a result of the anonymity of these networks, researchers and policymakers often use supply-side data (i.e. the number of sites) as a threat metric. However, the utility of these data depends upon the underlying distribution of users. Users could be distributed uniformly, normally or in a power law across Dark Web content. The utility of supply-side counts varies predictably based upon the underlying distribution of users. Yet, the likelihood of each distribution type varies inversely with its utility: uniform distributions are most useful for intelligence purposes but least likely and power law distributions are least useful but occur most commonly. Complementing supply-side counts with demand-side measures can improve Dark Web threat analysis, thereby helping to combat terrorism, criminality and cyberattacks.