How an Offhand Joke Led to a New Game and a Heated Rivalry Among Coworkers
Or, why I work for the best company ever
The NFL season kicks off Thursday, but more importantly, for many, it’s the beginning of fantasy football.
A friend of mine has been preparing most of the year. He did his first mock draft in February. He studies the numbers. He knows the upsides and risks of each player. Our league trophy, a bobble-head coach emblazoned with “Fantasy Football League Champion: 2013,” sits above his TV and will taunt me as we gather on Monday to do our first in-person, live draft this year.
But that’s irrelevant. I’m consumed with a far more important draft this year. It started as a blog — written as a joke — but has quickly spiraled out of control.
In heated arguments this week we’ve fine-tuned the scoring system, the rules, and the prize: public glory as the top data analyst at HackSurfer, plus nearly a full year to shame all of our coworkers.
On Thursday we launch our Fantasy Cybercrime Draft.

Two years ago, I knew nothing about cybersecurity. My boss gave me this advice as I became the editor of HackSurfer:
“Most articles on cybercrime are written for tech people. They’ll put you to sleep by the third paragraph. We need to change that.”
That was our mantra. But we also had tons of data. At least, it seemed like a ton.
Since this is my first cyber company, I’ll leave the explanation to Richard Byrne Reilly at VentureBeat, who wrote recently, “[Surfwatch Labs founder Jason Polancich] and his team of former NSA security spooks are building what may be the largest database of security threats on the planet.”
It takes a unique person to work remotely. Looking into my office window is like watching a caged beast at the zoo. My hair and beard are unkempt. I mutter to myself, occasionally shouting obscenities at my screen or laughing hysterically at seemingly random moments. I’m constantly snacking.
In order to stay sane, we play games. As a joke, I decided to poke around our data as if I was scouting for the ultimate fantasy cybercrime team. If I had to draft a team, what would be the best actors, targets, effects and practices?
I blogged about it, laughing hysterically (when working from home, you’re always the funniest person in the room). It didn’t take long for a challenge to emerge from a coworker. From there, it snowballed.
It’s now serious business.
As a side effect, it’s a fun way to study cybercrime without falling asleep. It’s also a fun way to spread awareness of how cybercrime affects business.
So we thought we’d share our antics this year.
Create your own league and play along. Or follow our fantasy blog every Monday on HackSurfer.com as we recap our league and vie for the championship.
The complete draft day manifesto (yes, there are Matthew Berry types in our league) is below …
Fantasy Cybercrime 101: Draft Day Manifesto
The rules for building a team are just like fantasy football, except we use cybercrime tags from SurfWatch Labs:
- 1 Industry sector – quarterback
- 2 Targets* – receivers
- 2 Actors* – running backs
- 1 Practice – tight end
- 1 Philosophy (hacktivist, state-sponsored, etc.) – defense/special teams
- 1 Effect – Kicker
*Actor and Target selections are individual tags, all others are macro category tags.
I’ve got the #1 pick, what should I do?
Traditional thinking is to lock down a top industry, especially in the deeper leagues where the heavily targeted sectors get picked up fast. First to go are typically Information Technology, Government, Financials, and Consumer Goods.
But a look at the risk scores from the past few months shows that IT isn’t the clear-cut #1 pick. In fact, over the past three months IT has seen a slight month-to-month drop-off in cybercrime risk, whereas sectors like Consumer Goods, Other Organizations, Industrials and Energy have seen steady growth in risk over the summer.
Will that growth continue and those sectors become dominant players this season?

I’d say that IT is always a safe bet, but as we saw last year, a big breach at the proper moment could mean victory.
The recent Department of Homeland Security warnings that over 1,000 US businesses are likely infected with the Backoff point-of-sale malware have helped push Consumer Goods into contention as the #1 pick. With UPS becoming the 41st company tied to POS malware this year, and now rumors that Dairy Queen may have been infected as well, Consumer Goods is my recommendation as the #1 pick. There’s nothing but upside.
But if you’re still on the fence despite my advice (sure, I didn’t win last year, but I was close!), the industry reports done by our data analysts provide excellent insight into draft strategy. Here’s the latest IT scouting report:

My Sleeper Pick: Healthcare, which saw a huge breach at Community Health Systems in August, has managed to lead all other sectors in distinct industry targets this year. As SurfWatch Labs’ “First Half 2014 Trends Report” points out, “Over 27% of all distinct cybercrime targets are related to Healthcare, yet it only garnered 2.8% of the discussion.”
That’s the definition of a sleeper.
Choosing Weapons: Advice on Actors and Targets
Last year we saw a few people make the crucial mistake of overvaluing actors, particularly hacktivists.
I admit, I too was high with Syrian-Electronic-Army fever last year (I tried, and luckily failed, to grab the Entertainment sector with my first-round pick based solely on their attacks). The problem is that most attacks have unidentified actors, which leaves the pool of actors mostly open to the ever-growing group of script kiddies who like to beef up their importance with the usual self-congratulatory circle jerk of tweets and retweets of “Tango down!” and “Lolz.”
Sure, there are some genuine players out there, but do you want to pass up on the U.S. government (both as an actor and target) in order to make room for some kid with Cheeto stains on his t-shirt and way too much time on his hands to use a Low Orbit Ion Cannon?
Targets are sporadic. Don’t take chances. Stick with the tried and true players, like I did last year:
The World Cup is over. Anonymous protests around the shooting in Ferguson are cooling off. Maybe another hacktivist protest will make waves, but don’t make the mistake of getting caught up in that hoopla. Other attacks are stealing millions and forcing businesses to close their doors.
Think Code Spaces.
Your Season Can be Won or Lost in the Late Rounds
Everyone likes focusing on sectors and targets, but that’s only half the game.
When it comes to cybercrime, the most important things are often not who was attacked, but what happened (effect) and how they did it (practice).

Everyone will be trying to snag Data Stolen/Leaked and Infected Exploited Assets, as they’re consistently the top trending effects, but remember the old adage: follow the money. Financial Loss and Fraud, while not as widely discussed, have the potential for a big score and severe effects.
My Sleeper Pick: Credentials Stolen/Leaked may not be as trendy as stolen data or DDoS attacks (Service Interruption), and it can be easy to get caught up in all the fancy new tactics cybercriminals use. But I always remember what 41st Parameter’s David Britton told us at the end of 2013: “What we typically find is really happening is most of the malware on the market today – whether it’s using man-in-the-browser tactics, whether it’s using things like session hijacking, whether it’s using things like HTML injection – almost every case they are still simply harvesting credentials.”

When it comes to practices: malware, malware, malware. It’s all anyone seems to talk about, so expect your less educated league mates to duke it out over that one. Yes, it’s serious, but I guarantee it’s going to be overvalued and someone will reach early and snatch it — maybe even as early as the second round.
But think of all the other big players here. Software vulnerability exploits have been a consistent scorer, and imagine if something even a quarter as big as Heartbleed hits the news cycle. And of course we have Espionage. Sure, it’s not as common as malware, but the potential of a big score from an APT-type espionage attack is huge. There are plenty of options to choose from here.
My Sleeper Pick: Charles Tendell, founder of Azorian Cyber Security, joined us for a HackSurfer Hangout in June and told us, “Insider threats are much harder to combat than just about anything.” That’s why Insider Activity is my sleeper pick. It’s the one practice that many don’t think about when it comes to cybercrime, so while your friends are battling it out over traditional “hacking” activity like network attacks and social engineering, have confidence that this practice, which can have severe effects and is hard to stop, will be sitting there waiting for you.
Philosophy
Lastly, when it comes to overall philosophy, what’s the best strategy? As you can see, most cybercrime actors are unidentified, but set that aside and there are some identified philosophies.

The best choice is clear: state-sponsored. The firepower is unmatched and there’s always a high level of activity.
If you can’t get the big government badass on your side (or if you’re the type that refuses out of principle) then you have to decide between consistency and potential. Hacktivism is going to get a lot of action, but it’s mostly just defacements mixed with minor attacks and a whole lot of bluster. Organized Crime or Individual may offer more of an upside, but those events aren’t as public, so you may be left waiting for the big score or the big arrest to shine light on those attacks.
My Not-So-Sleeper Pick: Pickings are limited here, so my advice is to simply try not to get stuck with Cyberterrorist. Everyone talks a big game about a “cyber Pearl Harbor,” and there has been talk of a super-Stuxnet being developed, but cybercrime is mostly death by a thousand cuts, not one big bomb.
Plus, do you really want to be the only person jumping up and down when some cyberterrorist attacks someone’s pacemaker or knocks out half the power grid?
No, you don’t.
Best of luck this season.