"We are at high risk, don't get me wrong," Black says. "Just the examples aren't there."

But Roiter suggests there may plenty of examples that the police simply don't know about. Extortion, he says, is a crime that usually goes unreported, making it impossible to know how prevalent it is. While countries do differ in terms of the types of DDoS attacks they experience, certain industries are magnets for these types of crimes, Roiter says. He notes, for example, that Canada has a "healthy online gambling industry."

"Gambling sites are very popular targets. There's a lot of that that goes on in online gambling. And usually they'll pay the ransom. Think of it this way: somebody gives you that call before World Cup match when you know you're going to be doing hundreds of thousands, maybe a million dollars in business, and they say, 'pay us $50,000' or '£30,000' or whatever it is. You're going to pay."

Roiter says part of the reason that companies are forced to give into criminals' demands is not necessarily that they haven't taken protective measures, but that they haven't taken the right ones. They may be protected from network-based attacks and aren't ready for the newer application-level attacks.

"The networking flooding attacks, the SYN flood, the UDP attacks, the ICMP attacks, those sorts of things are becoming less prevalent, and application-layer attacks, which use far less bandwidth and are much harder to detect and mitigate, are becoming dominant."