When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination

This paper analyzes interactions between a firm that seeks to discriminate between normal users and hackers who try to penetrate and compromise the firm's information assets. We develop an analytical model in which a variety of factors are balanced to best manage the detection component of information security management. The approach considers not only conventional factors such as detection rate and false-positive rate, but also factors associated with hacker behavior that occurs in response to improvements the firm makes to the detection system. Detection can be improved by increasing the system's discrimination ability (i.e., the ability to distinguish between attacks and normal usage) through the application of maintenance effort. The discrimination ability deteriorates over time due to changes in the environment. In addition, there is the possibility of sudden shocks that can sharply degrade the discrimination ability. The firm's cost increases as hackers become more knowledgeable by disseminating security knowledge within the hacker population. The problem is solved to reveal the presence of a steady-state solution in which the level of system discrimination ability and the maintenance effort are held constant. We find an interesting result in which, under certain conditions, hackers do not benefit from disseminating security knowledge among one another. In other situations, we find that hackers do benefit because the firm must lower its detection rate in the presence of knowledge dissemination. Other insights into managing detection systems are provided. For example, the presence of security shocks can increase or decrease the optimal discrimination level as compared to the optimal level without shocks.
