Understanding and Influencing Attackers' Decisions: Implications for Security Investment Strategies

We model the economic behavior of attackers both when they can obtain complete information about the security characteristics of targets and when such information is unavailable. We find that when attackers can distinguish targets by their security characteristics and switch between multiple alternative targets, the effect of a given security measure is stronger. This is because attackers rationally put more effort into attacking systems with low security levels. Ignoring that effect would result in underinvestment in security or misallocation of security resources. We also find that systems with better levels of protection have stronger incentives to reveal their security characteristics to attackers than poorly protected systems. These results have important implications for security practices and policy issues.
