Abstract:
We model economic behavior of attackers when they are able to obtain complete information about the security characteristics of targets and when such information is unavailable. We find that when attackers are able to distinguish targets by their security characteristics and switch between multiple alternative targets, the effect of a given security measure is stronger. That is due to the fact that attackers rationally put more effort into attacking systems with low security levels. Ignoring that effect would result in underinvestment in security or misallocation of security resources. We also find that systems with better levels of protection have stronger incentives to reveal their security characteristics to attackers than poorly protected systems. Those results have important implications for security practices and policy issues.
Keywords:Economics of information systems, information system security, perceived security, investment evaluation, attacker behavior.
Fulltext:
PDF file (499 kB)