Attackers’ Motivation and Security Investment
Contributions to game theory and management, Vol. 1 (2007), pp. 43-67.


We model the economic behavior of attackers both when they can obtain complete information about the security characteristics of targets and when such information is unavailable. We find that when attackers can distinguish targets by their security characteristics and switch between multiple alternative targets, the effect of a given security measure is stronger, because attackers rationally direct more effort at systems with low security levels. Ignoring this effect results in underinvestment in security or misallocation of security resources. We also find that systems with better levels of protection have stronger incentives to reveal their security characteristics to attackers than poorly protected systems do. These results have important implications for security practice and policy.
Keywords: Economics of information systems, information system security, perceived security, investment evaluation, attacker behavior.
@article{CGTM_2007_1_a4,
     author = {Marco Cremonini and Dmitri Nizovtsev},
     title = {Attackers{\textquoteright} {Motivation} and {Security} {Investment}},
     journal = {Contributions to game theory and management},
     pages = {43--67},
     publisher = {mathdoc},
     volume = {1},
     year = {2007},
     language = {en},
     url = {http://geodesic.mathdoc.fr/item/CGTM_2007_1_a4/}
}
TY  - JOUR
AU  - Marco Cremonini
AU  - Dmitri Nizovtsev
TI  - Attackers’ Motivation and Security Investment
JO  - Contributions to game theory and management
PY  - 2007
SP  - 43
EP  - 67
VL  - 1
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/CGTM_2007_1_a4/
LA  - en
ID  - CGTM_2007_1_a4
ER  - 
%0 Journal Article
%A Marco Cremonini
%A Dmitri Nizovtsev
%T Attackers’ Motivation and Security Investment
%J Contributions to game theory and management
%D 2007
%P 43-67
%V 1
%I mathdoc
%U http://geodesic.mathdoc.fr/item/CGTM_2007_1_a4/
%G en
%F CGTM_2007_1_a4
Marco Cremonini; Dmitri Nizovtsev. Attackers’ Motivation and Security Investment. Contributions to game theory and management, Vol. 1 (2007), pp. 43-67. http://geodesic.mathdoc.fr/item/CGTM_2007_1_a4/
