Risks and benefits of signaling information system characteristics to strategic attackers

Journal of Management Information Systems

Volumn 26, Issue 3, 2009, Pages 241-274

  Cremonini, Marco ^a   Nizovtsev, Dmitri ^b  

^a UNIVERSITY OF MILAN   (Italy)

^b WASHBURN UNIVERSITY   (United States)

Author keywords

Cost benefit analysis; Crime deterrence; Games of complete and incomplete information; Information security; Information warfare; Interdependent strategies; Signaling

Indexed keywords

COMPLEX INFORMATION; DEFENSE STRATEGY; FINANCIAL GAINS; INCOMPLETE INFORMATION; INFORMATION SECURITY; INFORMATION WARFARE; SECURITY PRACTICE; TARGET PARAMETER;

COMPLEXATION; COST EFFECTIVENESS; INFORMATION SYSTEMS; SECURITY OF DATA; SIGNALING; TARGETS;

COST BENEFIT ANALYSIS;

EID: 77749320098     PISSN: 07421222     EISSN: None     Source Type: Journal    
DOI: 10.2753/MIS0742-1222260308     Document Type: Article

References (39)

1. Akerlof, G.A. The market for "lemons": Quality uncertainty and market mechanism. Quarterly Journal of Economics, 84, 3 (1970), 488-500.
2. Anderson, R.J., and Moore, T. Information security economics-and beyond. In A. Menezes (ed.), Advances in Cryptology-CRYPTO 2007. Lecture Notes in Computer Science 4622. Berlin and Heidelberg: Springer, 2007, pp. 68-91.
3. August, T., and Tunca, T.I. Network software security and user incentives. Management Science, 52, 11 (2006), 1703-1720.
4. Avizienis, A.; Laprie, J.; and Randell, B. Fundamental concepts of dependability. Technical Report no. 01145, Laboratoire d'Analyse et d'Architecture des Systemes, Centre National de la Recherche Scientifique, Toulouse, France, 2001.
5. Avizienis, A.; Laprie, J.; Randell, B.; and Landwehr, C. Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 1, 1 (2004), 11-33.
6. Baker, W.H.; Hylender, C.D.; and Valentine, J.A. 2008 data breach investigation report. Verizon Business Risk Team, New York, 2008 (available at www.verizonbusiness.com/resources/ security/databreachreport.pdf).
7. Becker, G.S. The economic way of looking at behavior. Journal of Political Economy, 101, 3 (1993), 385-409.
8. Bier, V.; Oliveros, S.; and Samuelson, L. Choosing what to protect: Strategic defensive allocation against an unknown attacker. Journal of Public Economic Theory, 9, 4 (2007), 563-587.
9. Cavusoglu, H., and Raghunathan, S. Configuration of detection software: A comparison of decision and game theory approaches. Decision Analysis, 1, 3 (2004), 131-148.
10. Cavusoglu, H.; Mishra, B.; and Raghunathan, S. A model for evaluating IT security investments. Communications of the ACM, 47, 7 (2004), 87-92.
11. Cavusoglu, H.; Mishra, B.; and Raghunathan, S. The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16, 1 (2005), 28-46.
12. Cavusoglu, H.; Raghunathan, S.; and Yue, W.T. Decision theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25, 2 (Fall 2008), 281-304.
13. Cremonini, M., and Nizovtsev, D. Understanding and influencing attackers' decisions: Implications for security investment strategies. Paper presented at the Fifth Workshop on the Economics of Information Security (WEIS 2006), Cambridge, UK, June 26-28, 2006.
14. Enders, W., and Sandler, T. What do we know about the substitution effect in transnational terrorism? In A. Silke and G. Ilardi (eds.), Researching Terrorism Trends, Achievements, Failures. Ilford, UK: Frank Cass, 2004, pp. 119-137.
15. Franklin, J.; Paxson, V.; Perrig, A.; and Savage, S. An inquiry into the nature and causes of the wealth of Internet miscreants. In S. De Capitani, P. Syverson, and D. Evans (eds.), Proceedings of the Fourteenth ACM Conference on Computer and Communications Security. New York; AC M Press, 2007, pp. 375-388.
16. Gordon, L.A., and Loeb, M.P. The economics of information security investment. ACM Transactions on Information and System Security, 5, 4 (2002), 438-457.
17. Gordon, L.A., and Loeb, M. Managing Cybersecurity Resources: A Cost-Benefit Analysis. New York: McGraw-Hill, 2005.
18. Hausken, K. Income, interdependence, and substitution effects affecting incentives for security investment. Journal of Accounting and Public Policy, 25, 6 (2006), 629-665.
19. Hausken, K. Strategic defense and attack for series and parallel reliability systems. European Journal of Operational Research, 186, 2 (2008), 856-881.
20. Jonsson, E., and Olovsson, T. A quantitative model of the security intrusion process based on attacker behavior. IEEE Transactions on Software Engineering, 23, 4 (1997), 235-245.
21. Kennedy, D.M. Deterrence and Crime Prevention: Reconsidering the Prospect of Sanction. New York: Routledge, 2008.
22. Kiefer Peretti, K. Data breaches: What the underground world of "carding" reveals. Computer Crime and Intellectual Property Section, U.S. Department of Justice, Washington, DC, 2008 (available at www.usdoj.gov/criminal/cybercrime/DataBreachesArticle.pdf).
23. Kuhnreuther, H., and Heal, G. Interdependent security. Journal of Risk and Uncertainty, 26, 2-3 (2003), 231-249.
24. Leeson, P.T., and Coyne, C.J. The economics of computer hacking. Journal of Law, Economics and Policy, 1, 2 (2006), 511-532.
25. Littlewood, B.; Brocklehurst, S.; Fenton, N.; Mellor, P.; Page, S.; Wright, D.; Dobson, J.; McDermid, J.; and Gollmann, D. Towards operational measures of computer security. Journal of Computer Security, 2, 3 (1993), 211-229.
26. Liu, P.; Zang, W.; and Yu, M. Incentive-based modeling and inference of attacker intent, objectives, and strategies. ACM Transactions on Information and System Security, 8, 1 (2005), 78-118.
27. McDermott, J. Attack-potential-based survivability modeling for high-consequence systems. In J.L. Cole and S.D. Wolthusen (eds.), Proceedings of the Third IEEE International Information Assurance Workshop. Los Alamitos, CA : IEEE Computer Society, 2005, pp. 119-130.
28. Nicol, D.M.; Sanders, W.H.; and Trivedi, K.S. Model-based evaluation: From dependability to security. IEEE Transactions on Dependable and Secure Computing, 1, 1 (2004), 48-65.
29. Ning, P.; Cui, Y.; Reeves, D.S.; and Xu, D. Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security, 7, 2 (2004), 274-318.
30. Ortalo, R.; Deswarte, Y.; and Kaâniche, M. Experiments with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering, 25, 5 (1999), 633-650.
31. Png, I.P.L.; Wang, C.Y.; and Wang, Q.H. The deterrent and displacement effects of information security enforcement: International evidence. Journal of Management Information Systems, 25, 2 (Fall 2008), 125-144.
32. Reinganum, J. A dynamic game of R&D: Patent protection and competitive behavior. Econometrica, 50, 3 (1982), 671-688.
33. Schechter, S.E. Computer security strength and risk: A quantitative approach. Ph.D. dissertation, Division of Engineering and Applied Sciences, Harvard University, Cambridge, 2004.
34. Schechter, S.E., and Smith, M.D. How much security is enough to stop a thief? The economics of outsider theft via computer systems and networks. In R.N. Wright (ed.), Financial Cryptography Conference. Lecture Notes in Computer Science 2742. Berlin: Springer, 2003, pp. 122-137.
35. Swire, P.P. A model for when disclosure helps security: What is different about computer and network security? Journal on Telecommunications and High Technology Law, 3, 1 (2004), 163-208.
36. Swire, P.P. A theory of disclosure for security and competitive reasons: Open source, proprietary software, and government agencies. Houston Law Review, 42, 5 (2006), 1333-1380.
37. Valeur, F.; Vigna, G.; Kruegel, C.; and Kemmerer, R.A. A comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing, 1, 3 (2004), 146-169.
38. Wespi, A.; Debar, H.; Dacier, M.; and Nassehi, M. Fixed- vs. variable-length patterns for detecting suspicious process behavior. Journal of Computer Security, 8, 2-3 (2000), 1-15.
39. Zhou, J.; Heckman, M.; Reynolds, B.; Carlson, A.; and Bishop, M. Modeling network intrusion detection alerts for correlation. ACM Transactions on Information and System Security, 10, 1 (2007), 1-31.