An Experimental Study to Explore Attacker Response to Changes in Security and Reward

Abstract: In previous simulation studies, attackers were assumed to respond to changes in reward with an S shaped curve and to changes in security with a declining S shaped curve. This paper reports experimental work that investigates the validity of those assumptions. In general, the results suggest that the assumptions are reasonable. BackgroundMuch of the research in computer security focuses on the technological systems interactions. Walters, Liang, Shi, and Chaudhary [1] focus on the technological portion of wirele… Show more

“…The majority of security-related economics analysis of human behavior has focused on experts' (e.g., system or network administrators) responses to threat [Christin et al, 2004, Grossklags et al, 2008b, Hota and Sundaram, 2015, Johnson et al, 2010, organizational responses to threat [Campbell et al, 2003, Gal-Or and Ghose, 2005, Miura-Ko et al, 2008, or attackers [Alpcan and Basar, 2006, Chen and Leneutre, 2009, Liu et al, 2006, Manshaei et al, 2013, Sallhammar et al, 2005, Shim et al, 2012. For example, Grossklags and colleagues conduct a number of different studies applying game-theoretic models to examine expert behavior in attack/defense security games [Christin et al, 2004, Grossklags et al, 2008a,b, Johnson et al, 2010 finding evidence of unclear risks and bounded rationality for security professionals; and relatedly, Rounds et al examined the impact of changes in security and reward on attacker responses, finding that as the value of an account increases, so too does the number of attacks on that account; and as the amount of security on an account increases so too does the number of attacks decrease [Rounds et al, 2013]. These analyses of experts, however, provide limited insight into end-user behavior.…”

Dancing Pigs or Externalities? Measuring the Rationality of Security Decisions

“…The majority of security-related economics analysis of human behavior has focused on experts' (e.g., system or network administrators) responses to threat [Christin et al, 2004, Grossklags et al, 2008b, Hota and Sundaram, 2015, Johnson et al, 2010, organizational responses to threat [Campbell et al, 2003, Gal-Or and Ghose, 2005, Miura-Ko et al, 2008, or attackers [Alpcan and Basar, 2006, Chen and Leneutre, 2009, Liu et al, 2006, Manshaei et al, 2013, Sallhammar et al, 2005, Shim et al, 2012. For example, Grossklags and colleagues conduct a number of different studies applying game-theoretic models to examine expert behavior in attack/defense security games [Christin et al, 2004, Grossklags et al, 2008a,b, Johnson et al, 2010 finding evidence of unclear risks and bounded rationality for security professionals; and relatedly, Rounds et al examined the impact of changes in security and reward on attacker responses, finding that as the value of an account increases, so too does the number of attacks on that account; and as the amount of security on an account increases so too does the number of attacks decrease [Rounds et al, 2013]. These analyses of experts, however, provide limited insight into end-user behavior.…”

Dancing Pigs or Externalities? Measuring the Rationality of Security Decisions

Dancing Pigs or Externalities?