In previous simulation studies, attackers were assumed to respond to changes in reward with an S-shaped curve and to changes in security with a declining S-shaped curve. This paper reports experimental work that investigates the validity of those assumptions. In general, the results suggest that the assumptions are reasonable.
Background

Much of the research in computer security focuses on the interactions of technological systems. Walters, Liang, Shi, and Chaudhary [1] focus on the technological portion of wireless networking. Early research surveyed by Browne [2] found that there were thousands of papers on computer security and risk management, but most were too narrow in scope and too fixated on technological fixes to be of much value. Udo's survey [3] of privacy and security concerns related to e-commerce focuses on how users perceive threats, and concludes that while many IT users feel that security is a critical issue, they do not believe that the government or any technological fix is capable of securing their privacy. In those areas where the human interaction factor is described, the literature tends to focus on the technology side of the interaction rather than the human side. In their book, Cranor and Garfinkel [4] make the point that overly complex passwords can hurt the overall effectiveness of password security. Besar and Arief [5] and Duggan, Johnson and Grawemeyer [6] discuss the impairment of security by legitimate users, but their description of the faults focuses on the technical side. Sasse et al. [7] made the point that the human portion of the security problem is the area of highest leverage. Adams and Sasse [8] stated that rather than avoiding investigating the human factors, we need to embrace them. Mitnick and Simon [9] note that the human factor is critical because it is the basis of many threats.
Saltzer and Schroeder [10], who recognize that humans play a role, focus mainly on the technological issues of security rather than on the interactions of the system with its users and attackers. The human factor is important because engineers cannot evaluate a security system until they can measure its effectiveness, and hence the benefit provided by computer security. Carayon [11] describes a "sociotechnical system", which is the amalgamation of humans and their information system. Many firms engage in cost/benefit analysis of security measures before applying them [12][13][14]. These analyses are primarily qualitative in nature, since there are not many quantitative models of the interaction between attacker and security professional. Gordon and Loeb [15] describe how an information system manager might respond, in terms of monetary resources, to a selected vulnerability, but they do not discuss how this response will affect the likelihood of future attacks. Authors such as Schneier [16] and Cavusoglu, Cavusoglu, and Raghunathan [17] look at the economics of computer security from the user's point of view but cast little light on how attackers respond. Their work assumes that attackers are u...