Economics and Optimal Investment Policies of Attackers and Defenders in Cybersecurity

TL;DR

This paper develops an economic game-theoretic model of cybersecurity investment involving rational attackers and defenders, revealing complex, discontinuous optimal strategies and surpassing traditional one-sided models in investment predictions.

Contribution

It introduces a two-sided, Stackelberg game model for cybersecurity investments, incorporating attacker behavior and analyzing its impact on defender strategies beyond existing models.

Findings

Defender's optimal investments often exceed Gordon-Loeb predictions.

Optimal decisions are categorized into three distinct types.

Discontinuous behavior in defender strategies as initial vulnerability varies.

Abstract

In our time cybersecurity has grown to be a topic of massive proportion at the national and enterprise levels. Our thesis is that the economic perspective and investment decision-making are vital factors in determining the outcome of the struggle. To build our economic framework, we borrow from the pioneering work of Gordon and Loeb in which the Defender optimally trades-off investments for lower likelihood of its system breach. Our two-sided model additionally has an Attacker, assumed to be rational and also guided by economic considerations in its decision-making, to which the Defender responds. Our model is a simplified adaptation of a model proposed during the Cold War for weapons deployment in the US. Our model may also be viewed as a Stackelberg game and, from an analytic perspective, as a Max-Min problem, the analysis of which is known to have to contend with discontinuous behavior. The complexity of our simple model is rooted in its inherent nonlinearity and, more consequentially, non-convexity of the objective function in the optimization. The possibilities of the Attacker's actions add substantially to the risk to the Defender, and the Defender's rational, risk-neutral optimal investments in general substantially exceed the optimal investments predicted by the one-sided Gordon-Loeb model. We obtain a succinct set of three decision types that categorize all of the Defender's optimal investment decisions. Also, the Defender's optimal decisions exhibit discontinuous behavior as the initial vulnerability of its system is varied. The analysis is supplemented by extensive numerical illustrations. The results from our model open several major avenues for future work.