Cybercrime and Prevention: Colonel Blotto in Social Engineering

TL;DR

This paper develops game-theoretic models based on criminology to optimize resource allocation for preventing social engineering cyberattacks at both national and organizational levels.

Contribution

It introduces two Colonel Blotto game models grounded in Routine Activity Theory and real-world data to guide targeted cybercrime prevention strategies.

Findings

Models suggest optimal resource distribution varies by country and organization characteristics.

Data-driven models can effectively support policymakers and leaders in cyber resilience planning.

The approach emphasizes the importance of organization- and context-specific training and prevention efforts.

Abstract

Cybercriminals increasingly target the human factor rather than continuously advancing technological defense mechanisms. Consequently, institutions that allocate substantial resources to strengthening their cybersecurity infrastructure may remain vulnerable if a deceived employee voluntarily transmits sensitive information or financial assets to attackers. Therefore, alongside the implementation of technological defense mechanisms, particular emphasis must be placed on mitigating human vulnerabilities, which can be achieved through preventive awareness programs. However, such training activities can only be effective if they are organization- and context-specific. In this paper, we develop two Colonel Blotto game models to determine the optimal allocation of defensive resources across dominant social engineering attack vectors. We ground the models in Routine Activity Theory (RAT), borrowed from criminology, that describes crime as an event involving a motivated offender, a suitable target, and the absence of a capable guardian. Next, we quantify relevant factors via the VIVA (Value, Inertia, Visibility, Accessibility) framework, and operationalize the models by feeding real-world cybercrime data into them. The first model investigates optimal population-level prevention, focusing on nation-states as defenders; we present and compare use cases of three different countries. The second model focuses on the organization as a decision-maker; here, we analyze five use cases involving organizations of different characteristics. Our results demonstrate that theoretically grounded and data-driven models can provide decision support to policymakers and organizational leaders in allocating their efforts optimally to prevent social engineering attacks and improve their overall cyber resilience.