ABSTRACT
Modern countries rely on computer networks that run organizations in the private and public sectors. Cyber-attacks aim to disrupt, block, delete, manipulate or steal the data held in these networks, challenging these countries’ national security. Consequently, cybersecurity programs must be developed to protect these networks from cyber-attacks in a manner similar to operations against terrorism. This study presents several models that analyze a contest between a network operator (defender) that deploys costly detectors to protect the network and a capable cyber attacker. Generally, when the deployed detectors become more potent or the defender exhibits higher vigilance, the attacker allocates more resources to R&D to ensure that the attack remains covert. We show that detectors may be substitutes, complements, or may even degrade each other, implying that defenders must account for the cyber weapons’ characteristics and for the attacker’s profile and strategic behavior. We derive the optimal number of detectors when the attacker’s R&D process features R&D spillovers and show that targeted detectors act as deterrents against high-quality weapons only if the attacker’s budget is not substantial. Finally, we demonstrate that common cybersecurity practices may be detrimental from a social-welfare perspective, because they intensify an arms race with the attacker.
Disclosure statement
No potential conflict of interest was reported by the authors.
Supplementary material
Supplemental data for this article can be accessed online at https://doi.org/10.1080/10242694.2022.2161739
Notes
1. Gartner finds that worldwide spending on information security products and services increased by eight to twelve percent in recent years, whereas the worldwide IT spending increased by only a few percent (Gartner Citation2018, Citation2019). Kaspersky Lab estimates that about a quarter to a third of the IT budget of organizations worldwide, across various industries and regions, is spent on IT security (Lab Citation2021).
2. For example, Russell and Abdelzaher (Citation2018) demonstrate how information gathering and management in cyberspace using IoT devices may evolve into a two-edged sword.
3. A weapon aimed at gathering users’ login passwords may be improved by modifying it to gather, in addition, the users’ internet browser passwords. A weapon aimed at deleting information from the defender’s databases may be improved by modifying it to delete, in addition, the defender’s backup files.
4. In reality, when APT attacks are revealed, the network configuration is altered to avoid major damage, at least in the short term (Matania and Tal-Shir Citation2020). Thus, APTs eagerly attempt to remain covert, and are usually exposed, if at all, only in hindsight (Cole Citation2013).
5. For example, the acquired knowledge and research infrastructure in an R&D process yield direct and indirect advancements to planning and executing similar and/or alternative R&D processes.
6. Hackers, particularly APTs, develop and improve their weapons when they use them often. Thus, the overall benefit from deploying a particular weapon increases with the number of times the weapon is deployed and with the improvements to the weapon during these deployments.
7. The quality of a weapon is measured by a continuous variable that represents a set of abilities that fulfill certain tactical objectives (data gathering, data manipulation, data transportation, gaining authorization, etc.).
8. This choice of implies that the (positive) marginal utility from both factors of production is decreasing.
9. For example, anomaly detection techniques are employed to identify novel attacks. In this case, detectors monitor traffic or abnormalities in host activities (in volume, structure, timing, etc.) under the assumption that they may signal suspicious behavior (see Bace and Mell Citation2001).
10. Intrusion detection (and prevention) systems are measures that monitor network activity for malicious behavior and provide technical reports to the IS management (Venter and Eloff Citation2003).
11. This assumption is reasonable, as an increase in the use and level of potency of weapon may result in more detectable traces (unless the attacker sets a higher level of R&D-S, aimed at reducing the detectability of weapon ).
12. Generally, detectors may be very efficient in detecting specific features (i.e. focused or targeted detectors) or designed to detect an extensive range of features (i.e. multipurpose detectors). These characteristics of the detector’s profile are analyzed later on.
13. Kokulu et al. (Citation2019) conducted multiple semi-structured interviews with managers and Security Operations Center (SOC) analysts and identified shortcomings and drawbacks that reduce the efficiency of the SOCs’ actions and processes (e.g. inferior countermeasures, low visibility, data overloading, etc.).
14. Detection often features a ‘tipping point’ behavior in distinguishing a malicious activity from a legitimate one. Therefore, acquiring privileged user permissions or disguising malicious network traffic may ‘blind’ many types of detectors, regardless of the underlying cyber-weapons.
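Notes 9 and 14 describe, respectively, volume/timing anomaly detection against novel attacks and the ‘tipping point’ effect by which paced or disguised traffic falls below a detector’s threshold. The following is an added example written for this page, not code from the paper or from its model: a z-score detector on a host’s per-window outbound volume, run against two constructed exfiltration patterns. The baseline series, the KB units, the 1200 KB payload and the threshold of three standard deviations are all assumptions chosen for illustration.

```python
"""Volume-based anomaly detector over constructed host egress records.

Added example (not part of the paper): a z-score detector on per-window
outbound volume, plus the 'tipping point' effect of note 14: the same
payload is flagged when sent in one burst and missed when paced thinly
across many windows, regardless of the underlying weapon.
"""
from statistics import mean, pstdev

# Constructed baseline: outbound KB per 5-minute window for one workstation
# on a quiet day (legitimate traffic only). Assumed values, not measured data.
BASELINE_KB = [1200, 1350, 1100, 1500, 1250, 1400, 1300, 1150, 1450, 1300, 1250, 1350]

Z_THRESHOLD = 3.0  # assumed tipping point: alert above three standard deviations


def fit_profile(samples):
    """Learn the host's 'normal' profile: (mean, population stddev) of the baseline."""
    return mean(samples), pstdev(samples)


def flag_windows(profile, observed, z_threshold=Z_THRESHOLD):
    """Anomaly detection on volume: indices of windows whose z-score exceeds the
    threshold. No signature of the weapon is needed, only deviation from the
    host's own history (note 9)."""
    mu, sigma = profile
    return [i for i, kb in enumerate(observed) if (kb - mu) / sigma > z_threshold]


def burst_exfil(payload_kb, legit_windows):
    """Attacker sends the whole payload in the middle window."""
    out = list(legit_windows)
    out[len(out) // 2] += payload_kb
    return out


def low_and_slow_exfil(payload_kb, legit_windows):
    """Same payload paced evenly over every window: disguise by spreading it
    under the detector's tipping point (note 14)."""
    per_window = payload_kb // len(legit_windows)
    return [kb + per_window for kb in legit_windows]


if __name__ == "__main__":
    profile = fit_profile(BASELINE_KB)
    print("profile mean/stddev:", profile)
    print("burst flagged windows:", flag_windows(profile, burst_exfil(1200, BASELINE_KB)))
    print("paced  flagged windows:", flag_windows(profile, low_and_slow_exfil(1200, BASELINE_KB)))
```

The burst of 1200 KB in one window sits about ten standard deviations above the learned mean and is flagged; the same 1200 KB spread at 100 KB per window never lifts any window beyond the threshold and is missed entirely. Lowering the threshold closes that gap at the price of false positives on the legitimate 1500 KB window, which is the trade-off the paper’s detector-vigilance parameter captures.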
15. All proofs appear in an online appendix. The attacker’s budget is ‘sufficiently large’ when the budget and the detection constraints are active at the optimum. The optimal solution follows from the first-order conditions of the Lagrangian of problem (2).
16. This result is obtained by differentiating Equations (9), (10) and (13) w.r.t. .
17. The parameter values in are: .
18. The choice of is discussed later on in this section.
19. The other parameter values in are: .
20. This model builds on and extends the model in Gilad, Pecht, and Tishler (Citation2021).
21. The proofs of Lemma 3 and Proposition 3 are in Gilad, Pecht, and Tishler (Citation2021).
22. The nature of our results was unchanged when we briefly experimented with several R&D processes and cost functions (not presented here due to space limitations). Nevertheless, we plan to extend this study with sensitivity analysis on the model’s parameters and assess additional R&D processes.
23. This can be demonstrated by the distinction between manually operated cyber weapons versus autonomous and sophisticated cyber weapons such as computer worms.