Original Article

Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers

Pages 241-274 | Published online: 08 Dec 2014

References

  • Akerlof, G. A. The market for "lemons": Quality uncertainty and market mechanism. Quarterly Journal of Economics, 84, 3 (1970), 488-500.
  • Anderson, R. J., and Moore, T. Information security economics—and beyond. In A. Menezes (ed.), Advances in Cryptology—CRYPTO 2007. Lecture Notes in Computer Science 4622. Berlin and Heidelberg: Springer, 2007, pp. 68-91.
  • August, T., and Tunca, T. I. Network software security and user incentives. Management Science, 52, 11 (2006), 1703-1720.
  • Avizienis, A.; Laprie, J.; and Randell, B. Fundamental concepts of dependability. Technical Report no. 01145, Laboratoire d'Analyse et d'Architecture des Systemes, Centre National de la Recherche Scientifique, Toulouse, France, 2001.
  • Avizienis, A.; Laprie, J.; Randell, B.; and Landwehr, C. Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 1, 1 (2004), 11-33.
  • Baker, W. H.; Hylender, C. D.; and Valentine, J. A. 2008 data breach investigation report. Verizon Business Risk Team, New York, 2008 (available at www.verizonbusiness.com/resources/security/databreachreport.pdf).
  • Becker, G. S. The economic way of looking at behavior. Journal of Political Economy, 101, 3 (1993), 385-409.
  • Bier, V.; Oliveros, S.; and Samuelson, L. Choosing what to protect: Strategic defensive allocation against an unknown attacker. Journal of Public Economic Theory, 9, 4 (2007), 563-587.
  • Cavusoglu, H., and Raghunathan, S. Configuration of detection software: A comparison of decision and game theory approaches. Decision Analysis, 1, 3 (2004), 131-148.
  • Cavusoglu, H.; Mishra, B.; and Raghunathan, S. A model for evaluating IT security investments. Communications of the ACM, 47, 7 (2004), 87-92.
  • Cavusoglu, H.; Mishra, B.; and Raghunathan, S. The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16, 1 (2005), 28-46.
  • Cavusoglu, H.; Raghunathan, S.; and Yue, W. T. Decision theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25, 2 (Fall 2008), 281-304.
  • Cremonini, M., and Nizovtsev, D. Understanding and influencing attackers' decisions: Implications for security investment strategies. Paper presented at the Fifth Workshop on the Economics of Information Security (WEIS 2006), Cambridge, UK, June 26-28, 2006.
  • Enders, W., and Sandler, T. What do we know about the substitution effect in transnational terrorism? In A. Silke and G. Ilardi (eds.), Researching Terrorism Trends, Achievements, Failures. Ilford, UK: Frank Cass, 2004, pp. 119-137.
  • Franklin, J.; Paxson, V.; Perrig, A.; and Savage, S. An inquiry into the nature and causes of the wealth of Internet miscreants. In S. De Capitani, P. Syverson, and D. Evans (eds.), Proceedings of the Fourteenth ACM Conference on Computer and Communications Security. New York: ACM Press, 2007, pp. 375-388.
  • Gordon, L. A., and Loeb, M. P. The economics of information security investment. ACM Transactions on Information and System Security, 5, 4 (2002), 438-457.
  • Gordon, L. A., and Loeb, M. Managing Cybersecurity Resources: A Cost-Benefit Analysis. New York: McGraw-Hill, 2005.
  • Hausken, K. Income, interdependence, and substitution effects affecting incentives for security investment. Journal of Accounting and Public Policy, 25, 6 (2006), 629-665.
  • Hausken, K. Strategic defense and attack for series and parallel reliability systems. European Journal of Operational Research, 186, 2 (2008), 856-881.
  • Jonsson, E., and Olovsson, T. A quantitative model of the security intrusion process based on attacker behavior. IEEE Transactions on Software Engineering, 23, 4 (1997), 235-245.
  • Kennedy, D. M. Deterrence and Crime Prevention: Reconsidering the Prospect of Sanction. New York: Routledge, 2008.
  • Kiefer Peretti, K. Data breaches: What the underground world of "carding" reveals. Computer Crime and Intellectual Property Section, U.S. Department of Justice, Washington, DC, 2008 (available at www.usdoj.gov/criminal/cybercrime/DataBreachesArticle.pdf).
  • Kunreuther, H., and Heal, G. Interdependent security. Journal of Risk and Uncertainty, 26, 2-3 (2003), 231-249.
  • Leeson, P. T., and Coyne, C. J. The economics of computer hacking. Journal of Law, Economics and Policy, 1, 2 (2006), 511-532.
  • Littlewood, B.; Brocklehurst, S.; Fenton, N.; Mellor, P.; Page, S.; Wright, D.; Dobson, J.; McDermid, J.; and Gollmann, D. Towards operational measures of computer security. Journal of Computer Security, 2, 3 (1993), 211-229.
  • Liu, P.; Zang, W.; and Yu, M. Incentive-based modeling and inference of attacker intent, objectives, and strategies. ACM Transactions on Information and System Security, 8, 1 (2005), 78-118.
  • McDermott, J. Attack-potential-based survivability modeling for high-consequence systems. In J. L. Cole and S. D. Wolthusen (eds.), Proceedings of the Third IEEE International Information Assurance Workshop. Los Alamitos, CA: IEEE Computer Society, 2005, pp. 119-130.
  • Nicol, D. M.; Sanders, W. H.; and Trivedi, K. S. Model-based evaluation: From dependability to security. IEEE Transactions on Dependable and Secure Computing, 1, 1 (2004), 48-65.
  • Ning, P.; Cui, Y.; Reeves, D. S.; and Xu, D. Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security, 7, 2 (2004), 274-318.
  • Ortalo, R.; Deswarte, Y.; and Kaâniche, M. Experiments with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering, 25, 5 (1999), 633-650.
  • Png, I. P. L.; Wang, C. Y.; and Wang, Q. H. The deterrent and displacement effects of information security enforcement: International evidence. Journal of Management Information Systems, 25, 2 (Fall 2008), 125-144.
  • Reinganum, J. A dynamic game of R&D: Patent protection and competitive behavior. Econometrica, 50, 3 (1982), 671-688.
  • Schechter, S. E. Computer security strength and risk: A quantitative approach. Ph.D. dissertation, Division of Engineering and Applied Sciences, Harvard University, Cambridge, 2004.
  • Schechter, S. E., and Smith, M. D. How much security is enough to stop a thief? The economics of outsider theft via computer systems and networks. In R. N. Wright (ed.), Financial Cryptography Conference. Lecture Notes in Computer Science 2742. Berlin: Springer, 2003, pp. 122-137.
  • Swire, P. P. A model for when disclosure helps security: What is different about computer and network security? Journal on Telecommunications and High Technology Law, 3, 1 (2004), 163-208.
  • Swire, P. P. A theory of disclosure for security and competitive reasons: Open source, proprietary software, and government agencies. Houston Law Review, 42, 5 (2006), 1333-1380.
  • Valeur, F.; Vigna, G.; Kruegel, C.; and Kemmerer, R. A. A comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing, 1, 3 (2004), 146-169.
  • Wespi, A.; Debar, H.; Dacier, M.; and Nassehi, M. Fixed- vs. variable-length patterns for detecting suspicious process behavior. Journal of Computer Security, 8, 2-3 (2000), 1-15.
  • Zhou, J.; Heckman, M.; Reynolds, B.; Carlson, A.; and Bishop, M. Modeling network intrusion detection alerts for correlation. ACM Transactions on Information and System Security, 10, 1 (2007), 1-31.
