Journal of Management Information Systems

Volume 26 Number 3 2009 pp. 241-274

Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers

Cremonini, Marco and Nizovtsev, Dmitri

ABSTRACT: The paper uses a game-theoretic setting to examine the interaction between strategic attackers who try to gain unauthorized access to information systems, or "targets," and defenders of those targets. Our analysis of the attacker--defender interaction shows that well-protected targets can use signals of their superior level of protection as a deterrence tool. This is due to the fact that, all other things being equal, rational attackers motivated by potential financial gains tend to direct their effort toward less-protected targets. We analyze several scenarios differing in the scope of publicly available information about target parameters and discuss conditions under which greater defenders' ability to signal their security characteristics may improve their welfare. Our results may assist security researchers in devising better defense strategies through the use of deterrence and provide new insight about the efficacy of specific security practices in complex information security environments.

Key words and phrases: cost-benefit analysis, crime deterrence, games of complete and incomplete information, information security, information warfare, interdependent strategies, signaling