IDEAS home Printed from https://ideas.repec.org/a/spr/infosf/v23y2021i6d10.1007_s10796-020-10054-z.html
   My bibliography  Save this article

Attack and Defense Strategies in Cyber War Involving Production and Stockpiling of Zero-Day Cyber Exploits

Author

Listed:
  • Kjell Hausken

    (University of Stavanger)

  • Jonathan W. Welburn

    (National Security Research Division)

Abstract

Two players strike balances between allocating resources for defense and production of zero-day exploits. Production is further allocated into cyberattack or stockpiling. Applying the Cobb Douglas expected utility function for equivalent players, an analytical solution is determined where each player’s expected utility is inverse U shaped in each player’s unit defense cost. More generally, simulations illustrate the impact of varying nine parameter values relative to a benchmark. Increasing a player’s unit costs of defense or development of zero-days benefits the opposing player. Increasing the contest intensities over the two players’ assets causes the players to increase their efforts until their resources are fully exploited and they receive zero expected utility. Decreasing the Cobb Douglas output elasticity for a player’s stockpiling of zero-days causes its attack to increase and its expected utility to eventually reach a maximum, while the opposing player’s expected utility reaches a minimum. Altering the Cobb Douglas output elasticities for a player’s attack or defense contests towards their maxima or minima causes maximum expected utility for both players.

Suggested Citation

  • Kjell Hausken & Jonathan W. Welburn, 2021. "Attack and Defense Strategies in Cyber War Involving Production and Stockpiling of Zero-Day Cyber Exploits," Information Systems Frontiers, Springer, vol. 23(6), pages 1609-1620, December.
    • Handle: RePEc:spr:infosf:v:23:y:2021:i:6:d:10.1007_s10796-020-10054-z
    DOI: 10.1007/s10796-020-10054-z
    as

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s10796-020-10054-z
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.
    File URL: https://libkey.io/10.1007/s10796-020-10054-z?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Kjell Hausken, 2017. "Information Sharing Among Cyber Hackers in Successive Attacks," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 19(02), pages 1-33, June.
    2. Kjell Hausken, 2020. "Additive multi-effort contests," Theory and Decision, Springer, vol. 89(2), pages 203-248, September.
    3. Kjell Hausken, 2014. "Returns to information security investment: Endogenizing the expected loss," Information Systems Frontiers, Springer, vol. 16(2), pages 329-336, April.
    4. Hausken, Kjell, 2006. "Income, interdependence, and substitution effects affecting incentives for security investment," Journal of Accounting and Public Policy, Elsevier, vol. 25(6), pages 629-665.
    5. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.
    6. Feng Xu & Xin (Robert) Luo & Hongyun Zhang & Shan Liu & Wei (Wayne) Huang, 2019. "Do Strategy and Timing in IT Security Investments Matter? An Empirical Investigation of the Alignment Effect," Information Systems Frontiers, Springer, vol. 21(5), pages 1069-1083, October.
    7. Kjell Hausken, 2018. "A cost–benefit analysis of terrorist attacks," Defence and Peace Economics, Taylor & Francis Journals, vol. 29(2), pages 111-129, February.
    8. Baliga, Sandeep & Bueno De Mesquita, Ethan & Wolitzky, Alexander, 2020. "Deterrence with Imperfect Attribution," American Political Science Review, Cambridge University Press, vol. 114(4), pages 1155-1178, November.
    9. Kjell Hausken, 2006. "Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability," Information Systems Frontiers, Springer, vol. 8(5), pages 338-349, December.
    10. Simon Trang & Benedikt Brendel, 2019. "A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research," Information Systems Frontiers, Springer, vol. 21(6), pages 1265-1284, December.
    11. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    12. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    13. Maria Arbatskaya & Hugo Mialon, 2010. "Multi-activity contests," Economic Theory, Springer;Society for the Advancement of Economic Theory (SAET), vol. 43(1), pages 23-43, April.
    14. Kjell Hausken & Gregory Levitin, 2008. "Efficiency of Even Separation of Parallel Elements with Variable Contest Intensity," Risk Analysis, John Wiley & Sons, vol. 28(5), pages 1477-1486, October.
    15. Lakdawalla, Darius & Zanjani, George, 2005. "Insurance, self-protection, and the economics of terrorism," Journal of Public Economics, Elsevier, vol. 89(9-10), pages 1891-1905, September.
    16. Robert E. Crossler & France Bélanger & Dustin Ormond, 2019. "The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats," Information Systems Frontiers, Springer, vol. 21(2), pages 343-357, April.
    17. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    18. Hausken, Kjell, 2007. "Information sharing among firms and cyber attacks," Journal of Accounting and Public Policy, Elsevier, vol. 26(6), pages 639-688.
    19. Yosra Miaoui & Noureddine Boudriga, 0. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 0, pages 1-40.
    20. Nagurney, Anna & Shukla, Shivani, 2017. "Multifirm models of cybersecurity investment competition vs. cooperation and network vulnerability," European Journal of Operational Research, Elsevier, vol. 260(2), pages 588-600.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Guizhou Wang & Jonathan W. Welburn & Kjell Hausken, 2020. "A Two-Period Game Theoretic Model of Zero-Day Attacks with Stockpiling," Games, MDPI, vol. 11(4), pages 1-26, December.
    2. Ali Pala & Jun Zhuang, 2019. "Information Sharing in Cybersecurity: A Review," Decision Analysis, INFORMS, vol. 16(3), pages 172-196, September.
    3. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    4. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    5. Zhiheng Xu & Jun Zhuang, 2019. "A Study on a Sequential One‐Defender‐N‐Attacker Game," Risk Analysis, John Wiley & Sons, vol. 39(6), pages 1414-1432, June.
    6. Aniruddha Bagchi & Tridib Bandyopadhyay, 2018. "Role of Intelligence Inputs in Defending Against Cyber Warfare and Cyberterrorism," Decision Analysis, INFORMS, vol. 15(3), pages 174-193, September.
    7. Qingqing Zhai & Rui Peng & Jun Zhuang, 2020. "Defender–Attacker Games with Asymmetric Player Utilities," Risk Analysis, John Wiley & Sons, vol. 40(2), pages 408-420, February.
    8. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2016. "Mandatory Standards and Organizational Information Security," Information Systems Research, INFORMS, vol. 27(1), pages 70-86, March.
    9. Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
    10. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    11. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.
    12. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    13. Yosra Miaoui & Noureddine Boudriga, 0. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 0, pages 1-40.
    14. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    15. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    16. Simon, Jay & Omar, Ayman, 2020. "Cybersecurity investments in the supply chain: Coordination and a strategic attacker," European Journal of Operational Research, Elsevier, vol. 282(1), pages 161-171.
    17. Feng Xu & Xin (Robert) Luo & Hongyun Zhang & Shan Liu & Wei (Wayne) Huang, 2019. "Do Strategy and Timing in IT Security Investments Matter? An Empirical Investigation of the Alignment Effect," Information Systems Frontiers, Springer, vol. 21(5), pages 1069-1083, October.
    18. Daniel Schatz & Rabih Bashroush, 0. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 0, pages 1-24.
    19. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    20. Adam Behrendt & Vineet M. Payyappalli & Jun Zhuang, 2019. "Modeling the Cost Effectiveness of Fire Protection Resource Allocation in the United States: Models and a 1980–2014 Case Study," Risk Analysis, John Wiley & Sons, vol. 39(6), pages 1358-1381, June.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:spr:infosf:v:23:y:2021:i:6:d:10.1007_s10796-020-10054-z. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Sonal Shukla or Springer Nature Abstracting and Indexing (email available below). General contact details of provider: http://www.springer.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.