Mitigating the Risk of Advanced Cyber Attacks: The Role of Quality, Covertness and Intensity of Use of Cyber Weapons

Modern countries employ computer networks that manage organizations in the private and public sectors. Cyber-attacks aim to disrupt, block, delete, manipulate or steal the data held in these networks, which challenge these countries’ national security. Consequently, cybersecurity programs must be developed to protect these networks from cyber-attacks in a manner that is similar to operations against terrorism. This study presents several models that analyze a contest between a network operator (defender) that deploys costly detectors to protect the network and a capable cyber attacker. Generally, when the deployed detectors become more potent or the defender exhibits higher vigilance, the attacker allocates more resources to R&D to ensure that the attack remains covert. We show that detectors may be substitutes, complements, or even degrade each other, implying that defenders must account for the cyber weapons’ characteristics and the attacker’s profile and strategic behavior. We derive the optimal number of detectors when the attacker’s R&D process features R&D spillovers and show that targeted detectors act as deterrents against high-quality weapons only if the attacker’s budget is not substantial. Finally, we demonstrate that common cybersecurity practices may be detrimental from a social-welfare perspective by enhancing an arms race with the attacker.