{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,23]],"date-time":"2026-02-23T04:30:37Z","timestamp":1771821037513,"version":"3.50.1"},"reference-count":34,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2024,11,14]],"date-time":"2024-11-14T00:00:00Z","timestamp":1731542400000},"content-version":"vor","delay-in-days":318,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,1,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Our thesis is that economics and investment policies are vital factors in determining the outcome of cybersecurity conflicts. For our economic framework, we borrow from the pioneering work of Gordon and Loeb, in which the Defender optimally trades off investments for lower likelihood of its system breach. Our two-sided model has in addition an Attacker, assumed to be rational and also guided by economic considerations in its decision-making, to which the Defender responds. The model is a simplified adaptation of a model proposed during the Cold War for weapons deployment in the USA. Our model is a Stackelberg game and, from an analytic perspective, a Max\u2013Min problem. The complexity of the analysis is due to the non-convexity of the objective function in the optimization. The Attacker\u2019s possible actions add substantially to the risk to the Defender, and the Defender\u2019s rational, risk-neutral optimal investments in general substantially exceed the optimal investments predicted by the one-sided Gordon\u2013Loeb model. We obtain a succinct set of three decision types that categorize all of the Defender\u2019s optimal investment decisions. Also, the Defender\u2019s optimal decisions exhibit discontinuous behavior as the prior vulnerability of its system is varied. Results for two limiting cases of the model corresponding to an Extreme Attacker and an Extreme Defender are given. The analysis is supplemented by extensive numerical illustrations. The results from our model open several major avenues for future work.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae019","type":"journal-article","created":{"date-parts":[[2024,9,22]],"date-time":"2024-09-22T23:13:17Z","timestamp":1727046797000},"source":"Crossref","is-referenced-by-count":2,"title":["Economics and optimal investment policies of Attackers and Defenders in cybersecurity"],"prefix":"10.1093","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1150-9219","authenticated-orcid":false,"given":"Austin","family":"Ebel","sequence":"first","affiliation":[{"name":"Department of Electrical and Computer Engineering, New York University , NY 10012 ,","place":["United States"]}]},{"given":"Debasis","family":"Mitra","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering, Columbia University , NY 10027 ,","place":["United States"]}]}],"member":"286","published-online":{"date-parts":[[2024,11,14]]},"reference":[{"key":"2025112707314017300_bib1","volume-title":"At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues","author":"Clark","year":"2014"},{"key":"2025112707314017300_bib2","article-title":"The hidden costs of cybercrime","author":"Smith","year":"2020"},{"key":"2025112707314017300_bib3","article-title":"Cost of a data breach report 2021","author":"IBM","year":"2021"},{"key":"2025112707314017300_bib4","article-title":"National vulnerability database","author":"NVD","year":"2021"},{"key":"2025112707314017300_bib5","article-title":"A complete guide to the common vulnerability scoring system version 2.0","author":"Mell","year":"2007"},{"key":"2025112707314017300_bib6","volume-title":"The Theory of Max-Min and Its Application to Weapons Allocation Problems","author":"Danskin","year":"2012"},{"key":"2025112707314017300_bib7","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investments","volume":"5","author":"Gordon","year":"2002","journal-title":"ACM Trans Inf Syst Secur"},{"key":"2025112707314017300_bib8","article-title":"IT security investment and Gordon\u2013Loeb\u2019s 1\/e rule","volume-title":"Proc.\u00a017th\u00a0Annual\u00a0Workshop\u00a0on\u00a0the\u00a0Economics\u00a0of\u00a0Information\u00a0Security\u00a0(WEIS)","author":"Baryshnikov","year":"2012"},{"key":"2025112707314017300_bib9","doi-asserted-by":"crossref","first-page":"2210","DOI":"10.1109\/JSAC.2012.121213","article-title":"Coordination in network security games: a monotone comparative statics approach","volume":"30","author":"Lelarge","year":"2012","journal-title":"IEEE J Sel Area Commun"},{"key":"2025112707314017300_bib10","article-title":"Game theory for applied economists","author":"Gibbons","year":"1992"},{"key":"2025112707314017300_bib11","doi-asserted-by":"crossref","first-page":"183","DOI":"10.1137\/1035044","article-title":"Lagrange multipliers and optimality","volume":"35","author":"Rockafellar","year":"1993","journal-title":"SIAM Rev"},{"key":"2025112707314017300_bib12","doi-asserted-by":"crossref","first-page":"358","DOI":"10.1109\/ACSAC.2001.991552","article-title":"Why information security is hard-an economic perspective","volume-title":"Seventeenth Annual Computer Security Applications Conference","author":"Anderson","year":"2001"},{"key":"2025112707314017300_bib13","doi-asserted-by":"crossref","first-page":"157","DOI":"10.1111\/joes.12456","article-title":"Dangerous games: a literature review on cybersecurity investments","volume":"36","author":"Fedele","year":"2022","journal-title":"J Econ Surv"},{"key":"2025112707314017300_bib14","doi-asserted-by":"crossref","first-page":"338","DOI":"10.1007\/s10796-006-9011-6","article-title":"Returns to information security investment: the effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability","volume":"8","author":"Hausken","year":"2006","journal-title":"Inform Syst Front"},{"key":"2025112707314017300_bib15","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1016\/j.jaccpubpol.2004.12.003","article-title":"Vulnerability and information security investment: an empirical analysis of e-local government in Japan","volume":"24","author":"Tanaka","year":"2005","journal-title":"J Account Public Policy"},{"key":"2025112707314017300_bib16","article-title":"Productivity space of information security in an extension of the Gordon\u2013Loeb\u2019s investment model","volume-title":"Managing Information Risk and the Economics of Security","author":"Matsuura","year":"2008"},{"key":"2025112707314017300_bib17","doi-asserted-by":"crossref","first-page":"793","DOI":"10.1016\/j.ijpe.2008.04.002","article-title":"An economic analysis of the optimal information security investment in the case of a risk-averse firm","volume":"114","author":"Huang","year":"2008","journal-title":"Int J Prod Econ"},{"key":"2025112707314017300_bib18","doi-asserted-by":"crossref","first-page":"530","DOI":"10.1287\/inte.1060.0252","article-title":"Defending critical infrastructure","volume":"36","author":"Brown","year":"2006","journal-title":"Interfaces"},{"key":"2025112707314017300_bib19","first-page":"265","article-title":"Measuring the cost of cybercrime","volume-title":"Proc. 18th Annual Workshop on the Economics of Information Security (WEIS)","author":"Anderson","year":"2013"},{"key":"2025112707314017300_bib20","article-title":"Cost tradeoffs for information security assurance","volume-title":"Workshop on the Economics of Information Security (WEIS)","author":"Tiwari","year":"2005"},{"key":"2025112707314017300_bib21","doi-asserted-by":"crossref","first-page":"186","DOI":"10.1007\/978-3-642-34266-0_11","article-title":"A game-theoretic framework for network security vulnerability assessment and mitigation","volume-title":"Decision and Game Theory for Security: Third International Conference, GameSec 2012, Budapest, Hungary, November 5-6, 2012. Proceedings 3","author":"Gueye","year":"2012"},{"key":"2025112707314017300_bib22","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1016\/j.geb.2012.12.007","article-title":"Network design and defence","volume":"79","author":"Dziubinski","year":"2013","journal-title":"Game Econ Behav"},{"key":"2025112707314017300_bib23","doi-asserted-by":"crossref","first-page":"1518","DOI":"10.1093\/restud\/rdu013","article-title":"Attack, defence and contagion in networks","volume":"81","author":"Goyal","year":"2014","journal-title":"Rev Econ Stud"},{"key":"2025112707314017300_bib24","doi-asserted-by":"crossref","first-page":"536","DOI":"10.1016\/j.jet.2016.09.009","article-title":"Network security and contagion","volume":"166","author":"Acemoglu","year":"2016","journal-title":"J Econom Theory"},{"key":"2025112707314017300_bib25","doi-asserted-by":"crossref","first-page":"71","DOI":"10.1007\/BF00939867","article-title":"Sequential Stackelberg equilibria in two-person games","volume":"59","author":"Breton","year":"1988","journal-title":"J Optim Theory Appl"},{"key":"2025112707314017300_bib26","doi-asserted-by":"crossref","first-page":"86","DOI":"10.1145\/3418293","article-title":"Cyber reconnaissance techniques","volume":"64","author":"Mazurczyk","year":"2021","journal-title":"Commun ACM"},{"key":"2025112707314017300_bib27","doi-asserted-by":"crossref","first-page":"283","DOI":"10.1007\/978-3-540-70567-3_22","article-title":"An attack graph-based probabilistic security metric","volume-title":"Data and Applications Security XXII: 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security London, UK, July 13-16, 2008 Proceedings 22","author":"Wang","year":"2008"},{"key":"2025112707314017300_bib28","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1155\/2018\/3759626","article-title":"Moving target defense techniques: a survey","volume":"2018","author":"Lei","year":"2018","journal-title":"Secur Commun Netw"},{"key":"2025112707314017300_bib29","first-page":"491","article-title":"Contestable markets: an uprising in the theory of industry structure: Reply","volume":"73","author":"Baumol","year":"1983","journal-title":"Am Econ Rev"},{"key":"2025112707314017300_bib30","first-page":"3","article-title":"Technological determinants of firm and industry structure","volume-title":"Handbook of Industrial Organizations","author":"Panzar","year":"1989"},{"key":"2025112707314017300_bib31","article-title":"Soviet-American arms race","author":"Swift","year":"2009"},{"key":"2025112707314017300_bib32","first-page":"49","article-title":"The price of victory in Cold War is $5.8 trillion for nuclear arms and delivery systems, says panel","volume":"51","author":"Goodwin","year":"1998","journal-title":"Phys Today"},{"key":"2025112707314017300_bib33","first-page":"701","article-title":"Competition and innovation: an inverted-u relationship","volume":"120","author":"Aghion","year":"2005","journal-title":"Quart J Econ"},{"key":"2025112707314017300_bib34","first-page":"1289","article-title":"Optimal policies for natural monopolies","volume-title":"Handbook of Industrial Organizations","author":"Braeutigam","year":"1989"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae019\/61182382\/tyae019.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae019\/61182382\/tyae019.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,27]],"date-time":"2025-11-27T12:31:53Z","timestamp":1764246713000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae019\/7900094"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":34,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1,2]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae019","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2024]]},"published":{"date-parts":[[2024]]},"article-number":"tyae019"}}