
The economic impact of cyber terrorism

Jian Hua a,*, Sanjay Bapna b
a School of Business and Public Administration, University of the District of Columbia, 4200 Connecticut Avenue, Washington, DC 20008, United States
b School of Business and Management, Morgan State University, United States
Article info
Article history:
Received 9 November 2010
Received in revised form 2 October 2012
Accepted 21 October 2012
Available online 8 December 2012
Keywords:
Game theory
Information systems security
Security investment
Cyber terrorism
Abstract
What is the economic impact of cyber terrorism? Can organizations achieve strategic advantage in the cyber terrorism game? A general game theoretical model is proposed to study the optimal information systems (ISs) security investment and then applied to compare the losses caused by cyber terrorists and common hackers. Literature is reviewed on IS security, game theoretical models of IS security, cyber terrorism, cyber deterrence and the IS security breach function. Simulations with varying levels of attackers' preference, breach function sensitivity and deterrence level are carried out to determine the sensitivity of the optimal IS security investment to these factors. Results suggest that organizations should invest more to protect their strategic information systems against cyber terrorists who have long-term goals.
Published by Elsevier B.V.
1. Introduction
Modern economies are heavily dependent upon Information Technology (IT) based information systems for survival.
Increased reliance on information systems (ISs) leads to increased vulnerabilities and risks. IS security has thus become a
critical issue in the IT world (Sonnenreich et al., 2006).
Investing optimally in the security of information systems can yield comparative strategic advantages (LeVeque, 2006) through trustworthiness and positive image as perceived by partners, customers and suppliers; trust is difficult for competitors to duplicate. Investing optimally implies avoiding inappropriate investment.
Information systems are vulnerable and it is possible for terrorists to utilize the vulnerabilities of information systems to attack their adversaries (Jormakka and Molsa, 2005; Embar-Seddon, 2002). This has given rise to a new term, cyber terrorism. Parks and Duggan (2001) have defined cyber terrorism as an extension of traditional terrorism and a new approach adopted by terrorists to attack cyberspace. The FBI director, Robert S. Mueller, has warned that cyber terrorists will either train their own recruits or hire outsiders, with an eye toward combining physical attacks with cyber attacks. Mueller also stressed that the cyber threat cannot be fought by government alone (Nakashima, 2010).
Organizations that comprise the critical infrastructure of the national economy should be aware of the potential for terrorist attack (Nickolov, 2005). Critical infrastructure refers to the essential assets which make society or a country function well and includes energy, transportation, telecommunication, water supply and waste management, agriculture and food supply, finance, public health, and essential government services. Organizations which form the critical infrastructure of a national economy must protect their information systems well.
Cyber terrorists could feasibly target the information systems of critical infrastructure of countries. The threat of cyber terrorism is more dangerous than that of common IS attacks (Verton, 2003) and is becoming a major concern for most countries (Foltz, 2004). Cyber terrorists inherit not only the characteristics of terrorists, but also the characteristics of hackers. The only way to differentiate cyber terrorism from traditional hacking and other cyber crime is by ascertaining the motivation or intention of the person or group launching the attack (Embar-Seddon, 2002).
* Corresponding author. Tel.: +1 202 274 7138; fax: +1 202 274 7023.
E-mail addresses: jhua@udc.edu (J. Hua), sanjay.bapna@morgan.edu (S. Bapna).
Journal of Strategic Information Systems 22 (2013) 175–186. http://dx.doi.org/10.1016/j.jsis.2012.10.004
0963-8687/$ - see front matter Published by Elsevier B.V.
The quality of IS security is highly related to the investments in IS security (Bojanc and Jerman-Blazic, 2008). The appropriate level of IS security investment can enhance the capability of organizations and governments to defend against cyber terrorism attacks (Bodin and Gordon, 2005). The objective of IS security is to minimize an organization's potential losses by balancing the investment cost and financial losses from intrusions. A solid theoretical foundation based on risk analysis and terrorists' behavior prediction has not been well established in the field of IS security. Without proper risk and behavioral analysis, non-optimal investment decisions in IS security will be made both in organizational and critical infrastructure security systems.
In this paper, we examine the important factors that affect the optimal investment in IS security. We aim to show that there are differences in the optimal investment for organizations, when they face the attacks from cyber terrorists compared to attacks by common hackers. Even though both these attacks rely on the same toolset to attack an organization's information systems, the motivation of cyber terrorists may lead to different optimal investment levels for organizations. Game theory is used to create a model that includes critical factors that impact the optimal investment level. This model will show the economic impact of cyber terrorism.
The rest of the paper is organized as follows. In the background section we review the literature on the related IS security
research and terrorism research, providing us with the background to propose a game theoretical model for IS security. The
game theoretical model is described in the methodology section. We then apply the model to cyber-terrorism. We discuss
the implications of our work in the conclusion.
2. Background
Prevention of cyber terrorism involves the study of IS security research and implementation techniques. Research on IS security provides an understanding of the methods, threats, risks, and behavioral aspects of cyber crimes. Currently, there are three streams of research related to IS security. The first stream is technology-based and concentrates on developing and improving a variety of technological solutions to reduce IS security risks (Lee et al., 2002; Denning and Branstad, 1996; Sandhu et al., 1996; Simmons, 1994). The second stream of research is behavioral IS security which is built on disciplines of Psychology, Criminology, and Sociology, and focuses on finding the behavioral profiles of hackers and insiders (Fagnot, 2007; Workman and Gathegi, 2007; Rogers, 2001; Kjaerland, 2005; Skinner and Fream, 1997). The third stream of research is related to economic issues in IS security and analyzes broader IS security problems from an economic perspective, which includes risk management and cost/benefit analysis (Campbell et al., 2003; Garg et al., 2003; Ettredge and Richardson, 2002; Cavusoglu et al., 2004).
This paper presents IS security research relevant to cyber terrorism. The primary focus in this paper is to develop game
theoretical models that explain the behavior of cyber-terrorists and hackers from an organizational investment perspective.
In order to develop such behavioral based models, literature on cyber terrorism, terrorism deterrence, IS security investment,
and prior studies on game theoretical models applied to IS security are discussed. Literature on technology-based IS security
is not presented since that is peripheral to this paper.
2.1. Cyber terrorism
The word terrorism can be traced back to the French Revolution when terror was used by the government to suppress counter-revolutionary adversaries (Harzenski, 2003). Most terrorist acts share two common features: (1) they assault civilians; and (2) they target victims that are not their true targets, but these victims do influence the target audience (Badey, 1998). The term terrorist refers to a person who practices terrorism. Terrorists know that they cannot be superior to their adversaries in conventional resource intensive warfare, hence they rely on techniques intended to erode the enemy's moral and physical capacities (Oprea and Mesnita, 2005).
We define cyber terrorism as attacks implemented by cyber terrorists via information systems to (1) significantly interfere with the political, social or economic functioning of a critically important group or organization of a nation, or (2) induce physical violence and/or create panic. We define hackers as individuals who (1) wish to access/modify data, files, and resources without having the necessary authorization to do so, and/or (2) wish to block services to authorized users. Cyber terrorists are individuals or groups who utilize computing and networking technologies to terrorize. In this paper, we study the behaviors of two groups of hackers: cyber terrorists and common hackers.
Because information about cyber terrorism and cyber terrorists is generally considered classified information which cannot be released to the public, we can usually only infer that cyber terrorism and cyber terrorists exist. However, in 2010 Federal Bureau of Investigation chief, Robert Mueller, told an RSA Conference of computer security professionals, "The cyber-terrorism threat is real and rapidly expanding." He indicated that terrorists have shown a clear interest in hacking skills and combining real attacks with cyber attacks.
While cyber terrorists are a sub group of hackers (Beveren, 2001; Rogers, 1999), an important difference between cyber terrorists and other hackers pertains to their motivation. Cyber terrorists are politically or religiously motivated. Creating fear and panic among civilians, and disrupting or destroying public and private infrastructure is the goal of terrorists. They wish to coerce a targeted government to negotiate with them, or show their existence to their community, or demonstrate their capabilities to their political and financial supporters (Embar-Seddon, 2002; Verton, 2003). Unlike viruses or computer attacks that result in a denial of service, a cyber terrorist attack is designed to cause physical violence or extreme financial harm (Poremba, 2011). In contrast, common hackers' motivations include addiction to hacking, curiosity, intention to gain power, peer recognition and the sense of belonging to a group (Beveren, 2001). Increasingly the motivation is to make money (Aaronson, 2005). Representative cases from the U.S. Department of Justice showing that most hackers tried to make money from their hacking are presented in Appendix A.
A skilled hacker may attack the same target as a cyber terrorist; however, the cyber terrorist generally has more resources than the hacker to support long-term uninterrupted attacks (Quigley, 2007; Furnell and Warren, 1999).
Salient characteristics of cyber terrorists listed by Schudel and Wood (2000) include:
Even though it is assumed that cyber terrorists may have limited funding, they may be able to raise from hundreds of
thousands to a few million dollars and also be willing to spend the raised funds for their attacks.
Cyber terrorists are able to access commercial resources including consultants and commercial expertise.
Cyber terrorists would be able to acquire all design information on a system of interest.
People commonly believe that terrorists are insane or psychopathic. Strictly speaking, psychopathic ailments can be divided into two conditions: clinical illness and personality disorder. The person with clinical illness cannot differentiate right from wrong, but the person with personality disorder can. As such, terrorists are rarely psychotic or insane (Victoroff, 2005; Hudson, 1999; Post, 2007; McCormick, 2003). Cyber terrorists are a sub group of terrorists, so we can conclude that cyber terrorists inherit the basic psychological profile of terrorists: cyber terrorists are rational rather than insane. A cyber terrorist has a similar profile to traditional terrorists (Poremba, 2011). The difference between a cyber terrorist and a traditional terrorist is that the former has sophisticated hacking skills.
Contrary to common opinion, terrorists are also rarely sociopathic. There is no evidence, from any empirical study, that demonstrates that terrorists are antisocial. Considerable evidence supports the observation that terrorists are regarded as heroes, at least by their groups or local communities. The Middle Eastern students who join an Islamic radical group may enjoy popular support and believe that they are serving their society in a pro-social way. Contrary to common understanding, terrorists are altruistic in their groups (Keet, 2003; Krueger and Maleckova, 2003).
The following literature review on terrorism indicates that some terrorists are highly educated. For example, Rees (2002) found that since the late 1990s, Middle Eastern terrorists have come from a wide demographic range, including university students, professionals, and young women. Other research indicates that most terrorists come from a middle class background (Hassan, 2001; Pedahzur et al., 2003; Sageman, 2004). Krueger and Maleckova (2003) found that support for terrorism against Israeli civilians was more common among professionals than among laborers, and more common amongst those with a secondary education than among illiterate respondents. Sageman (2004) found that 71% of Muslim respondents who claimed they were terrorists had at least some college education, with 43% having professional backgrounds. Thus, it is reasonable to assume that many terrorists are highly educated and are computer literate. Since a pool of educated potential terrorists exists, terrorist organizations can fund, and recruit such individuals and train them in the science of computer security.
Foltz (2004) summarized some potential threats of cyber terrorism. A cyber terrorist could:
Attack electrical power systems; gas and oil production, transportation, and storage; water supply systems; banking and finance (Embar-Seddon, 2002).
Access a drug manufacturer's facility and alter its medication formulas to make them deadly (Wehde, 1998).
Access hospital records and change patient blood types (Gengler, 1999).
Report stolen information to others (e.g. troop movement) (Desouza and Hensgen, 2003).
Manipulate perception, opinion and the political and socioeconomic direction (Stanton, 2002).
Facilitate identity theft (Gordon and Ford, 2002).
The most dangerous cyber terrorism attacks are those that affect national infrastructure or business systems. Although cyber terrorism may not be able to generate the same effect as a physical explosion, cyber terrorism can lead to extensive monetary loss. If cyber terrorists shut down the Amazon.com website, potential customers would buy goods from other online sellers. In this case, only Amazon.com would lose the sale; other online sellers would benefit from this incident. However, if the intrusion resulted in the creation of spurious transactions, especially to key financial institutions, such as the national/federal banks, then this could create a panic amongst businesses, which would, in turn, impact the national economy adversely. Compared with other terrorism approaches, cyber terrorism requires fewer people and fewer inputs. Cyber terrorism does not require the cyber terrorists to be physically present. Cyber terrorists can remotely launch attacks and remain anonymous by using proxy servers and IP-change methods to hide their real addresses. Because cyber terrorists can easily hide their identity, it is difficult for government agents to trace and capture them.
The easiest attack approach adopted by cyber terrorists is sending virus infected e-mails. If the virus is new or unknown and unable to be detected by the victim's antivirus software, it could behave in the interest of the cyber terrorists. A computer worm, launched by a cyber terrorist, can burrow through a network, hide itself and can either steal information, or disrupt the functioning of the computer systems.
2.2. IS security investment models
IS security investment models either borrow concepts from the financial domain such as Net Present Value and Value-At-Risk, or from the economic domain such as utility theory or game theory. In this section, key papers in each of these disciplines are mentioned, with greater focus on the literature on economic models.
Bojanc and Jerman-Blazic (2008) presented a financial approach for assessing the required information and communication technology (ICT) security investment through the identification of assets and vulnerabilities. They used three methods to quantify the costs and benefits of security investments: return on investment (ROI), net present value (NPV), and internal rate of return (IRR). Huang et al. (2008) used expected utility theory to determine the optimal security investment level and showed how an organization could manage its investment in information security based on the different characteristics of threat environments and system configurations.
Wang et al. (2008) introduced the value-at-risk (VAR) approach to measure the daily risk of an organizational information system. Using extreme value theory, they modeled the probability distribution of daily losses and time trends in the extreme behavior of daily risks, but did not provide an operational approach to determine an appropriate security investment.
2.2.1. The breach function of IS security
Gordon and Loeb (2002) believed that previous studies related to the economic aspects of information security provided little generic guidance on how to derive the proper investment in IS security. Hence, they built a model that considered how the vulnerability of information and the potential loss from such vulnerability affected the optimal funding to secure that information. They proposed two classes of security breach probability functions. The first class of security breach probability functions proposed was
$$S^{I}(z, v) = \frac{v}{(az + 1)^{b}},$$
where z is the investment, and v is the vulnerability. Their second class is not considered in this paper. The parameters, a and b, are measures of the productivity of information security. The probability of breaches decreases with increases in both of these parameters. Hausken (2006) proposed a logistic breach function
$$S^{III}(z, v) = \frac{v}{1 + q\,(e^{sz} - 1)}$$
(third class of breach functions) to address some of the drawbacks of Gordon and Loeb's classes of breach functions. Hausken's other classes of breach functions are not considered in this paper. The parameters, q and s, measure the productivity of information security. By varying the parameters of the functions, it is possible to model the sensitivity of breaching information systems to investment levels. A sensitive breach function is a function where a moderate increase in the amount of investment can decrease breaching probability considerably. In other words, a sensitive breach function has a steeper slope at a particular investment level, compared to an insensitive breach function.
Liu et al. (2008) empirically analyzed information security investment based on a survey of Japanese firms and used Japanese survey results to test Gordon and Loeb's model. They found that the effects of the information security investment were to reduce the vulnerability effects. Their empirical results suggested that the defense measures associated with information security policy and employee training could significantly reduce virus incidents, and that information security investments were significantly affected by industry type.
2.2.2. The game theoretical model of IS security
Using game theory, Schechter and Smith (2003) developed a model for companies to gauge their attractiveness to thieves and determine the proper level of security required for packaged systems. Under varying conditions of attack, their research revealed that a company would benefit substantially by increasing the probability of detection and/or the probability of repelling the attack, and by increasing the likelihood of hacker convictions.
Cavusoglu et al. (2008) claimed that the traditional decision-theoretic risk management techniques used to determine IS security investments were incomplete, because the traditional techniques did not recognize that hackers alter their hacking strategies in response to the firm's security investment strategies. They compared game theory and decision theory approaches on the investment levels, vulnerability, and payoffs from investment and concluded that game theory was appropriate to model IS security investment.
2.3. The deterrence function in IS security
Deterrence theory has been widely employed in the fields of economics and criminology to study the behavior of criminals and antisocialists (Becker, 1968; Pearson and Weiner, 1985). In criminology, deterrence theory asserts that the probability of criminal behavior varies with the expected punishment, which consists of the perceived probability of being caught and the punishment level (Pearson and Weiner, 1985). In the realm of cyber terrorism, the expected punishment to cyber terrorists depends upon national and international legal frameworks, the cooperation for information sharing between nations, and states' ability to identify the perpetrators (Hua and Bapna, 2012).
Workman and Gathegi (2007) studied the effects of attitudes towards the law and the effects of social influence and concluded that punishment was more effective in deterring people who tried to avoid punishment or negative consequences, while ethics education was more effective in deterring people who had a strong social consciousness.
Oksanen and Valimaki (2007) conducted research on copyright violations and found that the strategy of minimizing risk was not only theoretically practiced, but was also extensively used. They found that the classic deterrence model should incorporate both the reputational cost of violations and the reputational benefit of violations (Sunstein, 2003). The reputational cost means the unofficial sanction applied by the individual's peers. Reputational benefit comes from the support of the individual's community, or peers (Rebellon and Manasse, 2004). The reputational benefit may play a significant role in individual decision-making. This literature shows that there are possible reputational benefits behind cyber terrorism. The increased reputation from peer groups after a successful cyber attack may motivate cyber terrorists.
Straub and Welke (1998) considered deterrence theory as a theoretical basis for security countermeasures to reduce IS risks and posited that managers and administrative policies were the key to successfully deterring, preventing, detecting, and pursuing remedies to cyber terrorism.
Determining the proper punishment is an important issue in the legal field. Legal systems in most societies specify punishments that increase with the level of social harm caused by the criminal activities (Rasmusen, 1995). The punishment may include punishment of a person or a group or the party to which the lawbreakers belong. For cyber terrorism, the punishment may include anti-terrorism wars against the state where the cyber terrorists reside. Thus, for cyber terrorism the punishment may be more severe, and in some cases exceed the losses caused to the victims.
3. Methodology
Game theory is a branch of applied mathematics widely applied in economics, accounting, finance, biology, and political science. Game theory attempts to model interactions among rational players and mathematically predicts their choices of action. Game theory has numerous applications, ranging from solving problems involving offense and defense (Cavusoglu et al., 2008; Lye and Wing, 2005; Sallhammar et al., 2007) to the design of optimal penalties to deter crime, which can be viewed as a rational choice decision (Saha and Poole, 2000; Chu et al., 2000). Game theory is a very useful approach to study cyber terrorism (Matusitz, 2009).
In most applications of game theory, all players are assumed to be rational and desiring to maximize their rewards. Each player also assumes that the other players will act rationally. This assumption guarantees that each player makes a correct prediction on the choices of the other players, and hence, is able to make the best choice for himself/herself.
Sandler and Arce (2003) listed six strengths of game theory in analyzing the behavior of a hacker and a target. First, game theory captures the strategic interactions between a hacker and a target, that is, the players' actions are interdependent. Second, it captures the strategic interactions among the rational actors, who act according to their analysis about the opponent's actions. Third, each side has to consider the impacts of threat and punishment from the opponent. Fourth, hackers can observe that the target's actions are constrained and vice versa. Fifth, game-theoretic notions of bargaining can predict outcomes. Finally, game theory incorporates uncertainty and learning in a strategic environment.
In game theory, the Nash equilibrium is a solution concept used in non-cooperative games whereby no player can gain more by changing his/her strategy unilaterally (Osborne and Rubinstein, 1994). This strategy choice constitutes the Nash equilibrium and every finite game (finite players, finite strategies, and finite payoffs) has at least one equilibrium in mixed strategies. Pure strategies specify the nonrandom action selection of players. In this case, a player always selects one action from his/her action set, without any uncertainty. Contrary to pure strategies, mixed strategies specify the set of actions from which a random selection will be made. For example, if a cyber terrorist has an action set {Attack, Do Not Attack}, a mixed strategy of (30%, 70%) will result in selecting the action Attack with a probability of 30% and the action Do Not Attack with a probability of 70%, respectively.
3.1. Model development
For the sake of clarity only, we combine the groups of cyber terrorists and common hackers under the term attacker. Henceforth, in the rest of the paper, hackers will refer to common hackers, and attackers will refer to both cyber terrorists and common hackers. In this paper, we propose a one-state static 2 × 2 general-sum game between an attacker and a target. The normal form of the common IS security game is presented in Table 1. A target will be an information system. This general game model can be applied to all cyber crimes including common hackers and cyber terrorism, allowing us to compare their different strategies. Table 1 presents the rewards to the two players. In each of the four cells, gains to player 1 (the attacker) are shown first, followed by the losses to player 2 (the target organization), which are negative rewards.

Table 1
A general-sum IS security game. Each cell lists (attacker's reward; target's reward).

| Player 1: Attacker | Player 2: Target organization, Invest More in IS Security | Player 2: Target organization, Do Not Invest More in IS Security |
|---|---|---|
| Attack | $lP_1M + kz_1 - Q_1$; $-(P_1M + z_1)$ | $lP_0M + kz_0 - Q_0$; $-(P_0M + z_0)$ |
| Do Not Attack | $kz_1$; $-z_1$ | $kz_0$; $-z_0$ |

In this paper, we only define two actions which an attacker may choose. The action Attack means that an attacker can use all possible methods to attack the target organization. The possible attacking methods may include, but are not limited to, Denial-of-Service, Distributed Denial-of-Service, Dumpster Diving, Network Scanning, Viruses, War Dialing, Password Cracking, and social engineering. The target organization can also choose two actions: keep its current investment or increase its investment in IS security.
In Table 1, $P_1$ and $P_0$ denote the future and current probability of information systems breaches respectively. The variables $z_1$ and $z_0$ denote the target's future and current investment in IS security respectively. The variable M denotes the maximum instant loss in the incident of information systems breaches. The maximum instant loss includes any loss from incursions excluding the cost of security. Subscript 0 denotes the current state. Subscript 1 denotes the future state. $z_1 > z_0$ and $P_1 < P_0$.
$-(P_1M + z_1)$ is the reward to the target for the strategy pair {Attack, Invest More in IS Security}. If the attacker chooses the action Attack and the target chooses the action Invest More in IS Security, the target would lose $(P_1M + z_1)$.
$-(P_0M + z_0)$ is the reward to the target for the strategy pair {Attack, Do Not Invest More in IS Security}.
$-z_1$ is the reward to the target for the strategy pair {Do Not Attack, Invest More in IS Security}.
$-z_0$ is the reward to the target for the strategy pair {Do Not Attack, Do Not Invest More in IS Security}.
The reward to the attacker is more complex. In Table 1, l and k are parameters to convert the target's losses to the attacker's gains. k is a discount rate and represents the ratio of the attacker's gain to the investments made by the target in securing its systems. This comes about since the loss of utilizing the productive resources elsewhere for targets may be a gain that the attacker desires. In other words, k is the indirect benefit to the attacker from investments made by the target. l represents the ratio of the attacker's gain to the target's maximum instant loss. In other words, not all of the losses to the target will accrue to the attacker. In the perfect case of complete breaching, the gain to the attacker will be only $lM$. For example, if the maximum instant loss M is 100 million dollars and if l is 0.48, the reward to the attacker will be 48 million dollars. The value range of l and k is [0, 1].
Before attackers take action, they will evaluate their potential costs, punishment and reputational losses. We call this process deterrence. In Table 1, the capital letter P denotes the function P(z), the breach probability as discussed in Section 2.2.1. The function a(z) represents the probability that the attacker chooses the Attack action. The function Q(z) denotes the deterrence function including the potential punishment and costs. Given that the attacker's skills are fixed, it is assumed that
$$\frac{\partial Q}{\partial z} \geq 0 \quad (1)$$
i.e., if the target increased investment in IS security, the deterrence of the attacker would increase.
There is only one assumption concerning a(z): a(z = 0) = 1. That is, if the information system of a target were not protected by any IS security protection, the probability that an attacker selects the action Attack is 100%. In Fig. 1, $lP_1M + kz_1 - Q_1$ denotes the reward to the attacker if the attacker chooses the action Attack and the target chooses the action Invest More in IS Security. $P_1(z_1)$ denotes the new probability of information systems breaches with the new investment $z_1$. $Q_1(z_1)$ denotes the new deterrence, which includes his/her concerns about the potential punishment and costs of the new investment $z_1$. The deterrence function can be a linear function with variable z, or a constant value. The other values are treated in a similar manner with the subscript 0 referring to the target choosing the action Do Not Invest More in IS Security.

[Fig. 1. Optimal investment variance with discount rate changes (Gordon and Loeb breach function). Plot of optimal investment (percentage of maximum instant loss, 0 to 10) against discount rate (0.05 to 0.85) for four series: less sensitive and low deterrence, more sensitive and high deterrence, less sensitive and high deterrence, more sensitive and low deterrence; the discount-rate axis runs from Common Hackers to Cyber-Terrorists, with an arrow labelled Better Configuration and Administration.]
The variable a(z) represents the probability that the attacker chooses the action Attack, and the variable b(z) represents
the probability that the target chooses the action Invest More in IS Security. H denotes the total reward to the attacker and
L denotes the total reward to the target.
The break-even point occurs when $\lambda P M + k z - Q = k z$. The investment at the break-even point is represented as $z^*$. When the investment z is higher or lower than $z^*$, the two players' strategies will change.
Boundary conditions are given next.
When $z_0 < z^*$ and $z_1 < z^*$, $\lambda P_1 M + k z_1 - Q_1 > k z_1$, and the game reduces to a pure-strategy game. The profile of best responses in the static game is: the attacker will choose the action Attack regardless of the action of the target. The value of a is 100% until z increases to the breakpoint $z^*$.
When $z_0 < z^*$ and $z_1 > z^*$, $\lambda P_1 M + k z_1 - Q_1 < k z_1$, and the game becomes a mixed-strategy game. When the target chooses the action Invest More in IS Security, the attacker will choose the action Do Not Attack. When the target chooses the action Do Not Invest More in IS Security, the attacker will choose the action Attack.
The attacker's mixed strategy (a, 1 − a) indicates that the attacker chooses the action Attack and the action Do Not Attack with probabilities a and 1 − a respectively. The attacker chooses a to make the target indifferent between its two strategic choices.
$(P_1 M + z_1)\, a + z_1 (1 - a) = (P_0 M + z_0)\, a + z_0 (1 - a)$ (2)
Rearranging yields
$a = \dfrac{z_1 - z_0}{M (P_0 - P_1)}$ (3)
$H = \dfrac{(\lambda P_0 M - Q_0)\, k z_1 - k z_0\, (\lambda P_1 M - Q_1)}{(\lambda P_0 M - Q_0) - (\lambda P_1 M - Q_1)}$ (4)
When the attacker chooses the above mixed strategy (a, 1 − a), the target's rewards from its two actions are equal. Regardless of the target's strategy, the total reward to the target will not change, because the attacker chooses the Nash equilibrium.
The target's mixed strategy (b, 1 − b) indicates that the target chooses the action Invest More in IS Security and the action Do Not Invest More in IS Security with probabilities b and 1 − b respectively. Equating the attacker's two rewards results in
$b\, (\lambda P_1 M + k z_1 - Q_1) + (1 - b)\, (\lambda P_0 M + k z_0 - Q_0) = b\, k z_1 + (1 - b)\, k z_0$ (5)
From the above equation, we get
$b = \dfrac{\lambda P_0 M - Q_0}{(\lambda P_0 M - Q_0) - (\lambda P_1 M - Q_1)}$ (6)
$L = \dfrac{P_0 z_1 - P_1 z_0}{P_0 - P_1}$ (7)
When $z_0 \geq z^*$ and $z_1 > z^*$, $\lambda P_1 M + k z_1 - Q_1 < k z_1$ and $\lambda P_0 M + k z_0 - Q_0 < k z_0$. The function $PM + z$ has its minimum value at $z = z^{\#}$. When the probability that the attacker chooses the action Do Not Attack is 100%, the target will choose the action Do Not Invest More in IS Security with probability 100%. There is no reason for the target to increase its investment in IS security. The values of a and b both equal 0. The expected reward to the attacker, H, is $k z_0$. The expected reward to the target, L, is $z_0$.
When we assume $z_1 - z_0 = \varepsilon$ and $\varepsilon \to 0$, we obtain a dynamic game model. $z^*$ is the minimum loss of the target.
With changes to the k value, the general-sum static game model can represent different IS security games in which attackers have different preferences. One particular application of the general-sum static game model, a cyber terrorism game, is shown below in Table 2. In this extreme game, a cyber terrorist will gain the entire loss of the target. When $\lambda = 1$ and $k = 1$, the previous general-sum game model can be used as this extreme cyber terrorism game. In the reward cell {Attack, Invest in IS Security}, Q(z) denotes the cyber terrorist's deterrence function. We assume that Q(0) = 0. If a target country does not invest any money in IS security to protect the information system of the national critical infrastructure, the cyber terrorist will not experience any deterrence and this cyber terrorism game will become a zero-sum game.
Table 2
A cyber terrorism game model (rows: the cyber terrorist's actions; columns: the target's actions).
Cyber terrorist / Target | Invest More in IS Security | Do Not Invest More in IS Security
Attack | $P_1 M + z_1 - Q_1$ | $P_0 M + z_0 - Q_0$
Do Not Attack | $z_1$ | $z_0$
Cyber terrorists are different from common hackers. Common hackers may not consider the security investment of the target to be their reward, but for cyber terrorists this consideration may be meaningful, since any investment the host makes is a non-productive use of the host's resources. Although the literature indicates that cyber terrorists are not psychotic, their reward evaluations may be different from those of common hackers. Cyber terrorists may consider the security investment of the target to be one of their goals. The existence of a cyber terrorist threat forces the targeted government to divert money from other governmental funds. If the total governmental budget were fixed, the budget expenses for other public services would be reduced. If the investment in IS security exceeds the budget, the targeted governments might face a budget deficit. In the long run, taxes in the targeted country will increase and impact potential economic growth. In this extreme game, when $PM + z - Q = z$, the attacker does not gain from intruding, and hence the target has made the optimal investment and suffered a minimal loss.
To make our model simple, useful, and applicable, we make three assumptions.
1. The first assumption: The targeted information systems are not valuable to common hackers, but valuable to cyber terrorists.
2. The second assumption: The deterrence function is positively and linearly related to the security investment.
3. The third assumption: Attacking is a perfect information game.
For the general game, the following two propositions are supported by simulation results.
1. There is an optimal investment that minimizes the target's loss.
2. There is an optimal investment that minimizes the reward to the attacker.
Furthermore, the model is validated by using simulations to prove two intuitive behavioral actions:
1. Given identical deterrence functions, a sensitive breach function can lead to a lower optimal IS security investment than a less sensitive breach function.
2. Given identical breach functions, a high level deterrence function leads to a lower optimal IS security investment than a low level deterrence function.
4. Simulation results and discussion
Simulations were conducted in MatLab to demonstrate the behavioral actions. To simplify the model, we assume $k = \lambda$. The discount rate k and the ratio $\lambda$ are described in Section 3.1. The discount rate k is also termed the attacker's preference, where the two preferences that we analyze are cyber terrorism and hacking by common hackers. Fig. 1 demonstrates how the optimal security investment from the target's perspective changes with breach functions of different sensitivities, different deterrence levels, and different discount rates. The first class of Gordon and Loeb's breach functions (see Section 2.2.1), with different parameter values for a and b, $P = 1/(z + 1)$ and $P = 1/(4z + 1)^3$, and Hausken's third class of breach functions (see Section 2.2.1), with different parameter values for q and s, $P = 1/(1 + 0.0001(e^{z} - 1))$ and $P = 1/(1 + 0.0001(e^{2z} - 1))$, are used for our simulation. The deterrence function is modeled as a simple linear relationship between deterrence and security level, with the assumption that when the security investment increases, the deterrence to attackers increases. The two deterrence functions used, with different parameter values, are Q = z and Q = 4z + 5. This allows us to compare the impact of investments at high and low deterrence levels. A total of 8 cases are analyzed. They are the combinations of two breach functions (Gordon and Loeb, and Hausken), their sensitivity (sensitive and insensitive), and deterrence level (high and low). Table 3 presents the implications of the parameter values. Two levels were used for each parameter: high and low. For each case, the discount rate is changed from 0.05 to 1 in increments of 0.05 to reflect the difference between the behavior of hackers (low discount rate) and cyber-terrorists (high discount rate). The simulation results indicated very similar behavior for Gordon and Loeb's and Hausken's functions, and we only report on Gordon and Loeb's breach function.
Table 3
The implication of the parameter values.
Parameter values: Implications
High discount rate (if k ≥ 0.9): Cyber terrorism attacks
Low discount rate (if k ≤ 0.1): Common hacker attacks
More sensitive breach function, $P = 1/(4z + 5)^3$ where a = 4 and b = 3, or $P = 1/(1 + 0.001(e^{2z} - 1))$ where q = 0.001 and s = 2: Information systems with good administration and configuration: critical information systems
Less sensitive breach function, $P = 1/(z + 1)$ where a = 1 and b = 1, or $P = 1/(1 + 0.0001(e^{z} - 1))$ where q = 0.0001 and s = 1: Information systems with poor administration and configuration: non-critical information systems
High level deterrence, Q = 4z + 5: High costs to attackers to attack information systems successfully
Low level deterrence, Q = z: Low costs to attackers to attack information systems successfully
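The mixed-strategy equations (3), (4), (6) and (7) of Section 3 and the simulation set-up just described, as an added worked example in Python (not the authors' MatLab code): it encodes the Gordon and Loeb breach functions and the linear deterrence functions of Table 3, finds the break-even investment z* for each discount rate with k = λ, and evaluates the mixed-strategy quantities for a pair of investments straddling z*. The scale M = 100 (so that z reads directly as a percentage of M), the bisection method and the sample investments z0 = 5 and z1 = 12 are assumptions of this example.

```python
"""Numerical version of the static IS security game (added example, not the paper's code).

Assumptions: M = 100 so an investment z is a percentage of the maximum instant loss;
z* is located by bisection; breach functions are Gordon and Loeb class 1 with v = 1.
"""

M = 100.0  # maximum instant loss (assumed scale; z is then a percentage of M)


def gordon_loeb(a, b):
    """Gordon and Loeb first-class breach function P(z) = 1 / (a z + 1)^b."""
    return lambda z: 1.0 / (a * z + 1.0) ** b


def linear_deterrence(slope, intercept=0.0):
    """Deterrence function Q(z) = slope * z + intercept; slope >= 0 satisfies (1)."""
    return lambda z: slope * z + intercept


def attacker_reward(z, attack, P, Q, lam, k, M=M):
    """One cell of the attacker's payoff: lam*P(z)*M + k*z - Q(z) if Attack, else k*z."""
    return lam * P(z) * M + k * z - Q(z) if attack else k * z


def target_loss(z, attack, P, M=M):
    """One cell of the target's loss: P(z)*M + z if attacked, else z."""
    return P(z) * M + z if attack else z


def break_even(P, Q, lam, M=M, z_max=M, tol=1e-9):
    """Break-even investment z*: the root of lam*P(z)*M - Q(z) (k cancels out).

    The net gain from attacking decreases in z (P decreasing, dQ/dz >= 0),
    so a bisection search between 0 and z_max locates z*.
    """
    gain = lambda z: lam * P(z) * M - Q(z)
    if gain(0.0) <= 0.0:
        return 0.0          # already deterred with no extra investment
    if gain(z_max) > 0.0:
        return z_max        # attacking pays at every investment level considered
    lo, hi = 0.0, z_max
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if gain(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def mixed_strategies(z0, z1, P, Q, lam, k, M=M):
    """Equations (3), (6), (4) and (7) for the mixed-strategy case z0 < z* < z1.

    Returns (a, b, H, L): the attacker's Attack probability, the target's
    Invest More probability, the attacker's expected reward and the target's
    expected loss.
    """
    P0, P1, Q0, Q1 = P(z0), P(z1), Q(z0), Q(z1)
    a = (z1 - z0) / (M * (P0 - P1))                   # (3)
    A = lam * P0 * M - Q0                             # net gain from attacking at z0 (> 0)
    B = lam * P1 * M - Q1                             # net gain from attacking at z1 (< 0)
    b = A / (A - B)                                   # (6)
    H = (A * k * z1 - k * z0 * B) / (A - B)           # (4)
    L = (P0 * z1 - P1 * z0) / (P0 - P1)               # (7)
    return a, b, H, L


def optimal_investment_curve(P, Q, rates):
    """z* for each discount rate k, taking k = lam as in Section 4."""
    return [(k, break_even(P, Q, k)) for k in rates]


# The four Gordon and Loeb cases of Fig. 1 (parameter values from Section 4).
CASES = {
    "less sensitive, low deterrence":  (gordon_loeb(1, 1), linear_deterrence(1)),
    "less sensitive, high deterrence": (gordon_loeb(1, 1), linear_deterrence(4, 5)),
    "more sensitive, low deterrence":  (gordon_loeb(4, 3), linear_deterrence(1)),
    "more sensitive, high deterrence": (gordon_loeb(4, 3), linear_deterrence(4, 5)),
}


def main():
    rates = [round(0.05 * i, 2) for i in range(1, 21)]   # 0.05 .. 1.00
    for name, (P, Q) in CASES.items():
        curve = optimal_investment_curve(P, Q, rates)
        print(f"{name:32s} " + " ".join(f"{z:5.2f}" for _, z in curve))
    # Mixed-strategy case: z0 below and z1 above z* for the least protected system.
    P, Q = CASES["less sensitive, low deterrence"]
    k = 0.85
    a, b, H, L = mixed_strategies(5.0, 12.0, P, Q, k, k)
    print(f"z* = {break_even(P, Q, k):.3f}  a = {a:.3f}  b = {b:.3f}  H = {H:.3f}  L = {L:.3f}")


if __name__ == "__main__":
    main()
```

Each printed row reproduces one curve of Fig. 1: z* rises with the discount rate, and the more sensitive breach function with high deterrence stays lowest.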
Fig. 1 represents the results of the four cases. This figure clearly shows how the breach function sensitivity, the deterrence level, and the discount rate affect the optimal investment. If both the breach function and the deterrence level remain constant, preventing IS security breaches by attackers with a high discount rate (cyber terrorists) requires more investment in IS security. If both the breach function and the attacker's preference remain constant, a low deterrence level requires more investment in IS security. If both the deterrence level and the attacker's preference remain constant, a less sensitive breach function requires more investment in IS security.
Fig. 1 shows that, when all other factors are equal, the most critical factor for the optimal investment is the sensitivity of the breach function, which in turn depends upon the IS security configuration and administration. Additional resources expended on these will increase the sensitivity of the breach function. Deterrence also impacts the optimal investment; much of it is governed by the international legal infrastructure, over which organizations have little control but national governments have some control. However, assuming that the critical and strategic information systems have been well protected by organizations (more sensitive breach function), the optimal investment to protect an organization's assets in turn depends upon the motivation of the attacker group. The game theory simulation model clearly indicates that the optimal investments to protect IS systems from cyber-terrorists (high discount rate) are far greater than those to protect them from common hackers (low discount rate).
Compared with a common hacker without a long-term goal, the cyber terrorist with a long-term goal could push the target organization to increase its IS security investment. Any organization comprising the national critical information infrastructure must invest more funds to protect itself against cyber terrorism than against common hackers.
5. Discussion
Cyber terrorists breach organizations' information systems not for monetary gain but to create chaos and influence civilian audiences. Common hackers usually work for money. Most cyber terrorism targets are of little value to common hackers, and common hackers will not pursue these targets long term. Relatively speaking, cyber terrorists will exert a lot more effort than common hackers, who may not have the network support and financial resources to launch a very sophisticated attack against highly protected systems.
Organizations can change the breach function sensitivity, and national governments can influence the deterrence level to some extent. They cannot influence the attacker's preference, because the value of an organization's role in national security and information determines its adversaries and their preferences. The breach function sensitivity reflects the quality of an organization's security administration and configuration. Compared with the deterrence level, the breach function sensitivity is almost totally controlled by the organization itself. In other words, a small investment can result in a significant decrease in the breach probability, and is more effective than an increase in the deterrence level. We believe that organizations should improve the breach function sensitivity and leave the job of increasing the deterrence level to legal frameworks. The role of the deterrence function is to reduce the attacker's rewards by penalizing the attacker. All attacks require effort and may result in negative consequences. Our deterrence function incorporates the attacker's costs and the potential punishment. It is well known that terrorists are willing to sacrifice their lives to inflict damage on the target, so more effort should be spent to deter cyber terrorists.
Many things can affect the sensitivity of an IS security breach function in the real world. From the IS security architecture's perspective, the configuration of IS security can affect the sensitivity of the breach function. From the IS security controls' perspective, the preventive control and/or detective control can be improved to increase the sensitivity of the breach function. Preventive control includes improving the effectiveness of the firewall, antivirus, access control, social engineering management policies, and cryptography to reduce the probability of breaches. Detective control involves improving the effectiveness of intrusion detection systems.
The vulnerabilities of an information system fall into two categories: technical vulnerability and administrative vulnerability. Organizations must decrease both vulnerabilities to increase the sensitivity of the breach function. Decreasing only one type of vulnerability will not achieve a satisfactory result. Technical vulnerability includes the improper configuration of software and hardware, a lack of advanced security software, and vulnerable hardware. Administrative vulnerability includes a lack of experienced security professionals and poor employee security education. Compared with breach function sensitivity, the deterrence level has less of an effect on the optimal investment for IS security. Deterrence is a psychological process. Before a cyber terrorist takes action, he/she may consider the potential reputational gain. If the cyber terrorist's peers encourage his/her actions, the cyber-terrorist will commit the cyber crime despite the high risk of punishment.
The attacker's preference (discount rate) is important in determining the optimal investment, depending on whether attackers are more likely to be common hackers or cyber terrorists. In this paper, we use a high discount rate to represent cyber terrorists, and a low discount rate to represent hackers. The simulation results indicate that cyber terrorists can cause greater losses to target organizations. The reasons are clear: cyber terrorists have very clear goals and may spend years (Mitnick and Simon, 2005) attempting to intrude into the target organization. They are driven by political purposes and/or a sense of self achievement. By pursuing long-term attacks on the target, it is possible that they will eventually intrude into its systems.
Compared with common hackers, cyber terrorists are more dangerous. Common hackers prefer instant payoffs and act like shoplifters. They are opportunistic and cannot dedicate a long time to intruding into a single organization. Because common hackers are likely to cause less damage, a lower level of security investment can deter them. However, if an organization is attractive to cyber terrorists because of the information it holds or its role in critical infrastructure, the IS security level should be higher.
6. Conclusion
Our novel approach to exploring the economic impact of cyber terrorism combines economic theory, deterrence theory, and IS security. Our findings should assist academics and practitioners to understand cyber terrorism and its economic impact. Organizations that comprise the national critical infrastructure need to invest more heavily in information security than other organizations. Since penetrating such systems may also impact national security, national governments also have a stake in protecting these systems. There are several strategies available to national governments, such as subsidizing IS security investments, crafting cyber terrorism intrusion compliance policies, certifying such compliance, periodic IS security auditing of firms that comprise the national critical infrastructure, and sharing lessons learned. It is not only organizations that comprise the critical infrastructure that need to be concerned with optimal investment in information system security; all organizations accrue benefits from protecting themselves.
This research can also be generalized to other fields, such as financial fraud prevention. If we view inside employees as potential cyber criminals, this game model tells us that building a strong internal control system is as important as increasing deterrence levels, and that internal fraud committed by employees with long-range goals for their fraudulent activity is potentially more dangerous than fraudulent actions originating from employees with short-term goals.
Appendix A
The following cases were obtained from the United States Department of Justice (cybercrime.gov).
Attila Nemeth, 26, a Hungarian citizen, was sentenced on 02/03/2012 by U.S. District Judge J. Frederick Motz to 30 months in prison for transmitting malicious code to Marriott International Corporation computers and threatening to reveal confidential information obtained from the company's computers if Marriott did not offer him a job.
Luis Mijangos, 32, an illegal alien from Mexico, received a 6-year prison term from United States District Judge George H. King on 09/01/2011. Luis, a computer hacker, infected the computers of hundreds of victims by sending Trojan emails and instant messages embedded with malicious software that gave him complete access to and control over the victims' computers. In addition to stealing financial information, Luis also read victims' emails and IMs, watched them through their webcams, and listened to them through the microphones on their computers.
Lawrence R. Marino, 41, pleaded guilty on 07/13/2011 in federal court to repeatedly hacking into his former employer's computer systems to steal customer information. Lawrence faces a maximum penalty of 5 years in prison, a fine of up to $250,000, and restitution.
Kenneth Joseph Lucas, II, 27, was sentenced to a total of 13 years in prison for 49 counts of bank and wire fraud, aggravated identity theft, computer fraud, and money laundering conspiracy charges.
Former Montgomery County Police officer Delores Culmer, 37, pleaded guilty on 04/27/2011 to obtaining unauthorized information from protected government computers for her personal financial gain or commercial advantage. Culmer faces a maximum sentence of 5 years in prison and a $250,000 fine.
Rogelio Hackett Jr., 26, pleaded guilty on 04/21/2011 before U.S. District Judge Anthony J. Trenga in Alexandria, Va., to hacking into business computer networks and downloading credit card databases.
Lin Mun Poo, a resident and citizen of Malaysia, pleaded guilty on 04/13/2011 before United States District Judge Dora L. Irizarry at Brooklyn, New York. Poo compromised computer servers belonging to financial institutions, defense contractors, and major corporations such as the Federal Reserve Bank.
References
Aaronson, L., 2005. For love of money: malicious hacking takes an ominous turn. IEEE Spectrum 42 (11), 17–19.
Badey, T.J., 1998. Defining international terrorism: a pragmatic approach. Terrorism and Political Violence 10 (1), 90–107.
Becker, S., 1968. Crime and punishment: an economic approach. Journal of Political Economy 76 (2), 167–217.
Beveren, J.V., 2001. A conceptual model of hacker development and motivations. Journal of E-business 1 (2), 1–9.
Bodin, L.D., Gordon, L.A., 2005. Evaluating information security investments using the analytic hierarchy process. Communications of the ACM 48 (2), 79–83.
Bojanc, R., Jerman-Blazic, B., 2008. An economic modelling approach to information security risk management. International Journal of Information Management 28 (5), 413–422.
Campbell, K., Gordon, L., Loeb, M.P., Zhou, L., 2003. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security 11 (3), 431–448.
Cavusoglu, H., Mishra, B., Raghunathan, S., 2004. The effect of Internet security breach announcements on market value: capital market reaction for breached firms and Internet security developers. International Journal of Electronic Commerce 9 (1), 70–104.
Cavusoglu, H., Raghunathan, S., Yue, W.T., 2008. Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems 25 (2), 281–304.
Chu, C.C., Hu, S., Huang, T., 2000. Punishing repeat offenders more severely. International Review of Law and Economics 20 (1), 127–140.
Denning, D., Branstad, D., 1996. A taxonomy of key escrow encryption systems. Communications of the ACM 39 (3), 34–40.
Desouza, K., Hensgen, T., 2003. Semiotic emergent framework to address the reality of cyberterrorism. Technological Forecasting and Social Change 70 (4), 385–396.
Embar-Seddon, A., 2002. Cyberterrorism. American Behavioral Scientist 45 (6), 1033–1043.
Ettredge, M., Richardson, V., 2002. Assessing the risk in e-Commerce. In: The 35th Hawaii International Conference on System Sciences. IEEE Computer Society, Big Island, Hawaii, pp. 194–204.
Fagnot, I., 2007. Behavioral information security. In: Janczewski, L. (Ed.), Cyber Warfare and Cyber Terrorism. Idea Group Inc. (IGI), Hershey, PA, pp. 199–205.
Foltz, C., 2004. Cyberterrorism, computer crime, and reality. Information Management & Computer Security 12 (2/3), 154–166.
Furnell, S., Warren, M., 1999. Computer hacking and cyber terrorism: the real threats in the new millennium? Computers & Security 18 (1), 28–34.
Garg, A., Curtis, J., Halper, H., 2003. The financial impact of IT security breaches: what do investors think? Information Systems Security 12 (1), 22–33.
Gengler, B., 1999. Politicians speak out on cyberterrorism. Network Security 1999 (10), 6.
Gordon, S., Ford, R., 2002. Cyberterrorism? Computers & Security 21 (7), 636–647.
Gordon, L.A., Loeb, M.P., 2002. The economics of information security investment. ACM Transactions on Information and System Security 5 (4), 438–457.
Harzenski, S., 2003. Terrorism, a history: stage one. Journal of Transnational Law & Policy 12 (2), 137–196.
Hassan, N., 2001, November 19. An Arsenal of Believers: Talking to the Human Bombs. The New Yorker.
Hausken, K., 2006. Returns to information security investment: the effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers 8 (5), 339–349.
Hua, J., Bapna, S., 2012. How can we deter cyber terrorism? Information Security Journal: A Global Perspective 21 (2), 102–114.
Huang, C.D., Hu, Q., Behara, R.S., 2008. An economic analysis of the optimal information security investment in the case of a risk-averse firm. International Journal of Production Economics 114 (2), 793–804.
Hudson, R.A., 1999. The Sociology and Psychology of Terrorism: Who Becomes a Terrorist and Why? Library of Congress, Federal Research Division, Washington, DC.
Jormakka, J., Molsa, J.V., 2005. Modeling information warfare as a game. Journal of Information Warfare 4 (2), 12–25.
Keet, M., 2003. Terrorism and Game Theory: Coalitions, Negotiations and Audience Costs. University of Limerick, Limerick.
Kjaerland, M., 2005. A classification of computer security incidents based on reported attack data. Journal of Investigative Psychology and Offender Profiling 2 (2), 105–120.
Krueger, A., Maleckova, J., 2003. Education, poverty, political violence, and terrorism: is there a connection? Journal of Economic Perspectives 17 (4), 119–144.
Lee, W., Fan, W., Miller, M., Stolfo, S.J., Zadok, E., 2002. Towards cost-sensitive modeling for intrusion detection and response. Journal of Computer Security 10 (1–2), 5–22.
LeVeque, V., 2006. Information Security: A Strategic Approach. IEEE Computer Society, Hoboken, NJ.
Liu, W., Tanaka, H., Matsuura, K., 2008. Empirical analysis methodology for information-security investment and its application to reliable survey of Japanese firms. Information and Media Technologies 3 (2), 464–478.
Lye, K., Wing, J., 2005. Game strategies in network security. International Journal of Information Security 4 (1–2), 71–86.
Matusitz, J., 2009. A postmodern theory of cyberterrorism: game theory. Information Security Journal: A Global Perspective 18 (6), 273–281.
McCormick, G.H., 2003. Terrorist decision making. Annual Review of Political Science 6, 473–507.
Mitnick, K., Simon, W.L., 2005. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. Wiley Publishing, Inc., Indianapolis, IN.
Nakashima, E., 2010, March 4. FBI director warns of rapidly expanding cyberterrorism threat. Washington Post: <http://www.washingtonpost.com/wp-dyn/content/article/2010/03/04/AR2010030405066.html> (retrieved 10.12.10).
Nickolov, E., 2005. Critical information infrastructure protection: analysis, evaluation and expectations. Information & Security 17, 105–119.
Oksanen, V., Valimaki, M., 2007. Theory of deterrence and individual behavior. Can lawsuits control file sharing on the Internet? Review of Law & Economics 3 (3), 693–714.
Oprea, D., Mesnita, G., 2005, August. The Information System and the Global Terrorism. SSRN: <http://www.ssrn.com/abstract=906289> (retrieved 2008).
Osborne, M., Rubinstein, A., 1994. A Course in Game Theory. The MIT Press, Cambridge, MA.
Parks, R.C., Duggan, D.P., 2001. Principles of Cyber-Warfare. In: Information Assurance and Security, IEEE Workshop, West Point, NY.
Pearson, F.S., Weiner, N.A., 1985. Toward an integration of criminological theories. Journal of Criminal Law and Criminology 76 (1), 116–150.
Pedahzur, A., Perliger, A., Weinberg, L., 2003. Altruism and fatalism: the characteristics of Palestinian suicide terrorists. Deviant Behavior 24 (4), 405–423.
Poremba, S., 2011. Cyber terrorist threats loom 10 years after 9/11. msnbc.msn.com: <http://www.msnbc.msn.com/id/44415109/ns/technology_and_science-security/t/cyber-terrorist-threats-loom-years-after/> (retrieved 14.02.12).
Post, J.M., 2007. The Mind of the Terrorist. Palgrave Macmillan, New York, NY.
Quigley, M., 2007. Encyclopedia of Information Ethics and Security. IGI Global, Hershey, PA.
Rasmusen, E., 1995. How optimal penalties change with the amount of harm. International Review of Law and Economics 15 (1), 101–108.
Rebellon, C., Manasse, M., 2004. Do bad boys really get the girls? Delinquency as a cause and consequence of dating behavior among adolescents. Justice Quarterly 21 (2), 355–389.
Rees, M., 2002. Why suicide bombing is now all the rage. Time, 19–33.
Rogers, M., 1999. Psychology of computer criminals. In: The Annual Computer Security Institute Conference. Computer Security Institute, St. Louis, Missouri.
Rogers, M., 2001. A Social Learning Theory and Moral Disengagement Analysis of Criminal Computer Behavior: An Exploratory Study. University of Manitoba, Winnipeg, Manitoba.
Sageman, M., 2004. Understanding Terror Networks. University of Pennsylvania Press, Philadelphia.
Saha, A., Poole, G., 2000. The economics of crime and punishment: an analysis of optimal penalty. Economics Letters 68 (2), 191–196.
Sallhammar, K., Helvik, B., Knapskog, S., 2007. A framework for predicting security and dependability measures in real-time. International Journal of Computer Science and Network Security 7 (3), 169–183.
Sandhu, R., Coyne, E., Feinstein, H., Youman, C., 1996. Role based access control models. IEEE Computer 29 (2), 38–47.
Sandler, T., Arce, D., 2003. Terrorism and game theory. Simulation and Gaming 34 (3), 319–337.
Schechter, S.E., Smith, M.D., 2003. How much security is enough to stop a thief? The economics of outsider theft via computer systems networks. In: The 7th Financial Cryptography Conference. The International Financial Cryptography Association, Guadeloupe, pp. 122–137.
Schudel, G., Wood, B., 2000. Modeling behavior of the cyber-terrorist. RAND National Security Research Division Workshop, pp. 45–59.
Simmons, G., 1994. Cryptanalysis and protocol failures. Communications of the ACM 37 (11), 56–65.
Skinner, W., Fream, A., 1997. A social learning theory analysis of computer crime among college students. Journal of Research in Crime and Delinquency 34, 495–518.
Sonnenreich, W., Albanese, J., Stout, B., 2006. Return on security investment (ROSI): a practical quantitative model. Journal of Research and Practice in Information Technology 38 (1), 45–56.
Stanton, J.J., 2002. Terror in cyberspace. American Behavioral Scientist 45 (6), 1017–1032.
Straub, D.W., Welke, R.J., 1998. Coping with systems risk: security planning models for management decision making. MIS Quarterly 22 (4), 441–469.
Sunstein, C., 2003. Why Societies Need Dissent. Harvard University Press, Cambridge.
Verton, D., 2003. Black Ice: The Invisible Threat of Cyber-Terrorism. McGraw-Hill Osborne Media, Emeryville, CA.
Victoroff, J., 2005. The mind of the terrorist: a review and critique of psychological approaches. The Journal of Conflict Resolution 49 (1), 3–41.
Wang, J., Chaudhury, A., Rao, H.R., 2008. A value-at-risk approach to information security investment. Information Systems Research 19 (1), 106–120.
Wehde, E., 1998. US vulnerable to cyberterrorism. Computer Fraud & Security 1998 (1), 6–7.
Workman, M., Gathegi, J., 2007. Punishment and ethics deterrents: a study of insider security contravention. Journal of the American Society for Information Science and Technology 58 (2), 212–222.