Jian Hua a,*, Sanjay Bapna b
a School of Business and Public Administration, University of the District of Columbia, 4200 Connecticut Avenue, Washington, DC 20008, United States
b School of Business and Management, Morgan State University, United States
Article info
Article history:
Received 9 November 2010
Received in revised form 2 October 2012
Accepted 21 October 2012
Available online 8 December 2012
Keywords:
Game theory
Information systems security
Security investment
Cyber terrorism
Abstract
What is the economic impact of cyber terrorism? Can organizations achieve strategic
advantage in the cyber terrorism game? A general game theoretical model is proposed
to study the optimal information systems (ISs) security investment and then applied to
compare the losses caused by cyber terrorists and common hackers. Literature is reviewed
on IS security, game theoretical models of IS security, cyber terrorism, cyber deterrence and
IS security breach function. Simulations with varying levels of attacker's preference, breach
function sensitivity and deterrence level are carried out to determine sensitivity to the
optimal IS security investment. Results suggest that organizations should invest more to
protect their strategic information systems against cyber terrorists who have long-term
goals.
Published by Elsevier B.V.
1. Introduction
Modern economies are heavily dependent upon Information Technology (IT) based information systems for survival.
Increased reliance on information systems (ISs) leads to increased vulnerabilities and risks. IS security has thus become a
critical issue in the IT world (Sonnenreich et al., 2006).
Investing optimally in the security of information systems can yield comparative strategic advantages (LeVeque, 2006)
through trustworthiness and positive image as perceived by partners, customers and suppliers; trust is difficult for
competitors to duplicate. Investing optimally implies avoiding inappropriate investment.
Information systems are vulnerable and it is possible for terrorists to utilize the vulnerabilities of information systems to
attack their adversaries (Jormakka and Molsa, 2005; Embar-Seddon, 2002). This has given rise to a new term, cyber
terrorism. Parks and Duggan (2001) have defined cyber terrorism as an extension of traditional terrorism and a new approach
adopted by terrorists to attack cyberspace. The FBI director, Robert S. Mueller, has warned that cyber terrorists will either
train their own recruits or hire outsiders, with an eye toward combining physical attacks with cyber attacks. Mueller also
stressed that the cyber threat cannot be fought by government alone (Nakashima, 2010).
Organizations that comprise the critical infrastructure of the national economy should be aware of the potential for ter-
rorist attack (Nickolov, 2005). Critical infrastructure refers to the essential assets which make society or a country function
well and includes energy, transportation, telecommunication, water supply and waste management, agriculture and food
supply, finance, public health, and essential government services. Organizations which form the critical infrastructure of a
national economy must protect their information systems well.
Cyber terrorists could feasibly target the information systems of critical infrastructure of countries. The threat of cyber
terrorism is more dangerous than that of common IS attacks (Verton, 2003) and is becoming a major concern for most coun-
tries (Foltz, 2004). Cyber terrorists inherit not only the characteristics of terrorists, but also the characteristics of hackers. The
only way to differentiate cyber terrorism from traditional hacking and other cyber crime is by ascertaining the motivation or
intention of the person or group launching the attack (Embar-Seddon, 2002).
0963-8687/$ - see front matter. Published by Elsevier B.V. http://dx.doi.org/10.1016/j.jsis.2012.10.004
* Corresponding author. Tel.: +1 202 274 7138; fax: +1 202 274 7023.
E-mail addresses: jhua@udc.edu (J. Hua), sanjay.bapna@morgan.edu (S. Bapna).
Journal of Strategic Information Systems 22 (2013) 175-186
The quality of IS security is highly related to the investments in IS security (Bojanc and Jerman-Blazic, 2008). The appro-
priate level of IS security investment can enhance the capability of organizations and governments to defend against cyber
terrorism attacks (Bodin and Gordon, 2005). The objective of IS security is to minimize an organization's potential losses by
balancing the investment cost and financial losses from intrusions. A solid theoretical foundation based on risk analysis and
terrorists' behavior prediction has not been well established in the field of IS security. Without proper risk and behavioral
analysis, non-optimal investment decisions in IS security will be made both in organizational and critical infrastructure
security systems.
In this paper, we examine the important factors that affect the optimal investment in IS security. We aim to show that
there are differences in the optimal investment for organizations, when they face the attacks from cyber terrorists compared
to attacks by common hackers. Even though both these attacks rely on the same toolset to attack an organization's
information systems, the motivation of cyber terrorists may lead to different optimal investment levels for organizations.
Game theory is used to create a model that includes critical factors that impact the optimal investment level. This model will show the
economic impact of cyber terrorism.
The rest of the paper is organized as follows. In the background section we review the literature on the related IS security
research and terrorism research, providing us with the background to propose a game theoretical model for IS security. The
game theoretical model is described in the methodology section. We then apply the model to cyber-terrorism. We discuss
the implications of our work in the conclusion.
2. Background
Prevention of cyber terrorism involves the study of IS security research and implementation techniques. Research on IS
security provides an understanding of the methods, threats, risks, and behavioral aspects of cyber crimes. Currently, there
are three streams of research related to IS security. The first stream is technology-based and concentrates on developing
and improving a variety of technological solutions to reduce IS security risks (Lee et al., 2002; Denning and Branstad,
1996; Sandhu et al., 1996; Simmons, 1994). The second stream of research is behavioral IS security, which is built on the
disciplines of psychology, criminology, and sociology, and focuses on finding the behavioral profiles of hackers and insiders
(Fagnot, 2007; Workman and Gathegi, 2007; Rogers, 2001; Kjaerland, 2005; Skinner and Fream, 1997). The third stream of
research is related to economic issues in IS security and analyzes broader IS security problems from an economic perspective,
which includes risk management and cost/benefit analysis (Campbell et al., 2003; Garg et al., 2003; Ettredge and Richardson,
2002; Cavusoglu et al., 2004).
This paper presents IS security research relevant to cyber terrorism. The primary focus in this paper is to develop game
theoretical models that explain the behavior of cyber-terrorists and hackers from an organizational investment perspective.
In order to develop such behavioral based models, literature on cyber terrorism, terrorism deterrence, IS security investment,
and prior studies on game theoretical models applied to IS security are discussed. Literature on technology-based IS security
is not presented since that is peripheral to this paper.
2.1. Cyber terrorism
The word terrorism can be traced back to the French Revolution when terror was used by the government to suppress
counter-revolutionary adversaries (Harzenski, 2003). Most terrorist acts share two common features: (1) they assault
civilians; and (2) they target victims that are not their true targets, but these victims do influence the target audience (Badey,
1998). The term terrorist refers to a person who practices terrorism. Terrorists know that they cannot be superior to their
adversaries in conventional resource-intensive warfare, hence they rely on techniques intended to erode the enemy's moral
and physical capacities (Oprea and Mesnita, 2005).
We define cyber terrorism as attacks implemented by cyber terrorists via information systems to (1) significantly
interfere with the political, social or economic functioning of a critically important group or organization of a nation, or (2) induce
physical violence and/or create panic. We define hackers as individuals who (1) wish to access/modify data, files, and
resources without having the necessary authorization to do so, and/or (2) wish to block services to authorized users. Cyber
terrorists are individuals or groups who utilize computing and networking technologies to terrorize. In this paper, we study
the behaviors of two groups of hackers: cyber terrorists and common hackers.
Because information about cyber terrorism and cyber terrorists is generally considered classified information which
cannot be released to the public, we can usually only infer that cyber terrorism and cyber terrorists exist. However, in
2010 the Federal Bureau of Investigation chief, Robert Mueller, told an RSA Conference of computer security professionals,
"The cyber-terrorism threat is real and rapidly expanding." He indicated that terrorists have shown a clear interest in
hacking skills and combining real attacks with cyber attacks.
While cyber terrorists are a sub group of hackers (Beveren, 2001; Rogers, 1999), an important difference between cyber
terrorists and other hackers pertains to their motivation. Cyber terrorists are politically or religiously motivated. Creating
fear and panic among civilians, and disrupting or destroying public and private infrastructure is the goal of terrorists. They
wish to coerce a targeted government to negotiate with them, or show their existence to their community, or demonstrate
their capabilities to their political and financial supporters (Embar-Seddon, 2002; Verton, 2003). Unlike viruses or computer
attacks that result in a denial of service, a cyber terrorist attack is designed to cause physical violence or extreme financial
harm (Poremba, 2011). In contrast, common hackers' motivations include addiction to hacking, curiosity, intention to gain
power, peer recognition and the sense of belonging to a group (Beveren, 2001). Increasingly the motivation is to make money
(Aaronson, 2005). Representative cases from the U.S. Department of Justice showing that most hackers tried to make money
from their hacking are presented in Appendix A.
A skilled hacker may attack the same target as a cyber terrorist; however, the cyber terrorist generally has more resources
than the hacker to support long-term uninterrupted attacks (Quigley, 2007; Furnell and Warren, 1999).
Salient characteristics of cyber terrorists listed by Schudel and Wood (2000) include:
- Even though it is assumed that cyber terrorists may have limited funding, they may be able to raise from hundreds of thousands to a few million dollars and also be willing to spend the raised funds for their attacks.
- Cyber terrorists are able to access commercial resources including consultants and commercial expertise.
- Cyber terrorists would be able to acquire all design information on a system of interest.
People commonly believe that terrorists are insane or psychopathic. Strictly speaking, psychopathic ailments can be
divided into two conditions: clinical illness and personality disorder. The person with clinical illness cannot differentiate
right from wrong, but the person with personality disorder can. As such, terrorists are rarely psychotic or insane (Victoroff,
2005; Hudson, 1999; Post, 2007; McCormick, 2003). Cyber terrorists are a sub group of terrorists, so we can conclude that
cyber terrorists inherit the basic psychological profile of terrorists: cyber terrorists are rational rather than insane. A cyber
terrorist has a similar profile to traditional terrorists (Poremba, 2011). The difference between a cyber terrorist and a
traditional terrorist is that the former has sophisticated hacking skills.
Contrary to common opinion, terrorists are also rarely sociopathic. There is no evidence, from any empirical study, that
demonstrates that terrorists are antisocial. Considerable evidence supports the observation that terrorists are regarded as
heroes, at least by their groups or local communities. The Middle Eastern students who join an Islamic radical group may
enjoy popular support and believe that they are serving their society in a pro-social way. Contrary to common understand-
ing, terrorists are altruistic in their groups (Keet, 2003; Krueger and Maleckova, 2003).
The following literature review on terrorism indicates that some terrorists are highly educated. For example, Rees (2002)
found that since the late 1990s, Middle Eastern terrorists have come from a wide demographic range, including university
students, professionals, and young women. Other research indicates that most terrorists come from a middle-class
background (Hassan, 2001; Pedahzur et al., 2003; Sageman, 2004). Krueger and Maleckova (2003) found that support for
terrorism against Israeli civilians was more common among professionals than among laborers, and more common amongst those
with a secondary education than among illiterate respondents. Sageman (2004) found that 71% of Muslim respondents who
claimed they were terrorists had at least some college education, with 43% having professional backgrounds. Thus, it is
reasonable to assume that many terrorists are highly educated and are computer literate. Since a pool of educated potential
terrorists exists, terrorist organizations can fund, and recruit such individuals and train them in the science of computer
security.
Foltz (2004) summarized some potential threats of cyber terrorism. A cyber terrorist could:
- Attack electrical power systems; gas and oil production, transportation, and storage; water supply systems; banking and finance (Embar-Seddon, 2002).
- Access a drug manufacturer's facility and alter its medication formulas to make them deadly (Wehde, 1998).
- Access hospital records and change patient blood types (Gengler, 1999).
- Report stolen information to others (e.g. troop movement) (Desouza and Hensgen, 2003).
- Manipulate perception, opinion and the political and socioeconomic direction (Stanton, 2002).
- Facilitate identity theft (Gordon and Ford, 2002).
The most dangerous cyber terrorism attacks are those that affect national infrastructure or business systems. Although
cyber terrorism may not be able to generate the same effect as a physical explosion, cyber terrorism can lead to extensive
monetary loss. If cyber terrorists shut down the Amazon.com website, potential customers would buy goods from other
online sellers. In this case, only Amazon.com would lose the sale; other online sellers would benefit from this
incident. However, if the intrusion resulted in the creation of spurious transactions, especially to key financial institutions, such
as the national/federal banks, then this could create a panic amongst businesses, which would, in turn, impact the national
economy adversely. Compared with other terrorism approaches, cyber terrorism requires fewer people and fewer inputs.
Cyber terrorism does not require the cyber terrorists to be physically present. Cyber terrorists can remotely launch attacks
and remain anonymous by using proxy servers and IP-change methods to hide their real addresses. Because cyber terrorists
can easily hide their identity, it is difficult for government agents to trace and capture them.
The easiest attack approach adopted by cyber terrorists is sending virus-infected e-mails. If the virus is new or unknown
and unable to be detected by the victim's antivirus software, it could behave in the interest of the cyber terrorists. A
computer worm, launched by a cyber terrorist, can burrow through a network, hide itself and can either steal information, or
disrupt the functioning of the computer systems.
2.2. IS security investment models
IS security investment models either borrow concepts from the financial domain, such as Net Present Value and Value-At-
Risk, or from the economic domain, such as utility theory or game theory. In this section, key papers in each of these
disciplines are mentioned, with greater focus on the literature on economic models.
Bojanc and Jerman-Blazic (2008) presented a financial approach for assessing the required information and
communication technology (ICT) security investment through the identification of assets and vulnerabilities. They used three methods
to quantify the costs and benefits of security investments: return on investment (ROI), net present value (NPV), and internal
rate of return (IRR). Huang et al. (2008) used expected utility theory to determine the optimal security investment level and
showed how an organization could manage its investment in information security based on the different characteristics of
threat environments and system configurations.
Wang et al. (2008) introduced the value-at-risk (VAR) approach to measure the daily risk of an organizational information
system. Using extreme value theory, they modeled the probability distribution of daily losses and time trends in the extreme
behavior of daily risks, but did not provide an operational approach to determine an appropriate security investment.
2.2.1. The breach function of IS security
Gordon and Loeb (2002) believed that previous studies related to the economic aspects of information security provided
little generic guidance on how to derive the proper investment in IS security. Hence, they built a model that considered how
the vulnerability of information and the potential loss from such vulnerability affected the optimal funding to secure that
information. They proposed two classes of security breach probability functions. The first class of security breach probability
functions proposed was
$$S^{I}(z, v) = \frac{v}{(a z + 1)^{b}},$$
where z is the investment, and v is the vulnerability. Their second class is not
considered in this paper. The parameters, a and b, are measures of the productivity of information security. The probability
of breaches decreases with increases in both of these parameters. Hausken (2006) proposed a logistic breach function
$$S^{III}(z, v) = \frac{v}{1 + q\,(e^{sz} - 1)}$$
(third class of breach functions) to address some of the drawbacks of Gordon and Loeb's classes of
breach functions. Hausken's other classes of breach functions are not considered in this paper. The parameters, q and s,
measure the productivity of information security. By varying the parameters of the functions, it is possible to model the
sensitivity of breaching information systems to investment levels. A sensitive breach function is a function where a moderate
increase in the amount of investment can decrease the breaching probability considerably. In other words, a sensitive breach
function has a steeper slope at a particular investment level, compared to an insensitive breach function.
Liu et al. (2008) empirically analyzed information security investment based on a survey of Japanese firms and used the
Japanese survey results to test Gordon and Loeb's model. They found that the effects of the information security investment
were to reduce the vulnerability effects. Their empirical results suggested that the defense measures associated with
information security policy and employee training could significantly reduce virus incidents, and that information security
investments were significantly affected by industry type.
2.2.2. The game theoretical model of IS security
Using game theory, Schechter and Smith (2003) developed a model for companies to gauge their attractiveness to thieves
and determine the proper level of security required for packaged systems. Under varying conditions of attack, their research
revealed that a company would benefit substantially by increasing the probability of detection and/or the probability of
repelling the attack, and by increasing the likelihood of hacker convictions.
Cavusoglu et al. (2008) claimed that the traditional decision-theoretic risk management techniques used to determine IS
security investments were incomplete, because the traditional techniques did not recognize that hackers alter their hacking
strategies in response to the firm's security investment strategies. They compared game theory and decision theory
approaches on the investment levels, vulnerability, and payoffs from investment and concluded that game theory was
appropriate to model IS security investment.
2.3. The deterrence function in IS security
Deterrence theory has been widely employed in the fields of economics and criminology to study the behavior of
criminals and antisocial individuals (Becker, 1968; Pearson and Weiner, 1985). In criminology, deterrence theory asserts that the
probability of criminal behavior varies with the expected punishment, which consists of the perceived probability of being caught
and the punishment level (Pearson and Weiner, 1985). In the realm of cyber terrorism, the expected punishment to cyber
terrorists depends upon national and international legal frameworks, the cooperation for information sharing between
nations, and states' ability to identify the perpetrators (Hua and Bapna, 2012).
Workman and Gathegi (2007) studied the effects of attitudes towards the law and the effects of social influence and
concluded that punishment was more effective in deterring people who tried to avoid punishment or negative consequences,
while ethics education was more effective in deterring people who had a strong social consciousness.
Oksanen and Valimaki (2007) conducted research on copyright violations and found that the strategy of minimizing risk
was not only theoretically practiced, but was also extensively used. They found that the classic deterrence model should
incorporate both the reputational cost of violations and the reputational benefit of violations (Sunstein, 2003). The
reputational cost means the unofficial sanction applied by the individual's peers. Reputational benefit comes from the support of
the individual's community, or peers (Rebellon and Manasse, 2004). The reputational benefit may play a significant role in
individual decision-making. This literature shows that there are possible reputational benefits behind cyber terrorism. The
increased reputation from peer groups after a successful cyber attack may motivate cyber terrorists.
Straub and Welke (1998) considered deterrence theory as a theoretical basis for security countermeasures to reduce IS
risks and posited that managers and administrative policies were the key to successfully deterring, preventing, detecting,
and pursuing remedies to cyber terrorism.
Determining the proper punishment is an important issue in the legal field. Legal systems in most societies specify
punishments that increase with the level of social harm caused by the criminal activities (Rasmusen, 1995). The punishment
may include punishment of a person or a group or the party to which the lawbreakers belong. For cyber terrorism, the
punishment may include anti-terrorism wars against the state where the cyber terrorists reside. Thus, for cyber terrorism the
punishment may be more severe, and in some cases exceed the losses caused to the victims.
3. Methodology
Game theory is a branch of applied mathematics widely applied in economics, accounting, finance, biology, and political
science. Game theory attempts to model interactions among rational players and mathematically predicts their choices of
action. Game theory has numerous applications, ranging from solving problems involving offense and defense (Cavusoglu
et al., 2008; Lye and Wing, 2005; Sallhammar et al., 2007) to the design of optimal penalties to deter crime, which can be
viewed as a rational choice decision (Saha and Poole, 2000; Chu et al., 2000). Game theory is a very useful approach to study
cyber terrorism (Matusitz, 2009).
In most applications of game theory, all players are assumed to be rational and desiring to maximize their rewards. Each
player also assumes that the other players will act rationally. This assumption guarantees that each player makes a correct
prediction on the choices of the other players, and hence, is able to make the best choice for himself/herself.
Sandler and Arce (2003) listed six strengths of game theory in analyzing the behavior of a hacker and a target. First, game
theory captures the strategic interactions between a hacker and a target, that is, the players' actions are interdependent.
Second, it captures the strategic interactions among the rational actors, who act according to their analysis of the opponent's
actions. Third, each side has to consider the impacts of threat and punishment from the opponent. Fourth, hackers can
observe that the target's actions are constrained and vice versa. Fifth, game-theoretic notions of bargaining can predict
outcomes. Finally, game theory incorporates uncertainty and learning in a strategic environment.
In game theory, the Nash equilibrium is a solution concept used in non-cooperative games whereby no player can
gain more by changing his/her strategy unilaterally (Osborne and Rubinstein, 1994). This strategy choice constitutes the
Nash equilibrium, and every finite game (finite players, finite strategies, and finite payoffs) has at least one equilibrium in
mixed strategies. Pure strategies specify the nonrandom action selection of players. In this case, a player always selects
one action from his/her action set, without any uncertainty. Contrary to pure strategies, mixed strategies specify the set
of actions from which a random selection will be made. For example, if a cyber terrorist has an action set {Attack, Do Not
Attack}, a mixed strategy of (30%, 70%) will result in selecting the action Attack with a probability of 30% and the action
Do Not Attack with a probability of 70%, respectively.
3.1. Model development
For the sake of clarity only, we combine the groups of cyber terrorists and common hackers under the term attacker.
Henceforth, in the rest of the paper, hackers will refer to common hackers, and attackers will refer to both cyber terrorists
and common hackers. In this paper, we propose a one-state static 2 × 2 general-sum game between an attacker and a target.
The normal form of the common IS security game is presented in Table 1. A target will be an information system. This general
game model can be applied to all cyber crimes including common hackers and cyber terrorism, allowing us to compare their
Table 1
A general-sum IS security game. Player 1 (Attacker) chooses the row; Player 2 (Target organization) chooses the column. Each cell lists the attacker's reward; the target's reward.

Player 1: Attacker | Player 2: Target organization, Invest More in IS Security | Player 2: Target organization, Do Not Invest More in IS Security
Attack | $\lambda P_1 M - k z_1 - Q_1$ ; $-P_1 M - z_1$ | $\lambda P_0 M - k z_0 - Q_0$ ; $-P_0 M - z_0$
Do Not Attack | $-k z_1$ ; $-z_1$ | $-k z_0$ ; $-z_0$
When the investment z is higher or lower than $z^{*}$ and $z_1 < z^{*}$, $\lambda P_1 M - k z_1 - Q_1 > -k z_1$, the game reduces to a pure-strategy game. The profile of best responses in the static game is: the attacker will choose the action Attack regardless of the action of the target. The value of a is 100% until z increases to the breakpoint $z^{*}$.
When $z_0 < z^{*}$ and $z_1 > z^{*}$, $\lambda P_1 M - k z_1 - Q_1 < -k z_1$, the game becomes a mixed-strategy game. When the target chooses the action Invest More in IS Security, the attacker will choose the action Do Not Attack. When the target chooses the action Do Not Invest More in IS Security, the attacker will choose the action Attack.
The attacker's mixed strategy (a, 1 − a) indicates that the attacker chooses the action Attack and the action Do Not Attack with probabilities a and 1 − a respectively. The attacker chooses a to make the target indifferent between its two strategic choices:
$$(-P_1 M - z_1)\,a + (-z_1)(1 - a) = (-P_0 M - z_0)\,a + (-z_0)(1 - a) \qquad (2)$$
Rearranging yields
$$a = \frac{z_1 - z_0}{M (P_0 - P_1)} \qquad (3)$$
and the expected reward to the attacker, H, is
$$H = \frac{-(\lambda P_0 M - Q_0)\, k z_1 + k z_0 (\lambda P_1 M - Q_1)}{(\lambda P_0 M - Q_0) - (\lambda P_1 M - Q_1)} \qquad (4)$$
When the attacker chooses the above mixed strategy (a, 1 − a), the target's rewards from its two actions are equal. Regardless of the target's strategy, the total reward to the target will not change, because the attacker chooses the Nash equilibrium strategy.
The target's mixed strategy (b, 1 − b) indicates that the target chooses the action Invest More in IS Security and the action Do Not Invest More in IS Security with probabilities b and 1 − b respectively. Equating the attacker's two rewards results in
$$b(\lambda P_1 M - k z_1 - Q_1) + (1 - b)(\lambda P_0 M - k z_0 - Q_0) = b(-k z_1) + (1 - b)(-k z_0) \qquad (5)$$
From the above equation, we get
$$b = \frac{\lambda P_0 M - Q_0}{(\lambda P_0 M - Q_0) - (\lambda P_1 M - Q_1)} \qquad (6)$$
and the expected reward to the target, L, is
$$L = -\frac{P_0 z_1 - P_1 z_0}{P_0 - P_1} \qquad (7)$$
When $z_0 \geq z^{*}$ and $z_1 > z^{*}$, $\lambda P_1 M - k z_1 - Q_1 < -k z_1$ and $\lambda P_0 M - k z_0 - Q_0 < -k z_0$. The function $PM + z$ has its minimum value at $z = z^{\#}$. When the probability that the attacker chooses the action Do Not Attack is 100%, the target will choose the action Do Not Invest More in IS Security with probability 100%. There is no reason for the target to increase the investment in IS security. The values of a and b both equal 0. The expected reward to the attacker, H, is $-k z_0$. The expected reward to the target, L, is $-z_0$.
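As an added illustration, not code from the paper: the following Python evaluates the Gordon and Loeb and Hausken breach functions of Section 2.2.1, compares their slopes (the paper's sensitivity notion) at one investment level, and feeds the resulting breach probabilities into the Table 1 payoffs to compute the mixed-strategy equilibrium of Eqs. (3), (4), (6) and (7) and cross-check it against the indifference conditions (2) and (5). The readings of M, λ, k and Q (target's loss from a successful breach, attacker's preference, attacker's cost per unit of target investment, expected punishment) are assumed, since their definitions fall outside this excerpt, and every number is constructed.

```python
"""Added example, not from the paper: breach functions (Section 2.2.1) feeding
the 2x2 attacker/target game of Section 3.1 (Table 1, Eqs. (3), (4), (6), (7)).
Symbol readings and all numbers below are constructed assumptions."""
import math
from dataclasses import dataclass


def breach_gl(z, v, a, b):
    """Gordon-Loeb class I: S^I(z, v) = v / (a z + 1)^b (z investment, v vulnerability)."""
    return v / (a * z + 1) ** b


def breach_hausken(z, v, q, s):
    """Hausken class III (logistic): S^III(z, v) = v / (1 + q (e^{s z} - 1))."""
    return v / (1 + q * (math.exp(s * z) - 1))


def sensitivity(breach, z, h=1e-6, **params):
    """|dS/dz| at z by central difference: the paper's 'sensitive' breach
    function is the one with the steeper slope at a given investment level."""
    return -(breach(z + h, **params) - breach(z - h, **params)) / (2 * h)


@dataclass
class Game:
    """Assumed readings (not defined in the excerpt): M target loss from a
    successful breach, lam attacker's preference (share of M gained), k attacker
    cost per unit of target investment, Q expected punishment (deterrence),
    P = S(z, v) breach probability at investment z0 (current) / z1 (raised)."""
    M: float
    lam: float
    k: float
    Q0: float
    Q1: float
    P0: float
    P1: float
    z0: float
    z1: float

    def payoffs(self):
        """Table 1 cells as (attacker reward, target reward)."""
        g = self
        return {
            ("Attack", "Invest"): (g.lam * g.P1 * g.M - g.k * g.z1 - g.Q1, -g.P1 * g.M - g.z1),
            ("Attack", "NotInvest"): (g.lam * g.P0 * g.M - g.k * g.z0 - g.Q0, -g.P0 * g.M - g.z0),
            ("NoAttack", "Invest"): (-g.k * g.z1, -g.z1),
            ("NoAttack", "NotInvest"): (-g.k * g.z0, -g.z0),
        }

    def is_mixed(self):
        """Mixed-strategy game: attacking beats not attacking only when the target
        does not invest more, i.e. lam*P*M exceeds Q at z0 but not at z1."""
        p = self.payoffs()
        return (p[("Attack", "Invest")][0] < p[("NoAttack", "Invest")][0]
                and p[("Attack", "NotInvest")][0] > p[("NoAttack", "NotInvest")][0])

    def equilibrium(self):
        """Mixed-strategy Nash equilibrium: a (Eq. 3), b (Eq. 6), and expected
        rewards H to the attacker (Eq. 4) and L to the target (Eq. 7)."""
        g = self
        u0 = g.lam * g.P0 * g.M - g.Q0  # attack gain net of punishment at z0
        u1 = g.lam * g.P1 * g.M - g.Q1  # same at z1
        a = (g.z1 - g.z0) / (g.M * (g.P0 - g.P1))
        b = u0 / (u0 - u1)
        H = (-u0 * g.k * g.z1 + g.k * g.z0 * u1) / (u0 - u1)
        L = -(g.P0 * g.z1 - g.P1 * g.z0) / (g.P0 - g.P1)
        return a, b, H, L

    def expected(self, a, b):
        """Expected (attacker, target) rewards under the mixed profile (a, 1-a) x
        (b, 1-b), computed directly from Table 1 to cross-check H and L."""
        p = self.payoffs()
        w = {("Attack", "Invest"): a * b, ("Attack", "NotInvest"): a * (1 - b),
             ("NoAttack", "Invest"): (1 - a) * b, ("NoAttack", "NotInvest"): (1 - a) * (1 - b)}
        return (sum(w[c] * p[c][0] for c in w), sum(w[c] * p[c][1] for c in w))


def example_game(z1=100.0):
    """Constructed scenario: Gordon-Loeb breach probabilities at z0 = 20 and z1."""
    z0, v, a, b = 20.0, 0.8, 0.02, 1.0
    return Game(M=1000.0, lam=0.1, k=0.1, Q0=50.0, Q1=50.0,
                P0=breach_gl(z0, v, a, b), P1=breach_gl(z1, v, a, b), z0=z0, z1=z1)


if __name__ == "__main__":
    g = example_game()
    a, b, H, L = g.equilibrium()
    print("mixed:", g.is_mixed(), f"a={a:.4f} b={b:.4f} H={H:.3f} L={L:.3f}", g.expected(a, b))
    print("slope GL:", sensitivity(breach_gl, 20.0, v=0.8, a=0.02, b=1.0),
          "slope Hausken:", sensitivity(breach_hausken, 20.0, v=0.8, q=0.5, s=0.05))
```

With z1 lowered to 25 the raised investment no longer deters the attacker, so is_mixed() is False and the game is the pure-strategy case where a stays at 100%.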
When we assume $z_1 - z_0 = \varepsilon$ and $\varepsilon \to 0$, we can get a dynamic game model. z