Monday, January 25, 2010

Exploiting the Rational Attacker

Attackers are often portrayed as irrational, fundamentally evil, or even demonic. They do what they do without regard to the damage that they may do. This is particularly true of amateurs doing mischief. They are simply unable to appreciate the value of public trust and confidence and the cost of the damage that they may do to it.

However, while one would not argue that rogue hackers understand that even they have an interest in an orderly world, one may argue that, at least collectively and across time and events, even they are rational. In the short run, they may underestimate the cost of attack and over-estimate the value of success, they may spend more than they gain. However, they will not do so over and over again. While an angry individual may deliberately spend more to damage another, than any psychic value to himself or even the cost of the remedy to his victim, there is some cost that will deter him, that he is unwilling or unable to pay.

Given two attacks to achieve a particular value of success, at least collectively, attackers will choose the cheaper of the two.

None of this is to suggest that the rogues are any better at estimating cost and value than any of the rest of us. They make their decisions in a "market" like the rest of us. However, within our tolerance for risk, our estimates of his cost of attack and value of success provide us with a guide for our spending on security. To the extent that we believe that his value of success is higher than his cost of attack, we should increase the cost of attack. We call that "security."

No comments:

Post a Comment