We analyze the strategic interactions among end-users and between end-users and attackers in mass and targeted attacks. In mass attacks, precautions by end-users are strategic substitutes. This explains the inertia among users in taking precautions even in the face of grave potential consequences. Generally, information security can be addressed from two angles – facilitating end-user precautions and enforcement against attackers. We show that enforcement is more effective as an all-round policy to enhance information security. Facilitating user precautions leads to increased precautions and increased end-user demand, which have conflicting effects on the total harm suffered by end-users. Hence, reduced-form estimates of the impact of facilitating precautions may over- or underestimate the impact, depending on which effect is stronger. Further, in targeted attacks, the outcome of interaction between users and attackers depends on the specific cost functions. Attackers may target lowv...
Ivan P. L. Png, Qiu-Hong Wang