"We propose a definition of critical infrastructure deterrence and develop a methodology to explicitly quantify the deterrent effects of critical infrastructure security strategies. We leverage historical work on analyzing deterrence, game theory and utility theory. Our methodology quantifies deterrence as the extent to which an attacker's expected utility from an infrastructure attack changes after a defender has invested to deter attacks, as compared to their expected utility absent deterrence. We derive expected utilities from a modified game theory approach, which uses probabilistic utility functions, wherein utility function probabilities are functions of investment. We vary these functions based on different information availability assumptions (e.g., perfect vs imperfect attacker information). We produce evidence that it is quantifiably more advantageous to overtly deter, rather than conceal security information, under specific conditions. We also leverage these utility functions to determine the unconditional risk to a defender if deterrence strategies fail, and we determine cost efficiency of those strategies."
© 2012 by the author(s). Posted here with permission. Documents are for personal use only and not for commercial profit. See document for full rights information.
Homeland Security Affairs Journal: http://www.hsaj.org/
Homeland Security Affairs (August 2012), v.8, article 12