Encouraging vulnerability bounties

Authors: Brent Kirkpatrick

Journal: The Intrepid Publication Series (TIPS)

Year: 2015

Abstract: The economics of severe cyber-attacks make little sense for the attacker. This manuscript uses probability theory to demonstrate that in an adversarial setting, more intense cyber-attacks provide the defending party with more economic potential. This result indicates that severe cyber-attacks are irrational.

The results of this work suggest that industry would be well-served by offering bounties for vulnerability information. Several types of bounties are explored, including those that are correlated to the economic cost of an exploited vulnerability. This work concludes that it is sufficient to offer constant bounties, where the bounty for every vulnerability would be valued identically. Such bounties discourage potential attackers from actually carrying out attacks, as they would be giving up economic value.

