Information Security: User Precautions, Attacker Efforts, and Enforcement

We analyze the strategic interactions among end-users and between end-users and attackers in mass and targeted attacks. In mass attacks, precautions by end-users are strategic substitutes. This explains the inertia among users in taking precautions even in the face of grave potential consequences. Generally, information security can be addressed from two angles - facilitating end-user precautions and enforcement against attackers. We show that, enforcement is more effective as an all-round policy to enhance information security.Facilitating user precautions leads to increased precautions and increased end-user demand, which have conflicting effects on the total harm suffered by end-users. Hence, reduced form estimates of the impact of facilitating precautions may over- or under- estimate the impact, depending on which effect is stronger. Further, in targeted attacks, the outcome of interaction between users and attackers depends on the specific cost functions. Attackers may target low-valuation users as they take fewer precautions.