Previous Work
Much of the research on information systems security focuses on the costs and risks of various security schemes. A common practice is to analyze the level of risk for any given security outcome and perform cost/benefit analysis on the results as exemplified by Gordon and Loeb (2002).
For the purposes of this research, we model attackers as a homogeneous group of rational criminals. While there are many sorts of attackers this simplification makes the results much more understandable. We base the rational activities of our attacker upon the economics of criminal activity, first studied by Becker (1968). He assumed that criminals responded rationally to a set of incentives and studied the impact of issues like likelihood of punishment and severity of punishment on their behavior. Others extended this work, for example, Block and Heineke (1975) offered a labor theoretic model of criminal activity.
Rogers (1962, 1976) offers a model of user. In his model early adopters of technology behavior differently from late adopters. There are several theoretical models of IS (Information System) use that have seen empirical justification. TAM, the Technology Acceptance Model (Davis 1989) offers a means of analyzing the impact of ease of use upon Usage. It has been successful in establishing such a link, but does not explicitly consider other IS quality issues such as data quality and completeness.
The IS Success Model (ISM) explicated by DeLone and McLean (1992) includes constructs of information and system quality and posits that system and information quality lead to increased user satisfaction and increased use which in turn leads to net benefits. DeLone and McLean (2003) recently revised that model to expand measure of quality to include service quality and to explicitly include a feedback loop from net benefits to intention to use.
Wixom and Todd (2005) recently integrated TAM and ISM, and their results suggest that there is a link between system and data quality on the one hand and system usage on the other. On the other hand, Zhu and Kraemer (2005) argue that firm value is increased by IS usage in E-business applications.
TAM also supports a link from security to usage. In general, security will reduce ease of use which TAM predicts will reduce usage. Recent reports in the popular press (Richmond 2004, Grow 2005) suggests that attackers are motivated by economic interests and therefore are attracted by high value targets. These reports confirm the notion that increases in system value lead to increases in attacks.
We have also assumed that the security and value functions are continuous in nature. While security decisions are at least partially discrete, Rajuput, Chen, and Hsu (2005) demonstrate that security is being broken up into ever smaller increments as the users are given more and more options and the systems are more refined and complex. The result is that security choices are reasonably continuous.