The Economics of Information Security

A recent paper by Ross Anderson and Tyler Moore, “The Economics of Information Security: A Survey and Open Questions,” brings together the seemingly disparate fields of security and economics to discuss the reasoning behind security decisions. They provide examples such as why individual PC owners choose to install anti-virus software and why large banks choose to protect their ATMs. The authors use economics as a way to frame the choices and tradeoffs that are inherent in security design. They note the increased reliance on game and graph theory as an indicator of a changing security paradigm: “game theory and microeconomic theory are becoming just as important to the security engineer as the mathematics of cryptography.” (Anderson et al.)

Anderson and Moore propose that security can be viewed topologically: attackers and defenders are both nodes, and their alliances or attacks are the edges between them. As such, the defender often tries to attack the nodes and edges of their attacker, while the attacker tries to make his system robust, flexible, and adaptive.

Here is an excerpt from their paper: “Network topology can strongly influence conflict dynamics. Often an attacker tries to disconnect a network or increase its diameter by destroying nodes or edges, while the defender counters using various resilience mechanisms. Examples include a music industry body attempting to close down a peer-to-peer file-sharing network; a police force trying to decapitate a terrorist organisation; and a totalitarian government conducting surveillance on political activists.” (Anderson et al.)
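The topology argument in the excerpt can be made concrete with a small graph model that a defender could use to compare how resilient different layouts are. This is an added example, not code from the paper or from this post; the three sample topologies and all function names are constructed for illustration. It measures the largest connected component and the diameter before and after the highest-degree node is lost.

```python
from collections import deque

def build(edges):
    """Undirected adjacency map from an edge list."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def remove_node(adj, victim):
    """Topology after one node (and its edges) is destroyed."""
    return {n: nbrs - {victim} for n, nbrs in adj.items() if n != victim}

def hops_from(adj, start):
    """BFS hop counts to every node reachable from start."""
    depth, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth

def largest_component(adj):
    return max((len(hops_from(adj, n)) for n in adj), default=0)

def diameter(adj):
    """Longest shortest path, measured inside components if disconnected."""
    return max((max(hops_from(adj, n).values()) for n in adj), default=0)

def assess(adj):
    """(largest component, diameter) before and after losing the top-degree node."""
    target = max(sorted(adj), key=lambda n: len(adj[n]))
    hit = remove_node(adj, target)
    return (largest_component(adj), diameter(adj)), (largest_component(hit), diameter(hit))

# Constructed sample topologies, not taken from the paper.
STAR = build([("hub", f"leaf{i}") for i in range(6)])
RING = build([(i, (i + 1) % 8) for i in range(8)])
MESH = build([(i, (i + 1) % 8) for i in range(8)] + [(i, i + 4) for i in range(4)])

if __name__ == "__main__":
    for name, topo in (("star", STAR), ("ring", RING), ("mesh", MESH)):
        before, after = assess(topo)
        print(f"{name}: before={before} after={after}")
```

The star is disconnected entirely by one loss, the ring stays connected but its diameter grows, and the mesh with redundant cross-links degrades least, which is the resilience effect the excerpt describes.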

Economics of Information Security: http://www.cl.cam.ac.uk/~rja14/Papers/toulouse-summary.pdf
