DocumentCode
2579894
Title
Defensive dissuasion in security risk management
Author
McGill, William L.
Author_Institution
Coll. of Inf. Sci. & Technol., Pennsylvania State Univ., University Park, PA, USA
fYear
2009
fDate
11-14 Oct. 2009
Firstpage
3516
Lastpage
3521
Abstract
The purpose of this paper is to explore ways of integrating defensive dissuasion into a probabilistic framework for security risk analysis. Dissuasion influences attacker perceptions and choice with the effect of reducing the probability of occurrence for a particular course of action. Presently, few security risk analysis models offer an approach that explicitly incorporates the dissuasive effect of security in their assessments. This paper offers such an approach based on a simple model of attacker choice. This model suggests a number of alternative strategies for dissuading attackers from acting on a particular opportunity that threatens the interests of a protector. When uncertainty about the attacker is severe, this paper suggests an approach for estimating probability of attack that accounts for the dissuasive effects of countermeasures based on a worst-case attacker whose interests mirror the concerns of the protector. In addition, this paper discusses how an approach that explicitly accounts for dissuasion would enable decision makers to assess the benefits of countermeasures aimed solely at influencing attacker behavior in a manner favorable to the protector. This paper concludes by identifying directions for future research.
Keywords
probability; risk analysis; security of data; defensive dissuasion; probabilistic framework; security risk analysis model; security risk management; worst case attacker; Computer security; Cybernetics; Information security; Investments; National security; Protection; Risk analysis; Risk management; USA Councils; Uncertainty; attacker perceptions; defensive dissuasion; homeland security; security risk management; threat assessment;
fLanguage
English
Publisher
ieee
Conference_Titel
Systems, Man and Cybernetics, 2009. SMC 2009. IEEE International Conference on
Conference_Location
San Antonio, TX
ISSN
1062-922X
Print_ISBN
978-1-4244-2793-2
Electronic_ISBN
1062-922X
Type
conf
DOI
10.1109/ICSMC.2009.5346792
Filename
5346792