We compare alternative information security policies: facilitating end-user precautions and enforcement against attackers. The context is mass and targeted attacks, taking account of strategic interactions between end users and attackers. For both mass and targeted attacks, facilitating end-user precautions reduces the expected loss of end users. However, the impact of enforcement on expected loss depends on the balance between deterrence and slackening of end-user precautions. Facilitating end-user precautions is more effective than enforcement against attackers when the cost of precautions and the cost of attacks are lower. With targeted attacks, facilitating end-user precautions is more effective for users with relatively high valuation of information security, while enforcement against attackers is more effective for users with relatively low valuation of security.
We adapt the event study methodology from research in financial economics to study the impact of government enforcement and economic opportunities on information security attacks. We found limited evidence that domestic enforcement deters attacks within the country. However, we found compelling evidence of a displacement effect: U.S. enforcement substantially increases attacks originating from other countries. We also found strong evidence that attackers are economically motivated in that the number of attacks is increasing in the U.S. unemployment rate. Our findings were robust to differences in the effective time window of enforcement and the measurement of vulnerabilities.