Attacker’s Cost < Attacker’s Gain
Often the goal is not to eliminate the risk but, instead, to make it too expensive for the attacker. Consider the following two formulas:
• Attacker’s Cost < Attacker’s Gain—When this is true, it is appealing to the attacker.
• Attacker’s Cost > Attacker’s Gain—When this is true, the attacker is less likely to pursue the attack.
Cryptography is one of the ways to increase the attacker’s cost. If your company sends data across the network in cleartext, it can be captured and analyzed. If the company encrypts the data, an attacker must decrypt it before analyzing it. The goal of the encryption isn’t to make it impossible to decrypt the data. Instead, the goal is to make it too expensive or too time-consuming for the attacker to crack it.
(Gibson 24)
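To put numbers on the two inequalities above, the following added example (not from Gibson's text) models the attacker's cost as the expected expense of a brute-force key search and compares it with the attacker's gain. The throughput, hourly price and gain figures are constructed assumptions, and the model is a lower bound: it ignores cryptanalytic shortcuts, key reuse and implementation flaws.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackerModel:
    """Assumed attacker capability (constructed values, not measured data)."""
    guesses_per_second: float  # keys the attacker can test per second
    usd_per_hour: float        # what that search capacity costs per hour


def expected_guesses(key_bits: int) -> int:
    """Average number of keys tried before a brute-force search succeeds.

    A random key is found, on average, halfway through the keyspace.
    key_bits <= 0 models cleartext: there is nothing to search.
    """
    if key_bits <= 0:
        return 0
    return 2 ** (key_bits - 1)


def brute_force_cost_usd(key_bits: int, model: AttackerModel) -> float:
    """Expected attacker cost in USD to recover one key of the given size."""
    seconds = expected_guesses(key_bits) / model.guesses_per_second
    return seconds / 3600.0 * model.usd_per_hour


def attack_is_appealing(attacker_cost_usd: float, attacker_gain_usd: float) -> bool:
    """Gibson's rule: Attacker's Cost < Attacker's Gain makes the attack appealing."""
    return attacker_cost_usd < attacker_gain_usd


def compare_key_sizes(key_sizes, attacker_gain_usd: float, model: AttackerModel) -> dict:
    """Map each key size to (expected cost, whether the attack is still appealing)."""
    return {
        bits: (brute_force_cost_usd(bits, model),
               attack_is_appealing(brute_force_cost_usd(bits, model), attacker_gain_usd))
        for bits in key_sizes
    }


if __name__ == "__main__":
    # Constructed scenario: 10^12 guesses/s rented at $10/hour, data worth $10,000.
    model = AttackerModel(guesses_per_second=1e12, usd_per_hour=10.0)
    for bits, (cost, appealing) in compare_key_sizes([0, 56, 128], 10_000.0, model).items():
        label = "cleartext" if bits == 0 else f"{bits}-bit key"
        print(f"{label:>11}: expected cost ${cost:,.2f} -> "
              f"{'appealing' if appealing else 'not worth it'}")
```

Raising the key size from 56 to 128 bits does not make decryption impossible; it moves the expected cost from a few hundred dollars to a figure no realistic gain can justify, which is exactly the shift the two formulas describe.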
Gibson, Darril. Managing Risk in Information Systems, 2nd Edition. Jones & Bartlett Learning, 07/2014. VitalBook file.