A Framework for Estimating the Value of Deterrence.

Abstract

This paper presents a framework for calculating the value of deterrence related to countermeasures implemented to mitigate an attack by an adaptive adversary. We offer a methodology for adapting Defender-Attacker Decision Trees to partition the utility of countermeasures into three components: (1) threat reduction (deterrence), (2) vulnerability reduction, and (3) consequence mitigation. The Expected Utility of Imperfect Control (EUIC) attributable to a specific implementation of the countermeasure is based on calculations from decision analysis and is defined as the difference in the expected utilities of the no countermeasure branch and the branch representing the countermeasure variant. The EUIC represents the net benefit of implementing the countermeasure, including all costs associated with development, implementation, and operation. Benefits primarily derive from three sources: (1) changes in attack probability (threat reduction), (2) changes in detection probability (vulnerability reduction), and (3) changes in the distribution of attack outcomes (consequence mitigation). We partition the EUIC and estimate the unique portion attributable to threat reduction, vulnerability reduction, and consequence mitigation. Calculations follow a subtraction logic, similar to those used to calculate the Value of Information (VOI). We provide example applications of the Value of Deterrence in an airport security domain. The proposed framework provides a methodology for explicitly accounting for deterrence in benefit-cost analyses.