Traditional cost-benefit analysis (CBA) quantifies the value of information security safeguards in terms of their expenses compared to their savings before and after their implementation. This paper considers CBA from the attacker's viewpoint, adding another type of measurement, the willingness to endure consequences. The authors propose a new set of equations and examine their implications vis-à-vis two typical network attacks, identity theft and intellectual property theft.
