Part 1 – Microeconomics of Intrusion, Incentives and Rational Actors

Intrusion is not an anomaly but an economic outcome. This essay reframes attackers and defenders as rational actors and explains why insecurity persists even when systems are competently designed and managed.

Intrusion is usually described as a failure. A system was breached, a defence was bypassed, a control did not work as intended. This framing is comforting because it implies that security is primarily a technical problem, solvable through better tools, stronger controls, or more competent execution. Yet this framing collapses under even minimal economic scrutiny.

If we assume rational behaviour, intrusion is not an anomaly. It is a predictable outcome. It emerges from incentives, cost structures, and asymmetries that reward attackers and constrain defenders. Understanding intrusion therefore requires abandoning the language of error and adopting the language of economics.

This essay frames intrusion as an economic activity, analyses the actors involved as rational optimisers, and explains why insecurity persists even when no one is incompetent, careless, or malicious beyond self-interest.

Framing the Market of Intrusion

Every system exposes assets. Data, compute, access, influence, reputation. Where assets exist, value exists. Where value exists, incentives follow.

Intrusion operates within this space as a market activity. Effort is exchanged for access. Risk is exchanged for reward. Time, skill, and tooling are invested in pursuit of asymmetric payoff. Whether the actor is criminal, political, or exploratory is secondary. The structure of the exchange remains the same.

Defensive systems often pretend this market does not exist. They treat intrusion as an external violation rather than an internal economic interaction. As a result, they optimise controls without pricing the underlying assets correctly.

This is the first failure. Markets do not disappear because they are ignored.

Defining the Actors

To analyse intrusion economically, the actors must be defined without moral colouring.

The attacker

The attacker is a rational actor operating under uncertainty. They invest effort where expected return exceeds expected cost. They abandon targets where marginal cost rises faster than marginal gain. They optimise for asymmetry.

Attackers do not need certainty. They need optionality. One success is sufficient. Nine failures are acceptable.

The defender

The defender is also a rational actor, but constrained differently. Defenders optimise for loss avoidance rather than gain. They operate under budgetary, organisational, and temporal constraints. They are accountable for failure, rarely rewarded for success.

Defenders must cover every path. Attackers need only one.

The organisation

The organisation mediates both sides, often poorly. It translates technical risk into budgets, policies, and priorities. In doing so, it introduces distortions. Costs are visible. Risks are abstract. Incentives reward stability, not resilience.

None of these actors are irrational. The system fails anyway.

Rational Behaviour Does Not Produce Security

A common security narrative assumes that breaches occur because someone made a mistake. A misconfiguration. A missed patch. A poor decision. While errors exist, they are not required to explain systemic insecurity.

If attackers are rational, they will probe until they find low-cost paths.

If defenders are rational, they will prioritise controls that are affordable, auditable, and politically safe.

If organisations are rational, they will accept a level of risk that does not immediately threaten viability.

These behaviours are individually reasonable. Collectively, they produce persistent vulnerability.

This is not a coordination failure. It is an equilibrium.

The Asymmetry Embedded in the Model

At the heart of intrusion economics lies asymmetry.

The attacker faces variable cost. Each attempt has a marginal cost that can be abandoned when it rises.

The defender faces fixed cost. Controls must be built, maintained, audited, and justified regardless of whether an attack occurs.

The attacker benefits from reuse. Techniques scale across targets.

The defender absorbs uniqueness. Each system is different, each failure contextual.

The attacker needs one success.

The defender needs total coverage.

This asymmetry is not accidental. It is structural. No amount of technical competence removes it.
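
A toy model of this asymmetry, added here as an illustration and not part of the original essay. The path labels, costs, probabilities, reward and budgets are constructed assumptions, and the cheapest-first defender strategy is a modelling choice.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    name: str
    attempt_cost: float   # attacker's marginal cost for one attempt
    success_prob: float   # probability that one attempt succeeds
    close_cost: float     # defender's fixed cost to close the path

def profitable(path, reward):
    # The attacker invests only where expected return exceeds expected cost.
    return path.success_prob * reward > path.attempt_cost

def defend(paths, reward, budget):
    """Close profitable paths, cheapest first, until the budget runs out.
    Returns (profitable paths left open, defender spend)."""
    spend, still_open = 0.0, []
    worth_closing = [p for p in paths if profitable(p, reward)]
    for p in sorted(worth_closing, key=lambda p: p.close_cost):
        if spend + p.close_cost <= budget:
            spend += p.close_cost
        else:
            still_open.append(p)
    return still_open, spend

def attack(open_paths, reward):
    """Try open paths, best expected net gain first, stopping at first success.
    Returns (breach probability, expected attacker profit)."""
    reach, profit = 1.0, 0.0   # reach = chance every earlier attempt failed
    gain = lambda p: p.success_prob * reward - p.attempt_cost
    for p in sorted(open_paths, key=gain, reverse=True):
        profit += reach * gain(p)
        reach *= 1.0 - p.success_prob
    return 1.0 - reach, profit

# Constructed sample values (assumptions, not data from the essay).
REWARD = 100.0
PATHS = [
    Path("A", attempt_cost=1.0, success_prob=0.10, close_cost=40.0),
    Path("B", attempt_cost=2.0, success_prob=0.05, close_cost=25.0),
    Path("C", attempt_cost=3.0, success_prob=0.10, close_cost=30.0),
    Path("D", attempt_cost=200.0, success_prob=0.30, close_cost=60.0),  # never profitable
]

if __name__ == "__main__":
    for budget in (60.0, 95.0):
        left, spend = defend(PATHS, REWARD, budget)
        print(budget, [p.name for p in left], spend, attack(left, REWARD))
```

With a budget of 60 the defender spends 55 closing two paths and the attacker still expects a profit from the one left open; only the full 95 removes every profitable path.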

Why Better Tools Do Not Close the Gap

Security tooling often claims to reduce risk by increasing visibility, automation, or control coverage. These improvements matter locally, but they do not alter the underlying economic imbalance.

Tools increase defensive cost faster than they increase attacker cost. Each new layer introduces complexity, maintenance, and integration overhead. Attackers adapt once. Defenders adapt continuously.

This leads to a familiar pattern. Defences accumulate. Complexity rises. Marginal benefit declines. Attack surfaces expand in new directions. The market adjusts.

From an economic perspective, this is price inflation without value correction.

Insecurity as a Predictable Outcome

If we accept the premises above, intrusion no longer appears surprising. It appears inevitable.

Systems are breached not because defenders fail to act, but because the cost of perfect defence exceeds the cost attackers are willing to pay to try. The imbalance is persistent, not episodic.

This reframing matters. When intrusion is treated as an exception, responses focus on blame and patching. When intrusion is treated as an equilibrium, responses must focus on incentive realignment.

That discussion comes later.

Summary

Intrusion is not primarily a technical failure. It is an economic one. Rational actors, operating under asymmetric cost structures, produce predictable insecurity even in well-designed systems.

Until intrusion is understood as a market outcome rather than a deviation, defensive efforts will continue to optimise locally while failing globally.

The question is no longer how to stop attackers. It is why the system makes attacking worthwhile.