Subscribe
Essays

Part 3 - Designing Systems Where Attackers Lose Interest

Security improves when systems change incentives, not when they add controls. This essay explores how to design environments where rational attackers disengage because intrusion is no longer economically worthwhile.

Marco Brondani

3 min read
Part 3 - Designing Systems Where Attackers Lose Interest

If intrusion is an economic activity, and cost asymmetry is its enabling condition, then the central question of security design changes. The goal is no longer to block every attack, nor to eliminate vulnerability entirely. The goal becomes simpler and harder at the same time: to alter incentives so that rational attackers disengage.

This essay examines what it means to design systems where intrusion is no longer economically attractive. It argues that meaningful security improvement does not come from adding controls, but from reshaping cost curves, reducing asymmetry, and correcting the institutional distortions that currently subsidise attack.

Shifting Cost Curves Instead of Adding Controls

Most defensive strategies focus on accumulation. More tools. More monitoring. More policies. Each addition increases defensive effort while rarely increasing attacker effort proportionally.

Designing for attacker disengagement requires the opposite approach. The system must make each additional step of intrusion more expensive than the expected reward, not through absolute prevention, but through friction, uncertainty, and loss of scale.

This includes:

  • forcing attackers to customise rather than reuse techniques
  • increasing the cost of reconnaissance rather than detection
  • limiting the blast radius of partial success
  • ensuring that access does not compound into leverage

These measures do not promise invulnerability. They promise unattractiveness.

Making Success Non Compounding

A critical but under discussed factor in intrusion economics is compounding gain. Many systems fail because initial access scales too easily into control, persistence, or monetisation.

When a single foothold unlocks cascading advantage, attackers accept higher upfront cost. When success yields only local, temporary, or noisy access, attackers reassess.

Designing systems where success does not compound requires deliberate constraint. Privilege boundaries must be real, not nominal. Identity must degrade gracefully. Access must expire meaningfully. Lateral movement must be expensive and uncertain.

Attackers tolerate failure. They do not tolerate stalled progress.

Institutional Incentives That Subsidise Attack

Technical design alone cannot correct economic imbalance if institutions continue to subsidise insecurity.

Common distortions include:

  • treating breaches as exceptional rather than expected
  • externalising breach cost onto users or third parties
  • rewarding compliance over resilience
  • prioritising availability metrics over integrity outcomes

These incentives lower the effective cost of attack by ensuring that defenders, not attackers, absorb the consequences. Rational attackers respond accordingly.

Correcting this requires institutional courage. It requires accepting short term friction to reduce long term exposure. It requires acknowledging that some losses are the price of meaningful deterrence.

Security as Economic Engineering

Once framed economically, security begins to resemble other forms of market design. The objective is not control, but equilibrium.

Systems should be designed so that:

  • attack effort grows faster than reward
  • learning does not scale cheaply across targets
  • defenders gain information faster than attackers gain leverage
  • failures produce bounded loss rather than systemic compromise

This is not a call for perfect security. It is a call for economically sane security.

Ethical Consequences of Incentive Design

At this point, ethics re enter the analysis.

When systems are designed such that attack is cheap and consequence is externalised, harm occurs without malice. Users bear risk they did not choose. Institutions benefit from convenience while distributing cost invisibly.

Designing systems where attackers lose interest is therefore not merely a defensive improvement. It is an ethical correction. It aligns responsibility with capability. It internalises cost where power resides.

Intent matters less than structure. Harm emerges from incentives long before it emerges from intent.

The Limits of Deterrence

Not all attackers are rational in the economic sense. Some seek disruption rather than gain. Some pursue ideological goals. Some accept loss as success.

Designing for attacker disengagement does not eliminate these threats. It reduces the population for which attack is economically trivial. It reserves defensive effort for adversaries who cannot be priced out.

This distinction matters. Systems fail when they attempt to defend against everyone equally. They succeed when they narrow the field.

Conclusion

Security fails when it attempts to outbuild attackers. It improves when it outprices them.

Designing systems where attackers lose interest requires abandoning the illusion of perfect defence and embracing economic realism. It requires shifting cost curves, constraining compounding gain, and correcting institutional incentives that reward fragility.

Intrusion will not disappear. But it can become uneconomical.

When that happens, insecurity stops being a constant condition and becomes an exceptional one. Not because attackers were defeated, but because the market no longer rewards them.

Read more