Thesis (Ph.D., Computer Science)--University of Idaho, June 2014 | Information systems are pervasive in our everyday life. Anyone who is online must deal with the consequences of the fact that such systems are prone to malicious attack. In our attempt to safeguard our systems, determination of the value of security measures is critical and is an area currently undergoing scrutiny by many researchers. There has been much research and development done on various technological security tools but there has been less work on the human side of computer security. One method to determine the actions and the intent of attackers in this environment is to simulate interactions between an information system, its users, and a population of attackers. Initial simulation results suggest that the marginal value of additional security may be positive or negative, as may the time rate of change of system value. Models created with this in mind have shown some predictive value, but are based on certain strong assumptions. In particular, our model assumes that the attacker's response to changes in a system's value and security are ”S” shaped. The goals of this dissertation are to support or refute these assumptions to make a more predictive model.