Game theory is a field of economics that studies the strategic interactions between multiple agents. Since its development in the early 20th century, it has found several applications in different fields, ranging from auctions to politics, and even sports. One interesting instance where game theory can provide a better understanding of the engagement between opposite interests is criminal behavior.[1]
In just a few decades, the advent of digitalization and the invention of the World Wide Web have led to a drastic revolution in several aspects of our lives; and just like the rest of the world has evolved, so has criminality. Today extortion cases are increasingly common in a digitalized form. According to the Federal Bureau of Investigation (FBI), cybercrime extortionists are “increasingly attacking corporate websites and networks, crippling their ability to operate and demanding payments to restore their service”[2]. Cyber extortion may target corporations as well as individuals. In the latter case, it often involves threats to publish sensitive material, including passwords, data, or compromising pictures (in which case we speak of sextortion), in exchange of a monetary compensation, usually paid in bitcoins as they grant anonymity to the felon.[3]
Using Game Theory to Represent Cyber Extortion
Suppose a criminal gains access to compromising material from an individual’s computer and threatens to make it public unless he is compensated with a sum of money. We may represent this scenario as a game where the players are the blackmailer and the victim, their possible actions are given, respectively, by the choice to enact the threat (publish the material) or not, and the choice to give in to the extortion (pay the sum) or not. There are four possible payoffs: the utility of money exchanged (+S for the criminal, -S for the victim, S>0), the disutility suffered by the victim from the release of compromising materials (DU<0), for example reputation damage, and the expected loss caused by the risk of prosecution incurred by the blackmailer (EL<0), should he decide to enact his threat. We will now proceed to give representative values to these payoffs.
The sum of money the blackmailer asks for will be such that the utility of losing it is higher than the loss the victim will confront if the threat is enacted. In other words, the blackmail will be effective if the victim prefers losing his money rather than having the compromising materials published. Otherwise, he will never give in and the blackmailer will not gain any sum. We will then reasonably assume that this intimidation constraint holds.
Intimidation constraint: the victim is threatened by the blackmailer iff DU < -S.
Of course, it may be hard for the blackmailer to determine and quantify with precision the disutility caused by publishing the pictures. For this reason, the blackmailer usually threatens to do something which has very grave consequences on the victim (compared to the sum asked) to ascertain he/she will give in (Gambetta, 1994).
Next, we note that should the blackmailer choose not to publish the pictures, he will incur in the risk of being caught by authorities. Although risk-averse the criminal may be, this risk cannot be ignored as it would lead to severe consequences: in most countries, extortion is punished with severe sanctions and even conviction.[4] To determine the disutility generated by such risk we must introduce an element of probability, since it is not certain that the extorter will be caught.
The expected loss incurred by the blackmailer if he enacts his threat is EL=p*R, where p in [0,1] is the probability of being caught and R<0 is the disutility generated by the consequences he faces if caught. On the other hand, if he does not publish the material, he incurs in no risk and his disutility is 0.
At first glance, we may see that the blackmailer would always prefer not to publish the pictures and avoid the correlated risk. At the same time, if the intimidation constraint is satisfied (that is, if the blackmailer chooses the requested sum wisely), the individual will prefer to pay the sum. Hence, the resolution of this situation might seem to lie where the individual pays and the blackmailer does not to publish the material. However, by thinking strategically, we may spot a fallacy in the blackmailer’s strategy: the blackmailer wants to make the individual believe that if he does not pay the sum, the direct consequence will be the material will be published. However, this disregards a key element of the game: since this is a sequential game, the individual will have a first mover advantage by choosing whether to pay or not, and knows, based on his actions, how the extorter will respond. In any case, the blackmailer will be consequently confronted with the choice of whether to publish the pictures or not. When faced with such decision, the blackmailer will always choose not to publish the pictures since he has nothing to gain from publishing them if he cannot blackmail anymore: he only risks persecution by legal authorities.
To better understand this, we can use a diagram.
Representing Cases of Blackmailing as Sequential Games
The payoffs for the blackmailer are S, the sum of money gained from victim and EL, which is the expected utility that the blackmailer receives considering all known consequences of publishing the pictures. For now, we will assume that the blackmailer does not know the victim, and he/she is not intrinsically evil (seeks no utility in causing harm to the victim), but just acts in his own economic interest (a perfectly rational human being).
We can solve this game by identifying the subprime perfect Nash equilibrium (SPNE).[5] Working by backwards induction, we see that the blackmailer’s choice will be in any case not to publish pictures (D): given the victim chooses A, if the blackmailer chooses to publish the pictures his pay-off is S+EL, while if he does not his pay-off is S, and S>S+EL since EL <0; in case B, if he chooses C his payoff is EL, while if he chooses D it is 0, and 0>EL. In both cases, then, not publishing the pictures yields higher payoffs. This confirms that when confronted with the choice of publishing the material, the blackmailer will not do so, regardless of whether he has received the money or not. The strategy of the blackmailer is D in any case. Knowing that the blackmailer has no convenience in publishing the pictures if not for his threatening power, which disappears once the victim has made his choice, the victim should not give in, and the blackmailer will not publish the material anyways, leading to the highest possible pay-off: 0.
But then why are Blackmails so common and so successful?
The real strategy of the blackmailer hinges on his ability to convince the victim that if he/she does not pay the money, this will surely result in the threat being enacted (in our example, the compromising materials will be made public). Yet, from a rational perspective, he can’t credibly enforce the threat, since it is not convenient for him to make such choice, under any circumstance.
So why do extortions work?
A Game of Psychology
One possible explanation is that blackmailers exploit fear and other emotions to induce the victim into adopting a non-rational behavior. The extortion can be successful if it triggers an emotional response in the victim, which has been shown to severely undermine a person’s capability to make the most reasonable choices.[6] From this perspective, it can be seen as a psychological game: the outcome depends on whether the victim be intimidated, that is, if the blackmailer can convince him/her that he will publish the material even though he has nothing to gain from it.
What should the victim do?
In light of what we have found, the best strategy for the victim is to exclude the possibility of giving-in right from the beginning. By making clear he will not pay any amount of money, the blackmailer will understand that his intimidation is unfruitful and will be confronted with a lottery where he has no possible benefit, but actually incurs in a risk if he participates: the risk of being caught. In other words, he can choose to harm the victim, but he has nothing to gain from it.
What can be done to reduce cyber extortion?
We see from the diagram that the first way to reduce cyber extortion can be a rise in the disutility of publishing the material via an increase of the probability that the blackmailer will be caught. This can be achieved through a greater monitoring by the web authorities, which is likely to happen in the next few years.
Flaws of the model
During this exploration, certain assumptions have been made which are not necessarily true. For example, we can’t be sure that the extorter will act in a rational way, according to his best interest. In more complex scenarios, such as the one advanced by Gambetta, where the extorters are a criminal organization, they may have to punish the victim if he chooses not to give in, so that to establish credibility or maintain their reputation. Doing so, they will lead future victims to think that if the extortion is not respected, then the threat will be enacted, even if it means proceeding in spite of their own interests. This will presumably allow the organization to gain more money by blackmailing more individuals in the future with a higher success rate. This is an example of signaling: the blackmailer is undergoing a costly action in order to send a signal to the potential victims of its intentions and ability to cause harm (Gambetta, 1994). However, in cases of cyber extortion, which evolve through the web, anonymity makes it more difficult and in fact futile for the extorter to establish a reputation.
Furthermore, it is important to note that the blackmailer may act in multiple stages. More research could be done by analyzing bargaining in repeated games. In this context, the two agents will have a time frame to come to an agreement, and multiple actions/offers can be made throughout the process (Levin, 2002).
[1] Already In 1994, Italian economist Diego Gambetta discussed a game-theoretical approach to extortion by part of organized criminal associations, citing the Mafia as an entity that generates revenues by blackmailing entrepreneurs. Cfr. GAMBETTA, D. (1994), Inscrutable markets, Rationality and Society, 6, 353–368.
[2] https://www.fbi.gov/investigate/cyber
[3] https://www.consumer.ftc.gov/blog/2019/11/scams-telling-you-pay-bitcoin-rise
[4] https://www.oecd.org/corruption/acn/ACN-Foreign-Bribery-Offence-Enforcement-ENG.pdf
[5] Bernheim, B. Douglas, and Michael D. Whinston. Microeconomics. McGraw Hill Education Create, 2018.
[6] https://www.cnbc.com/2020/03/20/how-fear-influences-your-behavior-and-how-to-cope.html
Other Works Cited
Von Neumann, J. and Morgenstern, O.: Theory of Games and Economic Behavior. 2nd edition. Princeton University Press, Princeton, 1947,
Von Neumann, J., and Morgenstern, O.: The Theory of Games in Economic Behavior. Wiley, New York, 1944,
Nash, J.F.: Equilibrium points in n-person games.
Proceedings of the National Academy of Sciences USA 36, 48-9, 1950,
Smith A, Varese F. PAYMENT, PROTECTION AND PUNISHMENT: THE ROLE OF INFORMATION AND REPUTATION IN THE MAFIA. Rationality and Society. 2001;13(3):349-393. doi:10.1177/104346301013003003
J. Levin, 2002, https://web.stanford.edu/~jdlevin/Econ%20203/RepeatedGames.pdf