Cybercriminals increasingly target the human factor rather than the continuously advancing technological defense mechanisms. Consequently, institutions that allocate substantial resources to strengthening their cybersecurity infrastructure may remain vulnerable if a deceived employee voluntarily transmits sensitive information or financial assets to attackers. Therefore, alongside the implementation of technological defense mechanisms, particular emphasis must be placed on mitigating human vulnerabilities, which can be achieved through preventive awareness programs. However, such training activities can only be effective if they are organization- and context-specific. In this paper, we develop two Colonel Blotto game models to determine the optimal allocation of defensive resources across dominant social engineering attack vectors. We ground the models in Routine Activity Theory (RAT), borrowed from criminology, which describes crime as an event involving a motivated offender, a suitable target, and the absence of a capable guardian. Next, we quantify the relevant factors via the VIVA (Value, Inertia, Visibility, Accessibility) framework and operationalize the models by feeding real-world cybercrime data into them. The first model investigates optimal population-level prevention, focusing on nation-states as defenders; we present and compare use cases of three different countries. The second model focuses on the organization as the decision-maker; here, we analyze five use cases involving organizations with different characteristics. Our results demonstrate that theoretically grounded and data-driven models can provide decision support to policymakers and organizational leaders in allocating their efforts optimally to prevent social engineering attacks and improve their overall cyber resilience.