Ye Hong and William Neilson have solved for the equilibrium:
This paper models cybercrime by adding an active victim to the seminal Becker model of crime. The victim invests in security that may protect her from a cybercrime and, if the cybercrime is thwarted, generate evidence that can be used for prosecution. Successful crimes leave insufficient evidence for apprehension and conviction and, thus, cannot be punished. Results show that increased penalties for cybercriminals lead them to exert more effort and make cybercrimes more likely to succeed. Above a threshold they also lead victims to invest less in security. It may be impossible to deter cybercriminals by punishing them. Deterrence is possible, but not necessarily optimal, through punishing victims, such as data controllers or processors that fail to protect their networks.
Via the excellent Kevin Lewis.