Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information

A common assumption in security research is that more individual expertise unambiguously leads to a more secure overall network. We present a game-theoretic model in which this common assumption does not hold. Our findings indicate that expert users can be not only invaluable contributors, but also free-riders, defectors, and narcissistic opportunists. A direct application is that user education needs to highlight the cooperative nature of security and foster a sense of community, in particular among higher-skilled computer users. As a technical contribution, this paper represents, to our knowledge, the first formal study to quantitatively assess the impact of different degrees of information security expertise on the overall security of a network.
