Although system administrators are frequently urged to protect the machines in their network, the decision to mandate protection is far from universal. To better understand this decision, we formulate a model of interdependent network security in which a system administrator is responsible for protecting a network of size n against autonomous attackers who attempt to penetrate the network and infect its machines with viruses or other exploits. We introduce the concept of a loss profile, which encapsulates the idea of variable loss due to infection. By applying a simple loss profile to this interdependent network security scenario, we conclude that the decision depends on a number of factors, including external and internal vulnerabilities, the types and likelihoods of different amounts of loss, and the interaction of all of these effects. Through this analysis, we form a model for decision-making that is simple to understand and applicable to many other interdependent security scenarios.