Economics of malware: Epidemic risks model, network externalities and incentives

Malicious software, or malware for short, has become a major security threat. While originating in criminal behavior, its impact is also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. Our goal in this paper is to model and quantify the impact of such externalities on the investment in security features in a network. We study a network of interconnected agents, which are subject to epidemic risks such as those caused by propagating viruses and worms. Each agent can decide whether or not to invest some amount to self-protect and deploy security solutions, which decreases the probability of contagion. Borrowing ideas from random graph theory, we explicitly solve this 'micro'-model and compute the fulfilled expectations equilibria. We are able to compute the network externalities as a function of the parameters of the epidemic. We show that the network externalities have a public part and a private one. As a result of this separation, some counter-intuitive phenomena can occur: there are situations where the incentive to invest in self-protection decreases as the fraction of the population investing in self-protection increases. In a situation where the protection is strong and ensures that the protected agent cannot be harmed by the decisions of others, we show that the situation is similar to a free-rider problem. In a situation where the protection is weaker, we show that the network can exhibit critical mass. We also look at the interaction with the security supplier. In the case where security is provided by a monopolist, we show that the monopolist takes advantage of these positive network externalities by providing low-quality protection.
