A Survey of Interdependent Security Games

Working paper

Interdependence of information systems is a fundamental property that shapes the problems in information security. The risks faced by system operators and users are not only determined by their own security posture, but are also heavily affected by the security-related decisions of other connected systems. Therefore, defending networked systems relies on the correlated action of the system operators or users. In this survey, we summarize game-theoretic interdependence models, characterize the emerging security inefficiencies and present solution methods. Our goal is to distill the main insights from the state of the art and to identify the areas that need more attention from the research community.
