Morshed: Guiding Behavioral Decision-Makers towards Better Security Investment in Interdependent Systems

We model the behavioral biases of human decision-making in securing interdependent systems and show that such behavioral decision-making leads to a suboptimal allocation of security resources compared to non-behavioral (rational) decision-making. We provide empirical evidence for the existence of these biases through a controlled subject study with 145 participants. We then propose three learning techniques for improving decision-making in multi-round setups. We illustrate the benefits of our decision-making model on multiple real-world interdependent systems and quantify the gain relative to the case in which the defenders are behavioral. We also show the benefit of our learning techniques against different attack models. Finally, we identify how different system parameters affect the degree to which behavioral decision-making degrades security outcomes.
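The abstract states the thesis (behavioral defenders misallocate a security budget and incur higher true loss) without showing the mechanism. The script below is an added example, not the paper's code or its exact model: it assumes a constructed two-edge attack path (entry host to critical asset), an exponential investment-to-probability cost function per edge, and the Prelec probability weighting function w(p) = exp(-(-ln p)^alpha) as the behavioral bias model. All probabilities, sensitivities, budget and asset value are constructed. A rational defender minimises the true expected loss; a behavioral defender minimises the loss computed from weighted (perceived) probabilities. The example shows that the two choose different budget splits and that the behavioral split costs more under the true model, which is the kind of gap the paper quantifies.

```python
import math

# Constructed toy attack path: entry -> host -> critical asset, two edges in series.
BASE_PROB = [0.8, 0.6]      # baseline success probability of each edge (constructed)
SENSITIVITY = [1.0, 0.8]    # how strongly investment drives each edge's probability down (constructed)
BUDGET = 2.0                # total defender budget (constructed units)
ASSET_VALUE = 100.0         # loss if the attacker reaches the asset (constructed)
ALPHA = 0.5                 # Prelec parameter: 1.0 is rational, < 1.0 overweights small probabilities


def edge_prob(i, x):
    """True success probability of edge i after investment x (assumed exponential cost form)."""
    return BASE_PROB[i] * math.exp(-SENSITIVITY[i] * x)


def prelec(p, alpha=ALPHA):
    """Prelec probability weighting: the probability a behavioral defender perceives for true p."""
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    return math.exp(-((-math.log(p)) ** alpha))


def path_loss(alloc, perceive=lambda p: p):
    """Expected loss on the path: asset value times the product of (perceived) edge probabilities."""
    prob = 1.0
    for i, x in enumerate(alloc):
        prob *= perceive(edge_prob(i, x))
    return ASSET_VALUE * prob


def best_allocation(perceive, steps=200):
    """Grid-search the split of BUDGET over the two edges that minimises the loss as the defender perceives it."""
    best_loss, best_alloc = None, None
    for i in range(steps + 1):
        alloc = (BUDGET * i / steps, BUDGET * (steps - i) / steps)
        loss = path_loss(alloc, perceive)
        if best_loss is None or loss < best_loss - 1e-12:
            best_loss, best_alloc = loss, alloc
    return best_alloc


def compare():
    """Allocations chosen by a rational and a behavioral defender, both scored under the TRUE model."""
    rational = best_allocation(lambda p: p)
    behavioral = best_allocation(prelec)
    true_rational = path_loss(rational)
    true_behavioral = path_loss(behavioral)
    return {
        "rational": rational,
        "behavioral": behavioral,
        "true_loss_rational": true_rational,
        "true_loss_behavioral": true_behavioral,
        # relative loss reduction if the behavioral defender were guided to the rational split
        "gain_from_guidance": (true_behavioral - true_rational) / true_behavioral,
    }


if __name__ == "__main__":
    r = compare()
    print("rational split   :", r["rational"], "true loss %.3f" % r["true_loss_rational"])
    print("behavioral split :", r["behavioral"], "true loss %.3f" % r["true_loss_behavioral"])
    print("gain from guidance: %.1f%%" % (100 * r["gain_from_guidance"]))
```

With these constructed parameters the rational defender puts the whole budget on the more investment-sensitive edge, because the log of the true loss is linear in the investments. The behavioral defender's perceived log-loss is concave in each investment, so it spreads the budget across both edges (a naive-diversification pattern) and incurs roughly 13% more true expected loss. Setting ALPHA to 1.0 makes the weighting function the identity and the two allocations coincide, which is a useful sanity check on the model.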
