论文信息 - Security investment games of interdependent organizations

Security investment games of interdependent organizations

In various computer security settings, such as when customers use the same passwords at several independent Web sites, security decisions made by one organization may have significant impact on the security of another. We develop a model for security decision-making in inter-dependent organizations described by a linear influence network. In this model, a matrix represents how one organization's investments are augmented by some linear function of its neighbors investments. Each element of the matrix, representing the strength of influence of one organization on another, can be positive or negative and need not be symmetric with respect to two organizations. A simple matrix condition implies the existence and uniqueness of Nash equilibria, which can be reached by a natural iterative algorithm. We demonstrate that there are ways of improving the matrix such that two organizations decrease their investments while all others maintain the same level of investment. We apply this framework to the setting of Web site security with shared passwords.

N. Bambos | R.A. Miura-Ko | B. Yolken | J. Mitchell

[1] Robert J. Plemmons,et al. Nonnegative Matrices in the Mathematical Sciences , 1979, Classics in Applied Mathematics.

[2] John N. Tsitsiklis,et al. Parallel and distributed computation , 1989 .

[3] D. Fudenberg,et al. The Theory of Learning in Games , 1998 .

[4] Edward W. Felten,et al. Password management strategies for online accounts , 2006, SOUPS '06.

[5] John N. Tsitsiklis,et al. Parallel and distributed computation , 1989 .

[6] Richard W. Cottle,et al. Linear Complementarity Problem. , 1992 .

[7] Nicholas Bambos,et al. Security Decision-Making among Interdependent Organizations , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[8] Dan Boneh,et al. Stronger Password Authentication Using Browser Extensions , 2005, USENIX Security Symposium.

[9] John C. Mitchell,et al. Client-Side Defense Against Web-Based Identity Theft , 2004, NDSS.

[10] H. Kunreuther,et al. You Only Die Once: Managing Discrete Interdependent Risks , 2003 .

[11] Hal R. Varian,et al. System Reliability and Free Riding , 2004, Economics of Information Security.

[12] L. J. Camp. Pricing Security , 2000 .

[13] Tyler Moore,et al. Information Security Economics - and Beyond , 2007, DEON.