A Linear Quadratic Differential Game Approach to Dynamic Contract Design for Systemic Cyber Risk Management under Asymmetric Information

In this paper, we consider a delegated dynamic systemic cyber risk management problem between a resource owner (the principal) and a risk manager (the agent). The principal can only observe the cyber risk outcomes of the network, not the effort that the agent spends on protecting the resources. Under this asymmetric information, the principal aims to minimize the systemic cyber risk by designing a dynamic contract that specifies the compensation flows and the anticipated efforts of the manager, taking into account the agent's incentives and rational behavior. We formulate a bi-level mechanism design problem for dynamic contract design, which can be seen as a special class of differential games. We show that the principal has rational controllability of the systemic risk by designing an incentive-compatible estimator of the agent's hidden efforts. We characterize the optimal mechanism design by reformulating the problem as a stochastic optimal control program and derive the solution explicitly. We further reveal a separation principle for dynamic risk management, under which the effort estimation and the compensation design can be carried out separately.
