A Survey of Interdependent Information Security Games

Risks faced by information system operators and users are not only determined by their own security posture, but are also heavily affected by the security-related decisions of others. This interdependence between information system operators and users is a fundamental property that shapes the efficiency of security defense solutions. Game theory is the most appropriate method to model the strategic interactions between these participants. In this survey, we summarize game-theoretic interdependence models, characterize the emerging security inefficiencies, and present mechanisms to improve the security decisions of the participants. We focus our attention on games with interdependent defenders and do not discuss two-player attacker-defender games. Our goal is to distill the main insights from the state of the art and to identify the areas that need more attention from the research community.
