Secure or insure?: a game-theoretic analysis of information security games

Despite general awareness of the importance of keeping one's system secure, and the widespread availability of consumer security technologies, actual investment in security remains highly variable across the Internet population, allowing attacks such as distributed denial-of-service (DDoS) and spam distribution to continue unabated. By modeling security investment decision-making in established games (e.g., weakest-link, best-shot) and novel ones (e.g., weakest-target), and allowing expenditures in self-protection versus self-insurance technologies, we can examine how incentives may shift between investment in a public good (protection) and a private good (insurance), subject to factors such as network size, type of attack, loss probability, loss magnitude, and cost of technology. We can also characterize Nash equilibria and social optima for different classes of attacks and defenses. In the weakest-target game, an interesting result is that, for almost all parameter settings, more effort is exerted at Nash equilibrium than at the social optimum. We attribute this to the "strategic uncertainty" of players seeking to self-protect at just slightly above the lowest protection level.
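As an added illustration (not code from the paper), the three games named above can be made concrete on a small discrete strategy grid. The payoff form is an assumption chosen for the example: each player picks a protection effort and whether to self-insure, and an attack of probability p and loss L is scaled by a game-specific exposure term; brute-force enumeration then yields the pure-strategy Nash equilibria and the welfare-maximising profile, showing free-riding in best-shot and, in weakest-target, a best-response cycle with no pure equilibrium while the social optimum sacrifices one node.

```python
from itertools import product

# Assumed payoff structure (illustration, not the paper's exact formulation):
# player i picks protection effort e_i and self-insurance s_i; an attack with
# probability p causes loss L, scaled by an exposure term H that depends on the game.
def exposure(game, i, efforts):
    """Exposure of player i to a successful attack, in [0, 1]."""
    if game == "weakest-link":    # network is only as safe as its least-protected node
        return 1.0 - min(efforts)
    if game == "best-shot":       # one well-protected node shields everyone
        return 1.0 - max(efforts)
    if game == "weakest-target":  # only the least-protected node(s) get compromised
        return 1.0 if efforts[i] == min(efforts) else 0.0
    raise ValueError(game)

def utility(game, i, efforts, insured, p, L, b, c, M=10.0):
    """Endowment M minus expected uninsured loss, protection cost and insurance cost."""
    loss = p * L * (1.0 - insured[i]) * exposure(game, i, efforts)
    return M - loss - b * efforts[i] - c * insured[i]

def payoffs(game, profile, p, L, b, c):
    """Payoff vector for a profile of (effort, insured) pairs, one per player."""
    efforts = [e for e, _ in profile]
    insured = [s for _, s in profile]
    return [utility(game, i, efforts, insured, p, L, b, c) for i in range(len(profile))]

def analyse(game, n, p, L, b, c, levels=(0.0, 0.5, 1.0)):
    """Brute-force pure Nash equilibria and the welfare-maximising profile."""
    strategies = list(product(levels, (0.0, 1.0)))   # (effort, insure?) choices
    profiles = list(product(strategies, repeat=n))
    nash = []
    for prof in profiles:
        base = payoffs(game, prof, p, L, b, c)
        def improves(i, alt):
            dev = list(prof)
            dev[i] = alt
            return payoffs(game, dev, p, L, b, c)[i] > base[i] + 1e-9
        if not any(improves(i, alt) for i in range(n) for alt in strategies):
            nash.append(prof)
    optimum = max(profiles, key=lambda pr: sum(payoffs(game, pr, p, L, b, c)))
    return nash, optimum

if __name__ == "__main__":
    for game in ("weakest-link", "best-shot", "weakest-target"):
        nash, opt = analyse(game, n=2, p=0.5, L=10.0, b=3.0, c=4.0)
        print(game, "pure NE:", nash, "social optimum:", opt)
```

With the constructed parameters (two players, p=0.5, L=10, b=3, c=4) the weakest-target grid has no pure equilibrium, which is the discrete analogue of the strategic uncertainty the abstract describes.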
