When Information Improves Information Security

This paper presents a formal, quantitative evaluation of the impact of bounded-rational security decision-making subject to limited information and externalities. We investigate a mixed economy of one individually rational expert and several naïve, near-sighted agents. We further model three canonical types of negative externalities (weakest-link, best-shot and total-effort), and study the impact of two information regimes on the threat level the agents face.
