Individuals in computer networks not only have to invest to secure their private resources from potential attackers, but must also be aware of the interdependencies that exist with other network participants. Indeed, a user's security is frequently negatively impacted by protection failures of even just one other individual, the weakest link. In this paper, we are interested in the impact of bounded rationality and limited information on user payoffs and strategies in the presence of strong weakest-link externalities. As a first contribution, we address the problem of bounded rationality by proposing a simple but novel modeling approach. We anticipate the vast majority of users to be unsophisticated and to apply approximate decision rules that fail to accurately appreciate the impact of their decisions on others. Expert agents, on the other hand, fully comprehend the extent to which their own and others' security choices affect the network as a whole, and respond rationally. The second contribution of this paper is to address how the security choices by users are mediated by the information available on the severity of the threats the network faces. We assume that each individual faces a randomly drawn probability of being subject to a direct attack. We study how the decisions of the expert user differ if all draws are common knowledge, compared to a scenario where this information is only privately known. We further propose a metric to quantify the value of the information available: the payoff difference between complete and incomplete information conditions, divided by the payoff under the incomplete information condition. We study this ratio metric graphically and isolate parameter regions where being more informed creates a payoff advantage for the expert agent.