Secure or insure: an economic analysis of security interdependencies and investment types

  • Authors:
  • John Chuang; Jens Grossklags

  • Affiliations:
  • University of California, Berkeley; University of California, Berkeley

  • Venue:
  • Secure or insure: an economic analysis of security interdependencies and investment types
  • Year:
  • 2009

Abstract

Computer users express a strong desire to prevent attacks, and to reduce the losses from computer and information security breaches. However, despite the widespread availability of various technologies, actual investments in security remain highly variable across the Internet population. As a result, attacks such as distributed denial-of-service and spam distribution continue to spread unabated. Users may struggle to respond vigorously because the effectiveness of security decisions is subject to strong interdependencies in a network, and different types of threats. In this dissertation, we address this complexity by analyzing investment decision-making in a unified framework of established games (i.e., weakest-link, best shot, and total effort) and novel games (e.g., weakest-target). We examine how incentives shift between investment opportunities in a cooperative good (protection) and a private good (self-insurance), subject to factors such as network size, type of attack, loss probability, loss magnitude, and cost of technology. We capture security weaknesses due to monocultures by analyzing decision-making for an economy of homogeneous, selfish and fully rational agents under complete information. We compare our analysis to the case of heterogeneous users modeling efforts for security diversity. The findings highlight circumstances where poorly aligned incentives lead to security failures, and how interventions may be helpful. Extending our analysis and relaxing assumptions on individuals' rationality, we consider the case of a single rational expert agent in an economy of nearsighted agents that under-appreciate the effect of security interdependencies. We further measure the value of information availability in the security context. Specifically, we introduce the price of uncertainty metric that quantifies the maximum discrepancy between the total expected payoffs for different information conditions. 
By evaluating the metric in different inter-dependency scenarios, we can determine which configurations can better accommodate limited information environments.