Blue versus Red: Towards a model of distributed security attacks
- PROCEEDINGS OF THE THIRTEENTH INTERNATIONAL CONFERENCE FINANCIAL CRYPTOGRAPHY AND DATA SECURITY, 2009
Cited by 10 (1 self)
This paper analyzes the threat of distributed attacks by developing a two-sided multiplayer model of security in which attackers aim to deny service and defenders strategize to secure their assets. Attackers benefit from the successful compromise of target systems, however, may suffer penalties for increased attack activity. Defenders weigh the likelihood of an attack against the cost of security. We model security decision-making in established (e.g., weakest-link, best-shot) and novel games (e.g., weakest target), and allow defense expenditures in protection and self-insurance technologies. We find that strategic attackers launch attacks only if defenders do not invest in protective measures. Therefore, the threat of protection can be enough to deter an attacker, but as the number of attackers grows, this equilibrium becomes increasingly unstable.
Uncertainty in the weakest-link security game
- In Proceedings of the International Conference on Game Theory for Networks (GameNets 2009), 2009
Cited by 4 (1 self)
Abstract — Individuals in computer networks not only have to invest to secure their private resources from potential attackers, but have to be aware of the existing interdependencies that exist with other network participants. Indeed, a user’s security is frequently negatively impacted by protection failures of even just one other individual, the weakest link. In this paper, we are interested in the impact of bounded rationality and limited information on user payoffs and strategies in the presence of strong weakest-link externalities. As a first contribution, we address the problem of bounded rationality by proposing a simple but novel modeling approach. We anticipate the vast majority of users to be unsophisticated and to apply approximate decision-rules that fail to accurately appreciate the impact of their decisions on others. Expert agents, on the other hand, fully comprehend to which extent their own and others’ security choices affect the network as a whole, and respond rationally. The second contribution of this paper is to address how the security choices by users are mediated by the information available on the severity of the threats the network faces. We assume that each individual faces a randomly drawn probability of being subject to a direct attack. We study how the decisions of the expert user differ if all draws are common knowledge, compared to a scenario where this information is only privately known. We further propose a metric to quantify the value of information available: the payoff difference between complete and incomplete information conditions, divided by the payoff under the incomplete information condition. We study this ratio metric graphically and isolate parameter regions where being more informed creates a payoff advantage for the expert agent.
Towards a Cooperative Defense Model Against Network Security Attacks
Abstract. It is widely acknowledged that internet security issues can be handled better through cooperation rather than competition. We introduce a game theoretic cooperative model against network security attacks, where users form coalitions and invest in joint protection. We analyze coalition formation in three canonical security games described in a previous work by Grossklags et al. Our findings reveal that the success of cooperative security efforts depends on the nature of the attack and the attitude of the defenders.
Nash Equilibria for Weakest Target Security Games with Heterogeneous Agents
Abstract. Motivated attackers cannot always be blocked or deterred. In the physical-world security context, examples include suicide bombers and sexual predators. In computer networks, zero-day exploits unpredictably threaten the information economy and end users. In this paper, we study the conflicting incentives of individuals to act in the light of such threats. More specifically, in the weakest target game an attacker will always be able to compromise the agent (or agents) with the lowest protection level, but will leave all others unscathed. We find the game to exhibit a number of complex phenomena. It does not admit pure Nash equilibria, and when players are heterogeneous in some cases the game does not even admit mixed-strategy equilibria. Most outcomes from the weakest-target game are far from ideal. In fact, payoffs for most players in any Nash equilibrium are far worse than in the game’s social optimum. However, under the rule of a social planner, average security investments are extremely low. The game thus leads to a conflict between pure economic interests, and common social norms that imply that higher levels of security are always desirable.
Uncertainty in Interdependent Security Games
Abstract. Even the most well-motivated models of information security have application limitations due to the inherent uncertainties involving risk. This paper exemplifies a formal mechanism for resolving this kind of uncertainty in interdependent security (IDS) scenarios. We focus on a single IDS model involving a computer network, and adapt the model to capture a notion that players have only a very rough idea of security threats and underlying structural ramifications. We formally resolve uncertainty by means of a probability distribution on risk parameters that is common knowledge to all players. To illustrate how this approach might yield fruitful applications, we postulate a well-motivated distribution, compute Bayesian Nash equilibria and tipping conditions for the derived model, and compare these with the analogous conditions for the original IDS model.
Network Security Games: Combining Game Theory, Behavioral Economics, and Network Measurements
Computer and information networks are a prime example of an environment where negative externalities abound, particularly when it comes to implementing security defenses. A typical example is that of denial-of-service prevention: ingress filtering, where attack traffic gets discarded by routers close to the perpetrators, is in principle an excellent remedy, as it prevents harmful traffic not only from reaching the victims, but also from burdening the network situated between attacker and target. However, with ingress filtering, the entities (at the ingress) that have to invest in additional filtering are not the ones (at the egress) who mostly benefit from the investment, and may not have any incentive to participate in the scheme. As this example illustrates, it is important to understand the incentives of the different participants to a network, so that we can design schemes or intervention mechanisms to re-align them with a desirable outcome. Game theory offers a solid bedrock for formally assessing the incentives of noncooperative participants. In this talk, I will start by discussing a framework for network security games [4,5] that we devised to help model how rational, individual, end-users would respond to security threats in large-scale networks. We decouple security
Modeling Internet Security Investments Tackling Topological Information Uncertainty
Abstract. Modern distributed communication networks like the Internet are characterized by nodes (Internet users) interconnected with one another via communication links. In this regard, the security of individual nodes depends not only on their own efforts, but also on the efforts and underlying connectivity structure of neighboring network nodes. By the term ‘effort’, we imply the amount of investments made by a user in security mechanisms like antivirus softwares, firewalls, etc., to improve his security. However, often due to the large magnitude of such networks, it is not always possible for nodes to have complete effort and connectivity structure information about all their neighbor nodes. Added to this is the fact that in many applications, the Internet users are selfish and are not willing to co-operate with other users on sharing effort information. In this paper, we adopt a non-cooperative game-theoretic approach to analyze individual user security in a communication network by accounting for both, the partial information that a network node possesses about its
Aegis A Novel Cyber-Insurance Model
Abstract. Recent works on Internet risk management have proposed the idea of cyber-insurance to eliminate risks due to security threats, which cannot be tackled through traditional means such as by using antivirus and antivirus softwares. In reality, an Internet user faces risks due to security attacks as well as risks due to non-security related failures (e.g., reliability faults in the form of hardware crash, buffer overflow, etc.). These risk types are often indistinguishable by a naive user. However, a cyber-insurance agency would most likely insure risks only due to security attacks. In this case, it becomes a challenge for an Internet user to choose the right type of cyber-insurance contract as traditional optimal contracts, i.e., contracts for security attacks only, might prove to be sub-optimal for himself. In this paper, we address the problem of analyzing cyber-insurance solutions when a user faces risks due to both, security as well as non-security related failures. We propose Aegis, a simple and novel cyber-insurance model in which the user accepts a fraction (strictly positive) of loss recovery on himself and transfers rest of the loss recovery on the cyber-insurance agency. We mathematically show that only under conditions when buying cyber-insurance is mandatory, given an option, risk-averse Internet users would prefer Aegis contracts to traditional cyber-insurance contracts, under all premium types. This result firmly establishes the non-existence of traditional cyber-insurance markets when Aegis contracts are offered to users. We also derive an interesting counterintuitive result related to the Aegis framework: we show that an increase (decrease) in the premium of an Aegis contract may not always lead to decrease (increase) in its user demand. In the process, we also state the conditions under which the latter trend and its converse emerge.
Our work proposes a new model of cyber-insurance for Internet security that extends all previous related models by accounting for the extra dimension of non-insurable risks. Aegis also incentivizes Internet users to take up more personal responsibility for protecting their systems.
When Information Improves Information Security (Extended version)
, 2009
We investigate a mixed economy of an individual rational expert and several naïve near-sighted agents in the context of security decision making. Agents select between three canonical security actions to navigate the complex security risks of weakest-link, best shot and total effort interdependencies. We further study the impact of two information conditions on agents’ choices. We provide a detailed overview of a methodology to effectively determine and compare strategies and payoffs between the different regimes. To analyze the impact of the different information conditions we propose a new formalization. We define the price of uncertainty as the ratio of the expected payoff in the complete information environment over the payoff in the incomplete information environment.

