Becoming Cybercriminals: Incentives in Networks with Interdependent Security

  • Conference paper
Decision and Game Theory for Security (GameSec 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9996)

Abstract

We study users’ incentives to become cybercriminals when network security is interdependent. We present a game-theoretic model in which each player (i.e., network user) decides his type, honest or malicious. Honest users represent law-abiding network users, while malicious users represent cybercriminals. After deciding on their types, the users make their security choices. We will follow [29], where breach probabilities for large-scale networks are obtained from a standard interdependent security (IDS) setup. In large-scale IDS networks, the breach probability of each player becomes a function of two variables: the player’s own security action and network security, which is an aggregate characteristic of the network; network security is computed from the security actions of the individual nodes that comprise the network. This allows us to quantify user security choices in networks with IDS even when users have only very limited, aggregate information about security choices of other users of the network.

Notes

  1. For example, in [4, 18, 22], cybercrime is approached from a value-chain perspective.

  2. In other words, the Inada conditions hold.

  3. If (52) holds for all \(M\in [1,N-1]\), we let \(\tilde{M}=0\).

References

  1. Acemoglu, D., Malekian, A., Ozdaglar, A.: Network security and contagion. Working Paper 19174, National Bureau of Economic Research. http://www.nber.org/papers/w19174

  2. Anderson, R., Moore, T.: The economics of information security. Science 314(5799), 610–613 (2006)

  3. Anderson, R., Barton, C., Böhme, R., Clayton, R., Van Eeten, M.J., Levi, M., Moore, T., Savage, S.: Measuring the cost of cybercrime. In: Böhme, R. (ed.) The Economics of Information Security and Privacy, pp. 265–300. Springer, Heidelberg (2013)

  4. Asghari, H., Van Eeten, M., Arnbak, A., Van Eijk, N.: Security economics in the HTTPS value chain. In: 12th Workshop on the Economics of Information Security (WEIS) (2013)

  5. Aspnes, J., Chang, K., Yampolskiy, A.: Inoculation strategies for victims of viruses and the sum-of-squares partition problem. In: Proceedings of the 16th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pp. 43–52. SIAM (2005)

  6. Aspnes, J., Chang, K., Yampolskiy, A.: Inoculation strategies for victims of viruses and the sum-of-squares partition problem. J. Comput. Syst. Sci. 72(6), 1077–1093 (2006)

  7. Fultz, N., Grossklags, J.: Blue versus red: towards a model of distributed security attacks. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 167–183. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03549-4_10

  8. Grossklags, J., Christin, N., Chuang, J.: Secure or insure?: a game-theoretic analysis of information security games. In: Proceedings of the 17th International Conference on World Wide Web (WWW), pp. 209–218. ACM (2008)

  9. Hausken, K.: Income, interdependence, and substitution effects affecting incentives for security investment. J. Account. Public Policy 25(6), 629–665 (2006)

  10. Heal, G., Kunreuther, H.: Interdependent security: a general model. Technical report, Working Paper 10706, National Bureau of Economic Research (2004)

  11. Heal, G., Kunreuther, H.: Modeling interdependent risks. Risk Anal. 27(3), 621–634 (2007)

  12. Honeyman, P., Schwartz, G., Assche, A.V.: Interdependence of reliability and security. In: 6th Workshop on the Economics of Information Security (WEIS) (2007)

  13. Johnson, B., Grossklags, J., Christin, N., Chuang, J.: Uncertainty in interdependent security games. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 234–244. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17197-0_16

  14. Johnson, B., Laszka, A., Grossklags, J.: The complexity of estimating systematic risk in networks. In: Proceedings of the 27th IEEE Computer Security Foundations Symposium (CSF), pp. 325–336 (2014)

  15. Khouzani, M.R., Sen, S., Shroff, N.B.: An economic analysis of regulating security investments in the internet. In: Proceedings of the 32nd IEEE International Conference on Computer Communications (INFOCOM), pp. 818–826. IEEE (2013)

  16. Knowles, W., Prince, D., Hutchison, D., Disso, J.F.P., Jones, K.: A survey of cyber security management in industrial control systems. Int. J. Crit. Infrastruct. Prot. 9, 52–80 (2015)

  17. Konradt, C., Schilling, A., Werners, B.: Phishing: an economic analysis of cybercrime perpetrators. Comput. Secur. 58, 39–46 (2016). http://www.sciencedirect.com/science/article/pii/s0167404815001844

  18. Kraemer-Mbula, E., Tang, P., Rush, H.: The cybercrime ecosystem: online innovation in the shadows? Technol. Forecast. Soc. Change 80(3), 541–555 (2013). Future-Oriented Technology Analysis. http://www.sciencedirect.com/science/article/pii/S0040162512001710

  19. Kunreuther, H., Heal, G.: Interdependent security. J. Risk Uncertain. 26(2–3), 231–249 (2003)

  20. Laszka, A., Felegyhazi, M., Buttyan, L.: A survey of interdependent information security games. ACM Comput. Surv. 47(2), 1–38 (2014)

  21. Laszka, A., Johnson, B., Grossklags, J., Felegyhazi, M.: Estimating systematic risk in real-world networks. In: Proceedings of the 18th International Conference on Financial Cryptography and Data Security (FC), pp. 417–435 (2014)

  22. Levchenko, K., Pitsillidis, A., Chachra, N., Enright, B., Félegyházi, M., Grier, C., Halvorson, T., Kanich, C., Kreibich, C., Liu, H., et al.: Click trajectories: end-to-end analysis of the spam value chain. In: Proceedings of the 32nd IEEE Symposium on Security and Privacy (S&P), pp. 431–446. IEEE (2011)

  23. Moscibroda, T., Schmid, S., Wattenhofer, R.: When selfish meets evil: Byzantine players in a virus inoculation game. In: Proceedings of the 25th Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 35–44. ACM (2006)

  24. Öğüt, H., Menon, N., Raghunathan, S.: Cyber insurance and IT security investment: impact of interdependence risk. In: 4th Workshop on the Economics of Information Security (WEIS) (2005)

  25. Öğüt, H., Raghunathan, S., Menon, N.: Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Anal. 31(3), 497–512 (2011)

  26. Olson, M.: The Rise and Decline of Nations: Economic Growth, Stagflation, and Social Rigidities. Yale University Press, New Haven (2008)

  27. Olson, M.: The Logic of Collective Action, vol. 124. Harvard University Press, Cambridge (2009)

  28. PricewaterhouseCoopers: Insurance 2020 & beyond: reaping the dividends of cyber resilience (2015). http://www.pwc.com/insurance. Accessed 16 June 2016

  29. Schwartz, G.A., Sastry, S.S.: Cyber-insurance framework for large scale interdependent networks. In: Proceedings of the 3rd International Conference on High Confidence Networked Systems (HiCoNS), pp. 145–154. ACM (2014)

  30. Symantec: Emerging threat: Dragonfly/Energetic Bear - APT group. Symantec Connect. http://www.symantec.com/connect/blogs/emerging-threat-dragonfly-energetic-bear-apt-group. Accessed 16 Feb 2016

  31. Tullock, G.: The welfare costs of tariffs, monopolies, and theft. Econ. Inq. 5(3), 224–232 (1967)

  32. Varian, H.: System reliability and free riding. In: Camp, L.J., Lewis, S. (eds.) Economics of Information Security, pp. 1–15. Springer, New York (2004)

Acknowledgment

This work was supported in part by FORCES (Foundations Of Resilient CybEr-Physical Systems), which receives support from the National Science Foundation (NSF award numbers CNS-1238959, CNS-1238962, CNS-1239054, CNS-1239166).

Author information

Corresponding author

Correspondence to Aron Laszka.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Laszka, A., Schwartz, G. (2016). Becoming Cybercriminals: Incentives in Networks with Interdependent Security. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds) Decision and Game Theory for Security. GameSec 2016. Lecture Notes in Computer Science, vol 9996. Springer, Cham. https://doi.org/10.1007/978-3-319-47413-7_20

  • DOI: https://doi.org/10.1007/978-3-319-47413-7_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47412-0

  • Online ISBN: 978-3-319-47413-7

  • eBook Packages: Computer Science (R0)
