
Modeling Internet Security Investments: Tackling Topological Information Uncertainty

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7037)

Abstract

Modern distributed communication networks like the Internet are characterized by nodes (Internet users) interconnected with one another via communication links. In this regard, the security of individual nodes depends not only on their own efforts, but also on the efforts and underlying connectivity structure of neighboring network nodes. By the term ‘effort’, we mean the amount of investment made by a user in security mechanisms like antivirus software, firewalls, etc., to improve his security. However, due to the large scale of such networks, it is often not possible for nodes to have complete effort and connectivity structure information about all their neighbor nodes. Added to this is the fact that in many applications, Internet users are selfish and unwilling to cooperate with other users on sharing effort information.

In this paper, we adopt a non-cooperative game-theoretic approach to analyze individual user security in a communication network by accounting for both the partial information that a network node possesses about its underlying neighborhood connectivity structure and the security investments of its neighbors, and the presence of positive externalities arising from efforts exerted by neighboring nodes. We analyze the strategic interactions between Internet users on their security investments in order to investigate the equilibrium behavior of nodes and show (i) the existence of monotonic symmetric Bayesian Nash equilibria of efforts and (ii) that better connected Internet users choose lower efforts to exert but earn higher utilities than less connected peers with respect to security improvement when user utility functions exhibit strategic substitutes, i.e., are submodular. Our results extend previous work with respect to tackling topological information uncertainty, and provide useful insights to Internet users on investing appropriately (from the perspective of improving payoffs) in security mechanisms under realistic environments of effort and topological information uncertainty, in order to improve system security and welfare. We also discuss the implications of our results on the parameters of risk management techniques like cyber-insurance, and compare the user investment behavior in the incomplete information case with the case when users have increased topological information of their network.



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pal, R., Hui, P. (2011). Modeling Internet Security Investments: Tackling Topological Information Uncertainty. In: Baras, J.S., Katz, J., Altman, E. (eds) Decision and Game Theory for Security. GameSec 2011. Lecture Notes in Computer Science, vol 7037. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25280-8_18

  • DOI: https://doi.org/10.1007/978-3-642-25280-8_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25279-2

  • Online ISBN: 978-3-642-25280-8

  • eBook Packages: Computer Science, Computer Science (R0)