Abstract
Modern distributed communication networks like the Internet are characterized by nodes (Internet users) interconnected with one another via communication links. In this regard, the security of individual nodes depends not only on their own efforts, but also on the efforts and underlying connectivity structure of neighboring network nodes. By the term ‘effort’, we mean the amount of investment made by a user in security mechanisms like antivirus software, firewalls, etc., to improve his security. However, due to the large size of such networks, it is not always possible for nodes to have complete effort and connectivity structure information about all their neighbor nodes. Added to this is the fact that in many applications, Internet users are selfish and are not willing to co-operate with other users on sharing effort information.
In this paper, we adopt a non-cooperative game-theoretic approach to analyze individual user security in a communication network by accounting for both the partial information that a network node possesses about its underlying neighborhood connectivity structure and the security investment of its neighbors, as well as the presence of positive externalities arising from efforts exerted by neighboring nodes. We analyze the strategic interactions between Internet users on their security investments in order to investigate the equilibrium behavior of nodes and show (i) the existence of monotonic symmetric Bayesian Nash equilibria of efforts and (ii) that better connected Internet users choose lower efforts to exert but earn higher utilities than less connected peers with respect to security improvement when user utility functions exhibit strategic substitutes, i.e., are submodular. Our results extend previous work with respect to tackling topological information uncertainty, and provide useful insights to Internet users on appropriately (from a payoff-improvement perspective) investing in security mechanisms under realistic environments of effort and topological information uncertainty, in order to improve system security and welfare. We also discuss the implications of our results on the parameters of risk management techniques like cyber-insurance, and compare the user investment behavior in the incomplete information case with the case when users have increased topological information of their network.
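Results (i) and (ii) can be seen in a small computation. The following is an added example, not code or a model from the paper: it assumes a binary "best-shot" game (a standard strategic-substitutes setting) in which a node is protected if it or any neighbor invests, investing costs `cost`, and each neighbor's degree is drawn independently from a known distribution. The function names, the sample distribution and the cost are constructed for illustration.

```python
def symmetric_bne(neighbor_degree_dist, cost):
    """Symmetric Bayesian Nash equilibrium of a binary best-shot security game.

    Assumed model (not the paper's): a node is protected (benefit 1) if it or
    any neighbor invests; investing costs `cost` in (0, 1). A node knows only
    its own degree k >= 1 and believes each neighbor's degree is drawn
    independently from `neighbor_degree_dist` ({degree: probability > 0}).
    Returns (sigma, p): sigma[k] is the probability that a degree-k node
    invests, p the probability that a randomly chosen neighbor invests.
    """
    sigma, below, p = {}, 0.0, None
    for k in sorted(neighbor_degree_dist):
        q = neighbor_degree_dist[k]
        if p is not None:            # above the threshold degree: free-ride
            sigma[k] = 0.0
            continue
        # Degree k is indifferent when (1 - p)**k == cost.
        p_indifferent = 1.0 - cost ** (1.0 / k)
        mix = (p_indifferent - below) / q
        if mix >= 1.0:               # prefers investing even if all degrees <= k invest
            sigma[k] = 1.0
            below += q
        else:                        # threshold degree: mixes, or abstains if mix <= 0
            sigma[k] = max(mix, 0.0)
            p = below + sigma[k] * q
    return sigma, p


def expected_utility(k, sigma_k, p, cost):
    """Equilibrium payoff of a degree-k node that invests with probability sigma_k."""
    invest = 1.0 - cost
    free_ride = 1.0 - (1.0 - p) ** k   # protected if at least one neighbor invests
    return sigma_k * invest + (1.0 - sigma_k) * free_ride


# Constructed sample beliefs about a neighbor's degree (not data from the paper).
SAMPLE_DIST = {1: 0.2, 2: 0.3, 3: 0.3, 4: 0.2}
SAMPLE_COST = 0.36

if __name__ == "__main__":
    sigma, p = symmetric_bne(SAMPLE_DIST, SAMPLE_COST)
    for k in sorted(SAMPLE_DIST):
        u = expected_utility(k, sigma[k], p, SAMPLE_COST)
        print(f"degree {k}: invest prob {sigma[k]:.3f}, expected utility {u:.3f}")
```

In the sample, investment probability falls with degree while expected utility rises, which is the monotone pattern the abstract states for strategic substitutes.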
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pal, R., Hui, P. (2011). Modeling Internet Security Investments: Tackling Topological Information Uncertainty. In: Baras, J.S., Katz, J., Altman, E. (eds) Decision and Game Theory for Security. GameSec 2011. Lecture Notes in Computer Science, vol 7037. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25280-8_18
DOI: https://doi.org/10.1007/978-3-642-25280-8_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25279-2
Online ISBN: 978-3-642-25280-8
eBook Packages: Computer Science, Computer Science (R0)