ABSTRACT
Despite general awareness of the importance of keeping one's systems secure, and the widespread availability of consumer security technologies, actual investment in security remains highly variable across the Internet population, allowing attacks such as distributed denial-of-service (DDoS) and spam distribution to continue unabated. We model security investment decision-making in established games (e.g., weakest-link, best-shot) and in novel ones (e.g., weakest-target, in which the attacker goes after the least-protected players), letting each player split expenditure between self-protection and self-insurance technologies. Protection is a public good, since one player's effort changes the loss probability faced by the others, whereas insurance is a private good that only reduces the insured player's own loss; we examine how incentives shift between the two subject to factors such as network size, type of attack, loss probability, loss magnitude, and cost of technology. We also characterize Nash equilibria and social optima for different classes of attacks and defenses. In the weakest-target game, an interesting result is that, for almost all parameter settings, more effort is exerted at Nash equilibrium than at the social optimum. We attribute this to the "strategic uncertainty" of players who each try to self-protect at just slightly above the lowest protection level, without knowing where that level lies.
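The investment model the abstract describes, as an added worked example (this is illustration code written for this page, not the paper's own model or code). It assumes a specific cost function, expected cost = p*L*(1 - s)*(1 - H) + b*e + c*s, a specific contribution function H for each game (min effort for weakest-link, max effort for best-shot, and "safe if and only if strictly above the lowest effort" for weakest-target), a coarse strategy grid, and the parameter values N = 3, p = 0.5, L = 10, b = 3, c = 4; all of these are assumptions chosen so that the equilibrium and social-optimum computations can be checked by hand. The functions `contribution`, `cost`, `is_nash`, `symmetric_nash_equilibria`, `social_optimum`, `best_response_dynamics` and `average_total_effort` are names introduced here.

```python
"""Stylised simulation of the security-investment games in the abstract.

N players each pick a self-protection effort e_i and a self-insurance level
s_i from a coarse grid. A loss of size L hits with probability p. Protection
is the public good: how much it helps depends on the whole profile through a
game-specific contribution function H_i. Insurance is the private good: it
only shrinks the loss of the player who bought it.

Expected cost of player i:   p*L*(1 - s_i)*(1 - H_i) + b*e_i + c*s_i

Functional forms, grid and parameter values are assumptions made for this
illustration, not the paper's own.
"""
from itertools import product

N = 3                      # network size (assumed)
P, L = 0.5, 10.0           # loss probability and magnitude: expected unprotected loss p*L = 5
B, C = 3.0, 4.0            # cost of full protection (e = 1) and of full insurance (s = 1)
EPS = 1e-9                 # tolerance so exact ties on the grid are treated as ties

EFFORT = [k / 10 for k in range(11)]      # e in {0, 0.1, ..., 1}
INSURANCE = [0.0, 0.5, 1.0]               # cost is linear in s, so optima sit at 0 or 1 anyway
OPTIONS = [(e, s) for e in EFFORT for s in INSURANCE]


def contribution(game, i, efforts):
    """H_i: fraction of the loss probability removed for player i by the profile."""
    if game == "weakest-link":    # everyone is only as safe as the least protected player
        return min(efforts)
    if game == "best-shot":       # one well-protected player shields everyone
        return max(efforts)
    if game == "weakest-target":  # attacker hits whoever is least protected; the rest escape
        return 1.0 if efforts[i] > min(efforts) else 0.0
    raise ValueError(game)


def cost(game, i, profile):
    """Expected cost of player i: residual loss plus protection and insurance spend."""
    efforts = [e for e, _ in profile]
    e_i, s_i = profile[i]
    return P * L * (1 - s_i) * (1 - contribution(game, i, efforts)) + B * e_i + C * s_i


def total_cost(game, profile):
    return sum(cost(game, i, profile) for i in range(len(profile)))


def _with(profile, i, opt):
    return profile[:i] + (opt,) + profile[i + 1:]


def best_response(game, i, profile):
    """Cheapest (e, s) for player i holding the others fixed; ties go to the lowest option."""
    return min(OPTIONS, key=lambda opt: (round(cost(game, i, _with(profile, i, opt)), 9), opt))


def is_nash(game, profile):
    """Pure-strategy Nash equilibrium: no player can strictly lower its cost alone."""
    return all(
        cost(game, i, _with(profile, i, best_response(game, i, profile))) >= cost(game, i, profile) - EPS
        for i in range(len(profile))
    )


def symmetric_nash_equilibria(game):
    """Symmetric pure equilibria, i.e. every player choosing the same (e, s)."""
    return [opt for opt in OPTIONS if is_nash(game, (opt,) * N)]


def social_optimum(game):
    """Profile minimising the sum of all costs (brute force, exponential in N)."""
    best = min(product(OPTIONS, repeat=N), key=lambda prof: (round(total_cost(game, prof), 9), prof))
    return best, total_cost(game, best)


def best_response_dynamics(game, start, max_rounds=50):
    """Players revise in turn. Returns the pure equilibrium reached, or None if play
    keeps changing (as in the weakest-target game, which has no pure equilibrium here)."""
    profile = start
    for _ in range(max_rounds):
        before = profile
        for i in range(N):
            profile = _with(profile, i, best_response(game, i, profile))
        if profile == before:
            return profile
    return None


def average_total_effort(game, start, rounds=30):
    """Mean total protection effort per round under best-response play, converged or not."""
    profile, acc = start, 0.0
    for _ in range(rounds):
        for i in range(N):
            profile = _with(profile, i, best_response(game, i, profile))
        acc += sum(e for e, _ in profile)
    return acc / rounds


if __name__ == "__main__":
    start = ((0.0, 0.0),) * N
    for game in ("weakest-link", "best-shot", "weakest-target"):
        opt_profile, opt_total = social_optimum(game)
        print(game)
        print("  symmetric pure NE:", symmetric_nash_equilibria(game))
        print("  social optimum:", opt_profile, "total cost", round(opt_total, 2),
              "is NE" if is_nash(game, opt_profile) else "is NOT NE")
        print("  best-response play from zero:", best_response_dynamics(game, start),
              "avg total effort", round(average_total_effort(game, start), 2))
```

With these assumed parameters the three games behave as the abstract's framing suggests. Weakest-link has several symmetric pure equilibria, including the socially optimal one (everyone fully protects, total cost 9) and an inefficient one in which nobody protects and everyone buys insurance (total cost 12); best-response play from zero effort lands in the inefficient one. Best-shot has no symmetric pure equilibrium: the equilibrium is one full protector plus free-riders, which is also the social optimum here. Weakest-target has no pure equilibrium at all: each player's best response is to sit one grid step above the lowest effort, so best-response play escalates to full protection, collapses when the cheapest remaining move is to drop out and insure, and then starts over, with average total effort far above the 0.2 that the social optimum (one insured "scapegoat", the rest one step above) spends. That cycling is the discrete-grid counterpart of the strategic uncertainty the abstract points to.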
Secure or insure?: a game-theoretic analysis of information security games