The Price of Uncertainty in Security Games
Technical Report

Jens Grossklags (a), Benjamin Johnson (b), Nicolas Christin (b)

(a) School of Information, University of California, Berkeley, Berkeley, CA 94720
(b) Information Networking Institute & CyLab, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213
{johnson,nicolas}

May 3, 2009

Abstract

In the realm of information security, lack of information about other users' incentives in a network can lead to inefficient security choices and reductions in individuals' payoffs. We propose, contrast and compare three metrics for measuring the price of uncertainty due to the departure from the payoff-optimal security outcomes under complete information. Per the analogy with other efficiency metrics, such as the price of anarchy, we define the price of uncertainty as the maximum discrepancy in expected payoff in a complete information environment versus the payoff in an incomplete information environment. We consider difference, payoff-ratio, and cost-ratio metrics as canonical nontrivial measurements of the price of uncertainty. We conduct an algebraic, numerical, and graphical analysis of these metrics applied to different well-studied security scenarios proposed in prior work (i.e., best shot, weakest-link, and total effort). In these scenarios, we study how a fully rational expert agent could utilize the metrics to decide whether to gather information about the economic incentives of multiple nearsighted and naïve agents. We find substantial differences between the various metrics and evaluate their appropriateness for security choices in networked systems.

1 Introduction

The importance of the lack of information about security threats, response mechanisms, and associated expected losses and cost has long been identified in the computer science, risk management and economics communities. Granick, for example, argues that weaknesses in our understanding of the measurability of losses serve as an impediment in sentencing cybercrime offenders [3]. Swire adds that deterring fraudsters and criminals online is hampered if we cannot correctly aggregate their offenses across different jurisdictions [33]. The question arises: how much can defenders gain by investing in techniques or other efforts to improve information availability for decision-making? Swire's analysis foreshadows significant costs to create an information exchange for law enforcement that could support evidence gathering. Similarly, private organizations struggle with how to accumulate data about security risks and incidents in their respective industries. Past work has, for example, considered the role of intermediaries such as Information Sharing & Analysis Centers to create incentives for exchanging and disclosing data between companies. Researchers investigated under which conditions organizations are willing to contribute to an information pool about security breaches and investments when negative competitive effects may result from this cooperation [9, ]. In different contexts disclosure is not always voluntary and companies may question how much profit they squander when undesirable information is released. For example, other economics research explores the impact of mandated breach disclosures [4] or publication of software vulnerabilities [34] on the financial market value of corporations. Some work shows that the information gathering or disclosure effect is not always unambiguously positive or negative, respectively. Choi et al. [6], for example, present another model on mandatory disclosure of security vulnerabilities. They present scenarios in which disclosure is and is not welfare-improving.
This trade-off between cost and benefits of information gathering, sharing or disclosure reappears in many contexts. From a viewpoint of individual rationality it is decided based on the difference between how much the individual can learn and the advantage gained by attackers or competitors [3]. Our contribution is to propose and evaluate a set of generic metrics that are applicable to different security decision-making situations to help with this trade-off calculation. In particular, we are interested in quantifying the payoff differential that results from the changes in security choices given different information available. In economic terms we thereby refer to the differences in payoff that result from changes in the underlying information structure of the scenario, which makes explicit the nature of the utility of information to agents [3]. Specifically, we introduce the price of uncertainty metric that quantifies the maximum discrepancy in the total expected payoff between exactly two information conditions. Our terminology is made per analogy with Koutsoupias and Papadimitriou's price of anarchy []. We consider difference, payoff-ratio, and cost-ratio sub-metrics as canonical nontrivial measurements of the price of uncertainty. Since the possibilities for the economic formalization of information are vast, we illustrate our approach on a specific example. In our model for security choices, we assume that each agent faces a randomly drawn probability of being subject to a direct attack. We study how the decisions and payoffs of an individual agent differ if all draws are common knowledge, compared to a scenario where this information is only privately known []. We conduct this analysis within the framework of security games [4]. This allows us to understand the importance of the price of uncertainty across different canonical cases of interdependency: best shot, weakest-link and total effort [3]. In a recent extension of this work we distinguish between the roles of a fully rational expert agent and naïve end users. The latter conduct a simple self-centered cost-benefit analysis, and neglect interdependencies. In the current paper, we analyze the price of uncertainty from the perspective of the expert agent that fully comprehends the benefits of information in the context of the interrelationship with other naïve users []. This allows us to make a general observation. The value of information for the expert agent is always weakly positive [3] since naïve users do not strategize based on additional information. In this model, the price of uncertainty can depend on several different parameters: the cost of security measures, the magnitude of potential losses, the initial security budget or endowment, and the number of other naïve agents. We study the impact of these parameters algebraically, numerically and graphically. We show that a simple difference metric of the price of uncertainty increases linearly in losses, L, and decreases superlinearly in the number of agents, N. That is, only in the presence of extremely large losses would a decision-maker strictly prefer to explore the threat probabilities of other agents at a reasonable cost. We additionally present a ratio metric that is strictly decreasing in N. Interestingly, we demonstrate that this metric is independent of the magnitude of potential losses, L.
Finally, our third, purely cost-based metric suggests that it might lead to misleading conclusions about the necessity of information gathering by overemphasizing the need for action in the presence of relatively small costs. By evaluating the price of uncertainty for a range of parameters in different security scenarios, we can determine which configurations can accommodate limited information environments, i.e., when being less informed does not significantly jeopardize an expert user's payoff. We also provide a framework for future work in the area of analysis of the value of security-relevant information. For example, we believe that the game-theoretic analysis in specialized scenarios, e.g., intrusion detection games [4], and security patrol versus robber avoidance scenarios [8], can benefit from a substantiation of the significance of informational assumptions by studying the price of uncertainty.

In Section 2, we summarize the security games framework we developed in prior work, and detail our assumptions about agent behaviors and information conditions. We present the different metrics for the price of uncertainty and describe our analysis methodology in Section 3. We conduct our analysis and discuss the results in Section 4. Finally, we close with a discussion and concluding remarks in Section 5.

2 Decision Theoretic Model

Our study of the price of uncertainty is conducted within the context of a decision-theoretic security analysis that we have completed in prior work []. We studied the decision-making of a sophisticated expert agent who interacts with a group of users that follow a simple but reasonable rule-of-thumb strategy. The analysis in [] significantly differs from prior decision-theoretic approaches, which we summarize briefly in the following. Gordon and Loeb present a model that highlights the trade-off between perfect and cost-effective security []. They consider the protection of an information set that has an associated loss if compromised, a probability of attack, and a probability that an attack is successful. They show that an optimizing firm will not always defend highly vulnerable data, and will only invest a fraction of the expected loss. Cavusoglu et al. [] consider the decision-making problem of a firm when attack probabilities are externally given, compared to a scenario when the attacker is explicitly modeled as a strategic player in a game-theoretic framework. Their model shows that if the firm assumes that the attacker strategically responds, then in most considered cases its profit will increase. We next summarize the security games we analyze, which are an extension of models we previously proposed [4] to the case of an economy consisting of an expert user and several unsophisticated users.

2.1 Basic model

Self-protection and self-insurance. In practice, the action portfolio of a defender may include different options to prevent successful compromises and to limit losses that result from a breach. In Grossklags et al. [4] we provide a model that allows a decoupling of investments in the context of computer security. On the one hand, the perimeter can be strengthened with a higher self-protection investment (e.g., implementing or updating a firewall). On the other hand, the amount of losses can be reduced by introducing self-insurance technologies and practices (e.g., backup provisions). Formally, player i decides whether to invest in protection (e_i = 1) or not (e_i = 0). Similarly, each player can adopt a self-insurance technology (s_i = 1) or not (s_i = 0). In other words, e_i and s_i are two discrete decision variables. Discrete choice decision-making captures many practical security problems.
Examples include purchase and adoption investments as well as updating and patching of protection and self-insurance technologies [,,, 6]. We have further conducted a sensitivity analysis with respect to the discrete choice assumption and find that, for the study in the present paper, the only differences between the discrete and continuous cases (where e_i and s_i are continuous variables over the interval [0, 1], as opposed to mere binary variables) arise when there is strict equality between some of the terms in our case-specifying inequality conditions (see derivations in [] and in the Appendix). We believe that focusing on these boundary cases is of limited practical applicability, and could even be misleading. For comparison, we refer to our prior work where we considered the continuous case in a full information environment [4]. We further denote by b and c the cost of protection and self-insurance, respectively, which are homogeneous for the agent population. So, player i pays b e_i for protection and c s_i for self-insurance.

Interdependency. We focus in this work on tightly coupled networks [3]. In a tightly coupled network all defenders will face a loss if the condition of a security breach is fulfilled, whereas in a loosely coupled network consequences may differ for network participants. We denote H as a contribution function that characterizes the effect of e_i on agent i's utility U_i, subject to the protection levels chosen (contributed) by all other players. We require that H be defined for all values over [0, 1]. We distinguish three canonical cases that we discussed in depth in prior work [4]:

Best shot: H = max(e_i, e_-i).
Weakest-link: H = min(e_i, e_-i).
Total effort: H = (1/N) Σ_k e_k.

where, following common notation, e_-i denotes the set of protection levels chosen by players other than i.

Attack probabilities, network size and endowment. Each of N agents receives an endowment M. If she is attacked and compromised successfully she faces a loss L. We assume that each agent i draws an individual attack probability p_i (0 ≤ p_i ≤ 1) from a uniform random distribution. This models the heterogeneous preferences that attackers have for different targets, due to their economic, political, or reputational agenda. The choice of a uniform distribution ensures the analysis remains tractable, while already providing numerous insights. We conjecture that different distributions (e.g., power law) may also be appropriate in practice.

2.2 Player behavior

At the core of our analysis is the observation that expert and non-expert users differ in their understanding of the complexity of networked systems. Indeed, consumers' knowledge about risks and means of protection with respect to privacy and security can be quite varied [], and field surveys separate between high and low expertise users [3].

Sophisticated expert user. Advanced users can rely on their superior technical and structural understanding of computer security threats and defense mechanisms to analyze and respond to changes in the environment [7]. In the present context, expert users, for example, have less difficulty concluding that the goal to avoid censorship points is a best shot scenario, whereas the protection of a corporate network frequently suggests a weakest-link optimization problem [4]. Accordingly, a sophisticated user correctly understands her utility to be dependent on the interdependencies that exist in the network:

U_i = M - p_i L (1 - s_i)(1 - H(e_i, e_-i)) - b e_i - c s_i.

There is an ongoing debate whether researchers should assume full connectivity of a network graph given modern computer security threats such as worms and viruses. (Personal communication with Nicholas Weaver, ICSI.)

Naïve non-expert user. Average users underappreciate the interdependency of network security goals and threats [, 3]. We model the perceived utility of each naïve agent to only depend on the direct security threat and the individual investment in self-protection and self-insurance. The investment levels of other players are not considered in the naïve user's decision making, despite the existence of interdependencies. We define the perceived utility for a specific naïve agent j as:

PU_j = M - p_j L (1 - s_j)(1 - e_j) - b e_j - c s_j.

Clearly, perceived and realized utility actually differ: by failing to incorporate the interdependencies of all agents' investment levels in their analysis, naïve users may achieve sub-optimal expected payoffs far below their anticipated expected payoffs. This paper does not aim to resolve this conflict, and, in fact, there is little evidence that users will learn the complexity of network security over time [3]. We argue that nonexpert users would repeatedly act in an inconsistent fashion. This hypothesis is supported by findings in behavioral economics that consumers repeatedly deviate from rationality, however, in the same predictable ways [9].

2.3 Information conditions

Our analysis is focused on the decision making of the expert user subject to the bounded rational behaviors of the naïve network participants. That is, more precisely, the expert agent maximizes their expected utility subject to the available information about other agents' drawn threat probabilities and their resulting actions. Two different information conditions may be available to the expert agent:

Complete information: Actual draws of attack probabilities p_j for all j ≠ i, and her own drawn probability of being attacked p_i.
Incomplete information: Known probability distribution of the unsophisticated users' attack threat, and her own drawn probability of being attacked p_i.

Therefore, the expert agent can accurately infer what each agent's investment levels are in the complete information scenario.
Under incomplete information the sophisticated user has to develop an expectation about the actions of the naïve users.

2.4 Remarks on basic results

We have conducted the basic analysis of this scenario in []. Below we make several general observations to guide the reader through the results summarized in the appendix. Every security scenario (i.e., best-shot, weakest-link and total effort) involves simple cost-benefit analyses for both sophisticated and naïve agents []. Agents remain passive when the cost of self-protection and self-insurance exceeds the expected loss. Further, they differentiate between the two types of security actions based on their relative cost. This behavior describes what we would usually consider as basic risk-taking that is part of everyday life: it is not always worth protecting against known risks.

One important feature of our model is the availability of self-insurance. If c < b the decision scenario significantly simplifies for all games and both information conditions. This is because once insurance is applied, the risk and interdependency among the players is removed. The interesting cases for all three games arise when b ≤ c and protection is a potentially cost-effective option. Within this realm insurance has a more subtle effect on the payoffs. There are several key differences between the games, and between the information conditions. In particular, we encourage the reader to browse the results for the probabilities of self-protection, self-insurance and passivity within each case that are viewable in Tables 3, 8, and 3 in the companion Appendix. For example, in the weakest-link game only cases 3 and 4 allow for investments in self-protection. We find that increasing the number of agents, N, results in a shrinkage of both cases 3 and 4 to the benefit of case . In contrast, the determination of case boundaries in the best shot game is independent of the size of the network. Finally, in the total effort game only cases 3 and 4 allow for rational self-protection investments. Again an increase in the network size reduces the prevalence of these cases since is a necessary condition. Tables , , and contain the total expected payoff for decisions made by the sophisticated agent, but also for the naïve agents. We have already highlighted that for c < b all agents follow the same simple decision rule to decide between passivity and self-insurance. Therefore, payoffs in this region are identical for all agent types in the case of homogeneous security costs. But there are payoff differences among all three information conditions for some parts of the parameter range when b ≤ c. It is intuitive that the naïve agents suffer in the weakest-link game since they do not appreciate the difficulty of achieving system-wide protection. Similarly, in the best shot game too many unsophisticated agents will invest in protection, lowering the average payoff.
In the total effort game, sophisticated agents realize that their contribution is only valued in relation to the network size. In comparison, naïve agents invest more often. Further, the payoff profile of the unsophisticated agents remains flat for b < c. This reflects the fact that the naïve agent ignores the insurance option whenever protection is cheaper. We can observe that the sophisticated agents will suffer from their misallocation of resources in the weakest-link game when information is incomplete. In the best shot game this impact is limited, but there is a residual risk that no naïve agent willingly protects due to an unlikely set of draws. In such cases the fully informed expert could have chosen to take it upon herself to secure the network. In the total effort game we observe a limited payoff discrepancy for expert users as a result of limited information.

2.5 Outlook on further analyses

Above we have given a short summary of the key results that help to distinguish the three canonical scenarios and the decision-making of the expert and naïve agents detailed in []. From this point on we venture into new territory. Our starting point are the total payoff results in Tables , , and . We will derive metrics to compare the impact of the important decision making parameters on the payoffs achievable in the two different information conditions. Thereby, we focus on the choices and payoffs garnered by the expert agent.

3 Price of uncertainty metrics

3.1 The price of uncertainty

In previous work we discussed two information conditions (complete information and incomplete information) for an expert player in three canonical security games. In this context, the price of uncertainty measures the disadvantage of the expert player when she has incomplete information, compared to when she has complete information. Depending on the form this measure takes, the price of uncertainty potentially depends on five different parameters:

1. the cost of protection b,
2. the cost of insurance c,
3. the magnitude of potential losses L,
4. the initial endowment M, and
5. the number of other players N.

Because the analysis of five-variable functions is somewhat cumbersome, a central objective in our metric-creation exercise is to reduce the number of parameters in a manner such that something both relevant and interesting can be said. In this work we focus on how the price of uncertainty depends on the magnitude of potential losses L and the number of other players N. To eliminate M we choose a canonical value of either 0 or 1, and to eliminate b and c we chose the values that cause the price of uncertainty to have the greatest significance. This choice depends on the metric.

3.2 Three metrics for the price of uncertainty

For each of our three security games (best shot, weakest link, and total effort) we define metrics for the price of uncertainty having the following three forms:

1. The difference metric PoU1(L, N), defined by
   max over b, c ∈ [0, 1] of [Expected Payoff Complete(b, c, L, M, N) - Expected Payoff Incomplete(b, c, L, M, N)].

2. The payoff-ratio metric PoU2(L, N), defined by
   max over b, c ∈ [0, 1] of [Expected Payoff Complete(b, c, L, M, N) / Expected Payoff Incomplete(b, c, L, M, N)].

3. The cost-ratio metric PoU3(L, N), defined by
   min over b, c ∈ [0, 1] of [Expected Payoff Complete(b, c, L, M, N) / Expected Payoff Incomplete(b, c, L, M, N)].
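As an added worked example (not code from the paper), the three metric forms above evaluated by grid search over (b, c) for the best shot game, using a simplified version of the model of Section 2: p_j uniform on [0, 1], naïve agents minimise min(p_j L, b, c), and the expert reasons about whether any naïve agent protects. The closed-form expectations, the grid and the exact best shot payoff expressions are my own assumptions, so the numbers are illustrative rather than the paper's values.

```python
"""Best shot game: expert's expected payoff under complete vs. incomplete
information, and the three price-of-uncertainty metrics, by grid search.
Assumed model (not the paper's exact equations): M endowment, L loss,
b protection cost, c insurance cost, N naive agents, p ~ Uniform[0,1]."""
from typing import Tuple


def expected_min_cost(scale: float, cap: float, loss: float) -> float:
    """E_p[min(scale * p * loss, cap)] for p ~ Uniform[0, 1] (closed form).
    scale is the factor by which the expert discounts her own risk."""
    s = scale * loss
    if s <= cap:
        return s / 2.0
    t = cap / s                      # p above which the cap (b or c) binds
    return s * t * t / 2.0 + cap * (1.0 - t)


def prob_nobody_protects(b: float, c: float, loss: float, n: int) -> float:
    """Probability that none of the n naive agents protects.
    A naive agent pays min(p_j*L, b, c); it protects iff b <= c and b <= p_j*L."""
    if b > c or loss <= 0:
        return 1.0
    p_protect = max(0.0, 1.0 - b / loss)
    return (1.0 - p_protect) ** n


def expert_costs(b: float, c: float, loss: float, n: int) -> Tuple[float, float]:
    """Expected cost (expected loss plus spending) of the expert under
    complete and under incomplete information. Payoff = M - cost."""
    r = prob_nobody_protects(b, c, loss, n)
    cap = min(b, c)
    # Complete info: with prob 1-r some naive agent protects, so H = 1 and
    # passivity is free; otherwise she takes the cheapest action for her p_i.
    complete = r * expected_min_cost(1.0, cap, loss)
    # Incomplete info: she only knows r, so passivity costs p_i * L * r in
    # expectation, and she picks the cheapest of passivity, b and c on that basis.
    incomplete = expected_min_cost(r, cap, loss)
    return complete, incomplete


def payoff_gap(b: float, c: float, loss: float, n: int) -> float:
    """Expected Payoff Complete - Expected Payoff Incomplete (M cancels)."""
    complete, incomplete = expert_costs(b, c, loss, n)
    return incomplete - complete


GRID = [i / 100.0 for i in range(1, 101)]     # b, c sampled in (0, 1]


def difference_metric(loss: float, n: int) -> float:
    """PoU1: worst-case payoff difference over the (b, c) grid."""
    return max(payoff_gap(b, c, loss, n) for b in GRID for c in GRID)


def payoff_ratio_metric(loss: float, n: int, m: float = 1.0) -> float:
    """PoU2 with endowment M = 1: worst-case ratio of payoffs (>= 1)."""
    best = 1.0
    for b in GRID:
        for c in GRID:
            comp, inc = expert_costs(b, c, loss, n)
            best = max(best, (m - comp) / (m - inc))
    return best


def cost_ratio_metric(loss: float, n: int) -> float:
    """PoU3 with M = 0: ratio of costs; closer to zero means a more
    significant price of uncertainty."""
    best = 1.0
    for b in GRID:
        for c in GRID:
            comp, inc = expert_costs(b, c, loss, n)
            if inc > 0:
                best = min(best, comp / inc)
    return best


if __name__ == "__main__":
    for n in (1, 2, 4, 8):
        print(n, difference_metric(1.0, n), payoff_ratio_metric(1.0, n),
              cost_ratio_metric(1.0, n))
```

In this simplified model the gap is zero whenever c < b (insurance removes the interdependency, as Section 2.4 notes) and the cost-ratio metric collapses toward zero for small b, which is the behaviour the paper reports for the best shot cost-ratio metric.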

3.3 Discussion of the definitions

3.3.1 The difference metric

The difference metric is our most straightforward metric. It says the price of uncertainty is the worst case difference in payoff between complete and incomplete information, where the maximum is taken over all possible prices for protection and insurance. In this metric, a completely insignificant price of uncertainty yields an output of zero, and the metric's output increases directly as the price of uncertainty becomes more significant.

3.3.2 The payoff-ratio metric

The payoff-ratio metric is motivated by the game-theoretic notion of the price of anarchy, which is defined as the payoff-ratio of a game's socially optimal equilibrium to its worst case Nash equilibrium []. By analogy, we defined the price of uncertainty as the worst case payoff-ratio of the expert with complete information to the expert with incomplete information, with the worst case taken over all possible prices of protection and insurance. One advantage of using a ratio-style metric of this type is that its output is currency-independent. In other words, while our difference metric might depend on, say, dollars or euros, this ratio metric is just a pure number. In the payoff-ratio metric, a completely insignificant price of uncertainty yields an output of 1, and the metric's output increases as the price of uncertainty becomes more significant.

3.3.3 The cost-ratio metric

The cost-ratio metric is similar to the payoff-ratio metric, but with a different canonical choice of 0 for the initial endowment M. This metric directly measures the ratio of costs induced by the expert's choices. These costs are reflected in formulas involving b, c, L, and N. Mathematically, the cost ratio allows for a simpler algebraic analysis due to an abundance of term cancellations. A minor disadvantage of this metric's formulation is that it has a somewhat nonstandard orientation, in the sense that it decreases as the price of uncertainty becomes more significant. There are two justifications for this choice.
First, we wanted to cast this metric as a simpler analogue to the payoff-ratio metric; and second, we wanted to avoid values at infinity, which would have resulted had we used this metric's multiplicative inverse. In our cost-ratio metric, a completely insignificant price of uncertainty yields an output of 1, and the metric's output decreases toward zero as the price of uncertainty becomes more significant.

4 Analysis

In this section, we analyze the price of uncertainty as defined by each of our three metrics in each of our three security games. In each case the analysis proceeds as follows. First, considering the magnitude of potential loss L and the number of other players N as fixed parameters, we determine the protection cost b and insurance cost c which cause the metric under consideration to yield its most significant value. This process defines a function of two parameters L and N, which we then analyze as a measure of the price of uncertainty. In some scenarios we are able to produce clean algebraic results with tight asymptotic bounds. For others we must rely almost completely on computer-aided numerical analysis and graphs. Each subsection contains graphs of all relevant metrics and maximizing parameters, and concludes with some important observations.

4.1 Best shot game

4.1.1 The best shot difference metric: BPoU1(L, N)

In this section we analyze the price of uncertainty metric BPoU1(L, N), defined as:

max over b, c ∈ [0, 1] of [Best Shot Exp. Payoff Complete(b, c, L, M, N) - Best Shot Exp. Payoff Incomplete(b, c, L, M, N)]

In the best shot game, the complete and incomplete payoffs are the same when c < b; hence to compute the maximum payoff difference we may assume that b ≤ c. Observe that in this case, the payoffs do not depend on c at all. This will help to simplify our analysis.

Best Shot Exp. Payoff Complete(b, c, L, M, N) - Best Shot Exp. Payoff Incomplete(b, c, L, M, N) [ = M ] [ M ] = + = + =

This expression is maximized as a function of b when its partial derivative with respect to b is zero. So we compute:

[Figure 1: Best shot difference metric: the maximizing b for BPoU1(L, N).]

= + + = + + = = = +

The expression is zero if and only if = or = or =. From the second derivative test we find that = and = give local minima; hence the maximizing value of this expression for b ∈ [0, 1] occurs when = +. Figure 1 plots this maximizing b as a function of N. For the price of uncertainty, we have

[Figure 2: Best shot difference metric: BPoU1(L, N). The metric grows linearly in the potential loss L for a fixed network size, and decreases inverse-quadratically in the network size N for a fixed loss.]

BPoU1(L, N) = max over b, c ∈ [0, 1] of [Best Shot Exp. Payoff Complete(b, c, L, M, N) - Best Shot Exp. Payoff Incomplete(b, c, L, M, N)] = max over b ∈ [0, 1] of [ ] = = =

To give an asymptotic analysis, we begin by noting that lim + = . Rewriting the expression above as +, we see that the first part approaches a constant as N gets large, and that the second part decreases to zero quadratically in N. Hence this metric for the price of uncertainty increases linearly in L for fixed N and decreases quadratically to zero in N for fixed L. Figure 2 shows a graph of the metric BPoU1 as a function of L and N.

Observations. The interpretation of our numerical results for this metric is that the price of uncertainty increases with the potential losses, but as the number of players increases, the price of uncertainty diminishes unless the losses are quite high (approaching the square of the number of players).

4.1.2 The best shot payoff-ratio metric BPoU2(L, N)

In this section we analyze the price of uncertainty metric BPoU2(L, N), defined as

max over b, c ∈ [0, 1] of [Best Shot Exp. Payoff Complete(b, c, L, 1, N) / Best Shot Exp. Payoff Incomplete(b, c, L, 1, N)]

BPoU2(L, N) = max over b, c ∈ [0, 1] of [Best Shot Exp. Payoff Complete(b, c, L, 1, N) / Best Shot Exp. Payoff Incomplete(b, c, L, 1, N)] = max [,] = max [,] = max B [,] B B B B B + = max B+ B [,] B = max B [,] + B + B+ + B B = max + B B B [,] B

To compute the maximum, we take the derivative with respect to B and set it equal to zero. We get:

[Figure 3: Best shot payoff-ratio metric: the maximizing b for BPoU2(L, N).]

B B + B B B = B = B B B B B = B B B B 4 = B B B B + B B B = BB B + B = BB B + + B = B B B B + + B B B + B 3 B 4 B 3 B + B B + B 3 B 4

Both B = 0 and B = 1 are roots of this equation, but when put back into the maximizing formula, they each give the global minimum value of 1. It remains to find a solution to this derivative equation for B in (0, 1). We know there is such a root because the value of B B + + is positive at B = 0 and negative at B = 1. Unfortunately, this root, which must maximize the BPoU2 metric, is not generally expressible in closed form for general N. Figure 3 plots a graph of the maximizing b = B as a function of L and N.

[Figure 4: Best shot payoff-ratio metric: BPoU2(L, N). The metric is independent of L.]

It follows from our derivations that this measure of the price of uncertainty does not depend on L. Figure 4 plots BPoU2 as a function of N. As can be seen from the graph, this metric approaches 1 as N increases.

Observations. Since 1 represents the smallest price possible in this metric, the interpretation would be that the price of uncertainty becomes insignificant as the number of players increases, independent of the magnitude of potential losses.

4.1.3 The best shot cost-ratio metric BPoU3(L, N)

In this section we analyze the price of uncertainty metric BPoU3(L, N), defined as

min over b, c ∈ [0, 1] of [Best Shot Exp. Payoff Complete(b, c, L, 0, N) / Best Shot Exp. Payoff Incomplete(b, c, L, 0, N)]

This metric is expressed in terms of our payoff functions, but by starting with an initial endowment of zero, it really is a ratio of costs. If the cost of limited information is great compared to the cost of complete information, this ratio will tend toward zero. On the other hand, if the costs are similar, then the ratio will tend toward one. We select the minimizing b and c for this ratio so as to obtain the most significant price of uncertainty under the metric. We have

[Figure 5: Best shot cost-ratio metric: the maximizing b for BPoU3(L, N). Here b is constantly equal to zero.]

BPoU3(L, N) = min over b, c ∈ [0, 1] of [Best Shot Exp. Payoff Complete(b, c, L, 0, N) / Best Shot Exp. Payoff Incomplete(b, c, L, 0, N)] = min [,] = min [,]

Clearly the minimum value of zero for this expression (assuming ) is achieved by taking b = 0. Or, if the value b = 0 is to be avoided, the minimum is achieved by taking b arbitrarily close to zero. We observe that for the best shot game, this cost-ratio metric always measures the price of uncertainty at its greatest possible value, independent of L or N. The graphs for the maximizing b and the cost-ratio metric are both trivial but are included for consistency in Figures 5 and 6 respectively.

Observations. The most direct interpretation for this result would be that the price of uncertainty is very significant, regardless of the number of players or the potential losses. An alternative, and arguably better, explanation is that this particular metric is not a very useful provider of information for the best shot game.

[Figure 6: Best shot cost-ratio metric: BPoU3(L, N). As can be seen here, this metric is constant and equal to zero throughout the parameter space.]

4.2 Weakest link game

In the weakest link game, the complete and incomplete payoffs are the same when c < b, but for b ≤ c there are a wide variety of cases to consider, and without some direction it is not clear which equations we should use. Unlike the best shot game, in which most of our equational analysis involved a single variable in a relatively simple expression, a soft algebraic analysis of the weakest link game is much more difficult to conduct. Our strategy is to use numerical approximations and graphs to determine which cases to consider, and consequently which equations to work with. Thus most of our algebraic work for this game takes the form of supporting, verifying, and clarifying the numerical analysis.

4.2.1 The weakest link difference metric: WPoU1(L, N)

In this section we analyze the price of uncertainty metric WPoU1(L, N), defined as:

max over b, c ∈ [0, 1] of [Weakest Link Exp. Payoff Complete(b, c, L, M, N) - Weakest Link Exp. Payoff Incomplete(b, c, L, M, N)]

Our numerical analysis of this difference metric indicates that all the highest values lie in the weakest link game's case WL3, in which we have < < +. Assuming that the minimizing values of b and c do lie in this case, we can analyze the payoff equations for this case to get more specific information.

Weakest Link Exp. Payoff Complete(b, c, L, M, N) - Weakest Link Exp. Payoff Incomplete(b, c, L, M, N) [ = ] + + = + + = + = +

To find conditions on a minimum for this expression we take the partial derivative with respect to c and set it equal to zero. We get:

= + = = = = = + + [ ]

[Figure 7: Weakest link difference metric: the maximizing b and c for WPoU1(L, N).]

So this formula gives us the maximizing c as a function of b, L, and N. The dependence on N is quite weak in the sense that is a function of and . By making the assumption = and solving for c, we immediately get as the maximizing solution for the same equation if N were not equal to . Now, to algebraically compute the maximizing b, we would just need to substitute the value of c from above into the payoff difference formula: + ; then take the derivative with respect to b and find a root of this derivative in the interval [0, 1]. We will spare the reader the computation of this derivative, as there is no closed form expression for the root of the degree polynomial we would eventually need to find. Instead we refer to the graphs relevant to this metric. Figure 7 gives the maximizing b and c respectively as functions of L and N. Then Figure 8 gives the weakest link difference metric WPoU1 as a function of L and N. Observe that the maximizing b decreases to 0 as a function of N but increases linearly in L. The maximizing c also decreases in N and increases linearly in L. The difference metric itself increases linearly in L, but remains relatively constant as N grows. This phenomenon can be explained by the following observation. The maximizing b for this metric satisfies the relation O, whence the expression approaches a constant as N increases. All terms in WPoU1(L, N) involving N have this form; thus as N grows the function value does not change. The graph shows additionally that the convergence to a constant is quite fast in N.

Observations. The interpretation for these numerical results is that the price of uncertainty in the weakest link game is highest when protection is cheap and insurance is competitively priced. This price of uncertainty increases directly with the potential loss, and it is not affected by the number of other players.

Figure 8: Weakest link, difference metric: WPoU1. The metric grows linearly in the losses and, for a fixed loss, remains relatively constant regardless of the network size.

4.2.2 The weakest link payoff-ratio metric WPoU2

In this section we analyze the price of uncertainty metric WPoU2, defined as the maximum, over protection and insurance costs in [0, 1], of the ratio

Weakest Link Exp. Payoff Complete / Weakest Link Exp. Payoff Incomplete.

We begin by considering the graphs in Figure 9, which give, as functions of the loss and the number of players, the protection and insurance costs respectively which maximize the price of uncertainty under this metric. We see that the maximizing protection cost increases linearly with the loss, but decreases to zero super-linearly in the number of players. The maximizing insurance cost also increases linearly with the loss, and decreases with the number of players. For the weakest link payoff-ratio metric itself, we observe that it has no dependence on the loss, that there is a local maximum very close to N = 4 players, and that after N = 4 the ratio decreases toward zero as N increases. The graph for the payoff-ratio metric is given in Figure 10. We see from the figure that it does not depend on the loss. We can also derive this observation by considering the equations as we did in the best shot case, specifically noting that it is without loss of generality to consider a maximum over the protection and insurance costs expressed relative to the loss in place of the costs themselves. Because the metric depends only on these relative costs, subject to the condition that the costs lie in [0, 1], it follows that the loss can be set to one without loss of generality, and hence the metric does not depend on the loss.

Observations. We observe that in the weakest link payoff-ratio metric, the price of uncertainty is highest when there are exactly four players, and it decreases toward its minimum possible value as the number of players increases.

Figure 9: Weakest link payoff-ratio metric: the maximizing protection and insurance costs for WPoU2. Note that the functions are actually expected to be continuous; the different steps that can be seen are due to sampling errors in our numerical evaluations.

Figure 10: Weakest link payoff-ratio metric: WPoU2. Numeric simulations confirm the metric is independent of the loss.

Figure 11: Weakest link cost-ratio metric: the maximizing protection and insurance costs for WPoU3. ε is an extremely small positive quantity, limited by machine precision in our computations, and ε′ > ε is another extremely small positive quantity, barely greater than ε.

4.2.3 The weakest link cost-ratio metric WPoU3

In this section we analyze the price of uncertainty metric WPoU3, defined as the minimum, over protection and insurance costs in [0, 1], of the ratio between the cost borne in the weakest link game under complete information and the cost borne under incomplete information, each cost being the shortfall of the corresponding expected payoff. (6)

Consider the graphs in Figure 11, which give, as functions of the loss and the number of players, the protection and insurance costs respectively which make the price of uncertainty most significant under this metric. We see that these extremal values are attained with both costs close to zero, at the ε and ε′ levels indicated, with one of them scaled appropriately relative to the other. The graph for the cost-ratio metric is given in Figure 12. As with the payoff-ratio metric considered above, this ratio-based metric does not depend on the loss. The plot gives nonzero values for all N but decreases to zero as N increases. Recall that zero in this metric represents the most significant price of uncertainty.

Observations. The results for this metric can be interpreted as saying that the price of uncertainty becomes more significant as the number of players increases. This interpretation contradicts our observations in the difference and payoff-ratio metrics for this game, and serves as a prime example to illustrate that the choice of metric makes a significant difference in the interpretation. Our explanation of the discrepancy is that this cost-ratio metric focuses on comparing costs which are insignificantly small in both the complete and incomplete information environments, but whose limiting ratio indicates a significant discrepancy. Based on this observation, a blunt assessment is that the cost-ratio metric for the weakest link game does not measure what we most generally think of as important.
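To make the observation above concrete, here is an added worked example; it is not code from the report. It evaluates the three metrics (difference, payoff ratio, cost ratio) numerically by grid search over protection and insurance costs in [0, 1], in the spirit of the report's numerical evaluations, and then exhibits the pitfall just described: two negligible costs whose ratio still reads as a severe price of uncertainty. The toy payoff functions, the endowment value, and the reading of cost as endowment minus expected payoff are assumptions made for this example; in particular the toy payoff functions are not the report's weakest link payoff equations.

```python
"""Numerical evaluation of the three price-of-uncertainty metrics.

Added worked example, not code from the report.  The payoff model below is
CONSTRUCTED for illustration: it is not the weakest link (or total effort)
payoff function of the report.  Cost is taken as endowment minus expected
payoff, which is an assumption about how the cost-ratio metric is formed.
"""
from typing import Callable, Optional, Tuple

ENDOWMENT = 100.0  # the expert's initial endowment (constructed value)

# A payoff function takes (protection cost b, insurance cost c, loss, players).
Payoff = Callable[[float, float, float, int], float]
Metric = Callable[[float, float], float]


def toy_payoff_complete(b: float, c: float, loss: float, n_players: int) -> float:
    """Constructed: an expert who knows the other agents' incentives pays the
    cheaper of protection (price b per unit of loss) and self-insurance (c)."""
    return ENDOWMENT - loss * min(b, c)


def toy_payoff_incomplete(b: float, c: float, loss: float, n_players: int) -> float:
    """Constructed: an expert who cannot observe the other n_players - 1 agents
    falls back on self-insurance, whose value does not depend on their choices."""
    return ENDOWMENT - loss * c


def difference_metric(complete: float, incomplete: float) -> float:
    """PoU1: payoff with complete information minus payoff without it."""
    return complete - incomplete


def payoff_ratio_metric(complete: float, incomplete: float) -> float:
    """PoU2: ratio of the two expected payoffs; 1 means no price of uncertainty."""
    return complete / incomplete


def cost_ratio_metric(complete: float, incomplete: float) -> float:
    """PoU3: ratio of the costs paid in the two environments; 0 is the most
    significant price of uncertainty.  Cost = ENDOWMENT - payoff (assumption)."""
    cost_complete = ENDOWMENT - complete
    cost_incomplete = ENDOWMENT - incomplete
    if cost_incomplete == 0.0:
        return 1.0  # nothing is paid in either environment: no discrepancy
    return cost_complete / cost_incomplete


def extremize_over_costs(metric: Metric, complete: Payoff, incomplete: Payoff,
                         loss: float, n_players: int, steps: int = 100,
                         minimize: bool = False) -> Tuple[float, float, float]:
    """Grid search over b, c in [0, 1] with `steps` subdivisions per axis.
    Returns (metric value, b, c).  Too coarse a grid produces the stepped
    maximizer curves that the report attributes to sampling error."""
    best: Optional[Tuple[float, float, float]] = None
    for i in range(steps + 1):
        for j in range(steps + 1):
            b, c = i / steps, j / steps
            value = metric(complete(b, c, loss, n_players),
                           incomplete(b, c, loss, n_players))
            better = best is None or (value < best[0] if minimize else value > best[0])
            if better:
                best = (value, b, c)
    assert best is not None
    return best


def cost_ratio_pitfall(loss: float = 10.0, n_players: int = 8,
                       b: float = 1e-9, c: float = 1e-6) -> Tuple[float, float, float]:
    """Two negligible costs in front of a large endowment: the difference and
    payoff-ratio metrics report almost nothing, while the cost ratio reports a
    'significant' discrepancy.  Returns (difference, payoff ratio, cost ratio)."""
    comp = toy_payoff_complete(b, c, loss, n_players)
    incomp = toy_payoff_incomplete(b, c, loss, n_players)
    return (difference_metric(comp, incomp),
            payoff_ratio_metric(comp, incomp),
            cost_ratio_metric(comp, incomp))


if __name__ == "__main__":
    for name, metric, minimize in (("difference", difference_metric, False),
                                   ("payoff ratio", payoff_ratio_metric, False),
                                   ("cost ratio", cost_ratio_metric, True)):
        for n in (2, 4, 16):
            value, b, c = extremize_over_costs(metric, toy_payoff_complete,
                                               toy_payoff_incomplete, 10.0, n,
                                               minimize=minimize)
            print(f"{name:13s} N={n:2d}: {value:.6f} at b={b:.2f}, c={c:.2f}")
    print("pitfall (difference, payoff ratio, cost ratio):", cost_ratio_pitfall())
```

Running the script shows, for the toy model, a difference metric that scales with the loss and ignores the number of players, a payoff ratio barely above one, and a cost ratio whose minimum sits at a point where both costs are negligible: exactly the situation in which the report argues the cost-ratio metric signals a discrepancy nobody should care about.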

Figure 12: Weakest link, cost-ratio metric: WPoU3. Numeric simulations confirm the metric is independent of the loss.

4.3 Total effort game

4.3.1 The total effort difference metric TPoU1

In this section we analyze the price of uncertainty metric TPoU1, defined as the maximum, over protection and insurance costs in [0, 1], of

Total Effort Exp. Payoff Complete − Total Effort Exp. Payoff Incomplete, (7)

where the total effort payoffs also depend on the endowment M.

As with the weakest link game, there are a number of cases to consider when beginning to analyze the price of uncertainty metrics. Numerical evidence suggests that the maximizing protection and insurance costs for this game fall in the total effort game's case TI3, defined by its inequalities on the cost parameters. Using the payoff equations from this case, we have:

Expected Payoff Complete T − Expected Payoff Incomplete T
= + P r[k] M + k k= P r[k] M + + k+ k= + k= P r[k] M k P r[k] k= [ ] M + + = P r[k] k k= + P r[k] k+ k= + + k +

Now, because one of the cost parameters occurs in the terms of this expression only quadratically, we could compute an expression for the partial derivative with respect to it that is almost everywhere valid, then set the derivative equal to zero and solve for it. In fact, we did compute this, obtaining

Apr[k] k= = + k+ k= P r[k] k k= + k= + P r[k] P r[k] k+

The problem with this formulation, in terms of an algebraic analysis, is that the same variable also occurs inside the summands, and it is not clear how to use algebra to get it out of there. Proceeding with our numerical analysis, Figure 13 plots the price of uncertainty as a function of the loss and the number of players. We observe that the price of uncertainty in this metric increases linearly in the loss and decreases to zero quickly with the number of players.

Figure 13: Total effort difference metric: TPoU1.

Observations. The interpretation of our numerical results for this metric is that the price of uncertainty increases with the potential losses, but as the number of players increases, the price of uncertainty diminishes quickly.

4.3.2 The total effort payoff-ratio metric TPoU2

In this section we analyze the price of uncertainty metric TPoU2, defined as the maximum, over protection and insurance costs in [0, 1], of the ratio

Total Effort Exp. Payoff Complete / Total Effort Exp. Payoff Incomplete. (8)

For the remaining total effort metrics, our analysis relies exclusively on numerical approximations. Figure 14 plots the total effort game's payoff-ratio price of uncertainty as a function of the number of players. The figure shows that the price of uncertainty does not depend on the loss and that it decreases toward its least significant possible value as the number of players increases.

Observations. In the total effort game, the payoff-ratio metric depends only on the number of players, and it diminishes to its least significant possible value as the number of players increases.

4.3.3 The total effort cost-ratio metric TPoU3

In this section we analyze the price of uncertainty metric TPoU3, defined over protection and insurance costs in [0, 1] as the extremal ratio between the cost borne in the total effort game under complete information and the cost borne under incomplete information, with zero again representing the most significant price of uncertainty. (9)

Figure 14: Total effort payoff-ratio metric: TPoU2.

Figure 15: Total effort cost-ratio metric: TPoU3.

Figure 15 plots the total effort game's cost-ratio price of uncertainty as a function of the number of players. As can be seen from the graph, the price of uncertainty does not depend on the loss, and decreases as the number of players increases.

Observations. Using the cost-ratio metric for the total effort game, the price of uncertainty becomes more significant with an increase in the number of players. Once again this goes against the analogous conclusions for the other two metrics. Again we surmise that this happens because the cost-ratio metric focuses on the cases where the costs in both the complete and incomplete information scenarios are quite small, but their ratio shows a significant distinction.

5 Conclusions

Users frequently fail to deploy or upgrade security technologies, or to carefully preserve and back up their valuable data [8, 7], which leads to considerable monetary losses to both individuals and corporations every year. This state of affairs can be partly attributed to economic considerations. Significant challenges for average users arise when they have to determine optimal security strategies in the presence of interdependencies between the security choices of other agents [4, ]. Struggling with this task, we anticipate the vast majority of users to be naïve, and to apply approximate decision rules that fail to accurately appreciate the impact of their decisions on others []. In this paper we continue our investigation into the incentives of an individual expert user who rationally responds to the security choices of unsophisticated end users under different informational assumptions []. In particular, we study how the expert evaluates the importance of improving the information available for her decision-making. We propose three variations of the price of uncertainty metric that may serve as a decision aid for the expert user. We distinguish between a difference, a payoff-ratio, and a cost-ratio metric. Our work complements the rich area of security metrics that are commonly technical, financial [7] or market-based [3].
However, the price of uncertainty is motivated by game theory and, more specifically, by Koutsoupias and Papadimitriou's metric to evaluate worst-case equilibria [], and adds to the rich literature on information sharing, mandatory disclosure, and notice and consent that we reviewed in the introductory section. Our research yields a number of somewhat counter-intuitive results:

Using cost-ratio metrics can be misleading, as two negligible costs in front of a large endowment may still produce a large ratio when divided by each other. While mathematically trivial, such a pitfall is relatively easy to get into. We showed that, unfortunately, for all games we studied, cost ratios are never an appropriate metric. The cynic in ourselves could actually point out that their main use would be for marketing purposes. Beware of snake oil!

Aside from the cost-ratio metric, the other metrics show a relatively low price of uncertainty across all the scenarios we considered, and this is especially true with a large number of players. The difference

