How To Understand Network Security

Similar documents

Coordination in Network Security Games

Individual security and network design

Economic Incentives to Increase Security in the Internet: The Case for Insurance

Voluntary Participation in Cyber-insurance Markets

Modeling Internet Security Investments Tackling Topological Information Uncertainty

Voluntary Participation in Cyber-insurance Markets

Unraveling versus Unraveling: A Memo on Competitive Equilibriums and Trade in Insurance Markets

Role of Network Topology in Cybersecurity

When Information Improves Information Security

Econ 430 Lecture 9: Games on Networks

Network Security A Decision and Game-Theoretic Approach

Computational Game Theory and Clustering

Sharing Information on Computer Systems Security: An Economic Analysis

Microeconomic Theory Jamison / Kohlberg / Avery Problem Set 4 Solutions Spring (a) LEFT CENTER RIGHT TOP 8, 5 0, 0 6, 3 BOTTOM 0, 0 7, 6 6, 3

1. Write the number of the left-hand item next to the item on the right that corresponds to it.

How To Play A Static Bayesian Game

INVESTING IN CYBERSECURITY:

Security Audits Revisited

Competitive Cyber-Insurance and Internet Security

Incentives for Improving Cybersecurity in the Private Sector: A Cost-Benefit Perspective

Vulnerability Assessment. U.S. Food Defense Team

Economics of Insurance

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Rural and Agricultural Finance. Day 1: Block 1 What and Why of Rural Finance?

Marginal cost. Average cost. Marginal revenue

Summary of Doctoral Dissertation: Voluntary Participation Games in Public Good Mechanisms: Coalitional Deviations and Efficiency

e-book Platform Competition in the Presence of Two-Sided Network Externalities

Midterm March (a) Consumer i s budget constraint is. c i b i c i H 12 (1 + r)b i c i L 12 (1 + r)b i ;

Modeling Insurance Markets

Not Only What But also When: A Theory of Dynamic Voluntary Disclosure

Introduction to Probability

Does One Soros Make a Difference? A Theory of Currency Crises with Large and Small Traders

A Simple Model of Price Dispersion *

ECO 199 GAMES OF STRATEGY Spring Term 2004 March 23 ADVERSE SELECTION SCREENING AND SIGNALING. EXAMPLE 1 FAILURE OF EQUILIBRIUM Akerlof s Lemons

Lecture 11: The Design of Trading Platforms (Alos-Ferrer et al. 2010)

ECON Game Theory Exam 1 - Answer Key. 4) All exams must be turned in by 1:45 pm. No extensions will be granted.

The Max-Distance Network Creation Game on General Host Graphs

COS 116 The Computational Universe Laboratory 9: Virus and Worm Propagation in Networks

Business Continuity & Disaster Recovery

Liquidity Cycles and Make/Take Fees in Electronic Markets

Behavioural Economics: Introduction to Behavioral Game Theory and Game Experiments. University of Oxford, Michaelmas Term 2013.

Chapter 11. Market-Clearing Models of the Business Cycle

Part IV. Pricing strategies and market segmentation

Information in Mechanism Design

2. Information Economics

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

How To Perform An External Security Vulnerability Assessment Of An External Computer System

System Dynamics Modelling using Vensim

CPC/CPA Hybrid Bidding in a Second Price Auction

IMPROVING NETWORK SECURITY THROUGH CYBER-INSURANCE. Ranjan Pal

Richard Schmidtke: Private Provision of a Complementary Public Good

Let the Pirates Patch? An Economic Analysis of Network Software Security Patch Restrictions

Work incentives and household insurance: Sequential contracting with altruistic individuals and moral hazard

Knowledge Transfer and Partial Equity Ownership

The Four-Step Guide to Understanding Cyber Risk

21. Unverifiable Investment, Hold Up, Options and Ownership

Cybersecurity Awareness. Part 1

Two Papers on Internet Connectivity and Quality. Abstract

Alok Gupta. Dmitry Zhdanov

Cooperation with Network Monitoring

The Impact of Commercial Open Source Software on Proprietary Software Producers and Social Welfare

Patent Litigation with Endogenous Disputes

Competition and Fraud in Online Advertising Markets

Paul Belleflamme, CORE & LSM, UCL

Transcription:

Network Security: an Economic Perspective Marc Lelarge (INRIA-ENS) currently visiting STANFORD TRUST seminar, Berkeley 2011.

Threats and Vulnerabilities Attacks are exogenous

Contribution (1) Optimal security investment for a single agent - Gordon and Loeb model, 1/e rule - Monotone comparative statics (2) Optimal security investment for an interconnected agent - Network externalities (3) Equilibrium analysis of the security game - Free-rider problem, Critical mass, PoA

(1) Single agent Two parameters: Potential monetary loss: Probability of security breach without additional security: Agent can invest loss to: Optimal investment: to reduce the probability of

(1) Gordon and Loeb Class of security breach probability functions: measure of the productivity of security. Gordon and Loeb (2002)

(1) Gordon and Loeb (cont.) Optimal investment (size of potential loss fixed) vulnerability

(1) Gordon and Loeb (cont.) Probability of loss for a given investment

(1) Gordon and Loeb (cont.) Low vulnerability High vulnerability

(1) Conditions for monotone investment If then is non-decreasing Augmenting return of investment with vulnerability: Extension to submodular functions.

(1) The 1/e rule If the function is log-convex in x then the optimal security investment is bounded by:,i.e of the expected loss

Contribution (1) Optimal security investment for a single agent - Gordon and Loeb model, 1/e rule - Monotone comparative statics (2) Optimal security investment for an interconnected agent - Network externalities (3) Equilibrium analysis of the security game - Free-rider problem, Critical mass, PoA

(2) Effect of the network Agent faces an internal risk and an indirect risk. Information available to the agent: poset (partially ordered set). Optimal security investment: in a

(2) How to estimate the probability of loss? Epidemic risk model Binary choice for protection Limited information on the network of contagion (physical or not): degree distribution. Best guess: take a graph uniformly at random. Galeotti et al. (2010)

(2) Epidemic Model N S Attacker Attacker directly infects an agent N with prob. p. Each neighbor is contaminated with prob. q if in S or if in N.

(2) Monotone comparative statics If the function is strictly decreasing in investment Equivalent to: for any then the optimal is non-decreasing. Network externalities function is decreasing:

(2) Strong protection An agent investing in S cannot be harmed by the actions of others:. in previous equation. Decreasing network externalities function.

(2) Weak protection If, the network externalities function is:

Contribution (1) Optimal security investment for a single agent - Gordon and Loeb model, 1/e rule - Monotone comparative statics (2) Optimal security investment for an interconnected agent - Network externalities (3) Equilibrium analysis of the security game - Free-rider problem, Critical mass, PoA

(3) Fulfilled expectations equilibrium Concept introduced by Katz & Shapiro (85) Willingness to pay for the agent of type : multiplicative specification of network externalities, Economides & Himmelberg (95). C.d.f of types: % with Willingness to pay for the last agent:

(3) Fulfilled expectations equilibrium In equilibrium, expectation are fulfilled: The willingness to pay is: Extension of Interdependent Security 2 players game introduced by Kunreuther & Heal (03).

(3) Critical mass Equilibria given by the fixed point equation

(3) Critical mass (cont.) Equilibria given by the fixed point equation cost fraction of population investing in security

(3) Critical mass (cont.) If only one type: willingness to pay = network externalities function. cost fraction of population investing in security

(3) Price of Anarchy The social welfare function: Private externalities Public externalities Because of the public and private externalities, agent under-invest in security (in all cases).

Conclusion Simple single agent model: 1/e rule General conditions for monotone investment Interconnected agents: network externalities function General conditions to align incentives Equilibrium analysis of the security game Critical mass, PoA Extensions: In this talk, agent is risk-neutral. What happens if risk-adverse? Insurance?

Thank you! Feedbacks are welcome: marc.lelarge@ens.fr