
Rational Decision-Making in Information Security: Network, Security, and Economics Perspectives

This article explores the rational decision-making process in information security from network, security, and economics perspectives. It covers topics such as risk management, cost-benefit analysis, risk attitudes, interdependent security, and various forms of attacks and defenses. The article also discusses the concepts of weakest link, best shot, total effort, protection vs. insurance, and limited information.





Presentation Transcript


  1. Network Security: An Economics Perspective
     IS250, Spring 2010
     John Chuang

  2. Rational Decision-Making in Information Security
     • Step 1. One defender
       • Security investment as risk management
       • Cost-benefit analysis; expected value
       • Risk attitudes and deviations from expected utility
     • Step 2. Many defenders
       • Interdependent security: weakest link, best shot, and total effort
     • Step 3. Many forms of attacks and defenses
       • Weakest target
       • Protection versus insurance (public versus private goods)
       • Limited information

  3. How Secure is Secure?
     • Are we investing too little in security? Are we investing too much?
     • Security investment as risk management
     • In traditional engineering:
       • Risk = probability of accident × losses per accident
       • Risk can be interpreted as expected loss
       • Perform cost-benefit analysis of risk-mitigation alternatives
       • Example: highway safety regulation often uses $1 million per statistical death in its analysis

  4. Cost-Benefit Analysis
     • Scenario 1:
       • New technology promises to fix a vulnerability
       • Loss in event of security breach: L
       • Probability of breach: p
       • Cost of security mechanism: c
       • Q: should the CSO invest in the security mechanism?
       • A: invest if p·L > c; else do not invest
     • Scenario 2:
       • Webpage asks you to type in your social security number
       • Value derived from completing this transaction: v
       • Probability of theft: p
       • Loss in event of identity theft: L
       • Q: should you enter the information? What assumptions are made here?
       • A: provide the personal information if v > p·L; else do not

  5. Challenges
     • Difficulty in risk assessment
       • Especially for events with very low probability (p) and/or very high loss (L)
       • The estimate of p·L may be off by orders of magnitude
     • Users may not (want to) maximize expected utility
       • Risk attitudes: risk neutral, risk averse, or risk seeking
       • Hyperbolic discounting: a small immediate payoff is preferred over a large payoff in the future
       • Framing and prospect theory

  6. Risk Attitude
     • Offer 1:
       • Choice 1: win $10 with certainty
       • Choice 2: 50% chance of winning $20
     • Offer 2:
       • Choice 1: win $1 million with certainty
       • Choice 2: 50% chance of winning $2 million

  7. Hyperbolic Discounting
     • Discounted utility: U = d^t · u_t(x), where d is the discount factor and t is the delay
     • Would you prefer $50 today, or $100 a year from today?
     • Would you prefer $50 five years from now, or $100 six years from now?
     • Humans prefer smaller payoffs immediately over larger payoffs in the future
       • Or: unwilling to make sacrifices now for payoffs down the road
     • Privacy: humans often give away personal information in exchange for small discounts or prizes

  8. Prospect Theory (Kahneman and Tversky)
     • First pair of choices:
       • Choice 1: win $500 with certainty
       • Choice 2: 50% chance of winning $1000
     • Second pair of choices:
       • Choice 1: lose $500 with certainty
       • Choice 2: 50% chance of losing $1000
     • Response shares shown on the slide: 84% for the first pair, 70% for the second pair

  9. Asian Disease Experiment (Kahneman and Tversky)
     • Imagine that the U.S. is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people.
     • First framing:
       • Program A: 200 people will be saved
       • Program B: 33% chance all 600 people will be saved; 67% chance nobody will be saved
     • Second framing:
       • Program A: 400 people will die
       • Program B: 33% chance nobody will die; 67% chance all 600 people will die
     • Response shares: 72% chose Program A in the first framing; 78% chose Program B in the second framing

  10. WTA-WTP Gap
     • WTA: willingness to accept a proposal to sell a good already owned
     • WTP: willingness to pay for a good not already owned
     • Privacy study: “When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information” (Grossklags & Acquisti, 2007)
       • Finding: subjects were willing to sell personal information for $1/$0.25, but not willing to spend $1/$0.25 to protect the same information
       • Information: quiz performance, body weight

  11. Rational Decision-Making in Information Security (outline slide from slide 2, repeated)

  12. Interdependent Security
     [Figure: defenders facing an attacker under the best shot, total effort, and weakest link models]
     • Common adage: “A system is only as secure as its weakest link”
     • Security of the entire system depends on that of its individual components
     • Security of individual players depends on the security decisions of other players

  13. Interdependent Security
     • Utility function of player i: U_i = M − p·L·(1 − H(e_i, e_−i)) − b·e_i
     • where M is the initial endowment, b is the cost of protection, e_i is the protection level chosen by player i, e_−i are the levels chosen by the other players, and H is the protection function
     • Different protection functions for different attack/defense scenarios:
       • Weakest link: H(e_i, e_−i) = min(e_i, e_−i)
       • Best shot: H(e_i, e_−i) = max(e_i, e_−i)
       • Total effort: H(e_i, e_−i) = Σ_j e_j (sum over all players)
     • Varian, 2002: security becomes a public good
     • Well-known result: free-riding, leading to suboptimal provisioning of the public good

  14. Rational Decision-Making in Information Security (outline slide from slide 2, repeated)

  15. Protection vs. Insurance
     • Individual players may invest in protection to reduce the probability of loss (p)
       • Examples: firewall, anti-virus software, patching
     • Individual players may invest in insurance to reduce the magnitude of loss (L)
       • Examples: data backup (self-insurance), cyber-insurance (market insurance)

  16. Protection vs. Insurance
     • Protection only: U_i = M − p·L·(1 − H(e_i, e_−i)) − b·e_i
     • Insurance only: U_i = M − p·L·(1 − s_i) − c·s_i
     • Both available: U_i = M − p·L·(1 − H(e_i, e_−i))·(1 − s_i) − b·e_i − c·s_i
     • where M is the initial endowment, b is the cost of protection, c is the cost of insurance, e_i and s_i are the protection and insurance levels chosen by player i, and H is the protection function
     • Q: How should a player allocate its budget between e_i (protection) and s_i (insurance)?
     • Note: protection is a public good, whereas insurance is a private good

  17. Results
     • Total effort:
       • Depending on b, c, and p·L, the Nash equilibria can be to secure (full protection), to insure (full insurance), or to ignore (passivity)
     • Best shot:
       • No protection equilibrium, unless players can coordinate
     • Weakest link:
       • Depending on b, c, and p·L, the Nash equilibria can be to secure (multiple protection equilibria, all unstable), to insure (full insurance), or to ignore (passivity)
       • As N increases, protection equilibria collapse to either full insurance or passivity
     • Weakest target:
       • A pure NE does not exist; a mixed NE exists
       • As N increases, full insurance becomes less likely
       • The security level in the NE may be higher than in the social optimum, due to the effect of strategic uncertainty

  18. In the Lab Setting…
     • Three players choose protection and insurance levels
     • Payoffs based on the weakest link game
     • Player A experimented throughout
     • Player B quickly learns and settles into the individually rational strategy (full insurance, no protection); reinforced by a compromise at around round 65
     • Player C largely settles into the individually rational strategy after round 50

  19. Weakest Target
     • Attacker compromises the player(s) with the minimum protection level; all other players are unharmed
     • H(e_i, e_−i) = 0 if e_i = min(e_i, e_−i); 1 otherwise
     [Figure: defenders and attacker]
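The following Python is an added example, not from the slides: it brute-forces the pure-strategy Nash equilibria of the protection-plus-insurance game of slides 13, 16 and 19 over a three-level grid of (e_i, s_i), so the "secure / insure / ignore" outcomes of slide 17 can be checked numerically. The parameter values M = 1, p·L = 0.5, b = 0.2, c = 0.3 and the total-effort H divided by N (so it stays in [0, 1]) are assumptions of this example.

```python
import itertools

def H(rule, e, i):
    """Protection function H(e_i, e_-i) seen by player i under the named rule."""
    if rule == "weakest_link":
        return min(e)
    if rule == "best_shot":
        return max(e)
    if rule == "total_effort":  # assumption: divided by N so H stays in [0, 1]
        return sum(e) / len(e)
    if rule == "weakest_target":  # only the least-protected player(s) are hit
        return 0.0 if e[i] == min(e) else 1.0
    raise ValueError(f"unknown rule {rule!r}")

def utility(rule, e, s, i, M=1.0, pL=0.5, b=0.2, c=0.3):
    """Slide 16 payoff: U_i = M - p*L*(1 - H)*(1 - s_i) - b*e_i - c*s_i."""
    return M - pL * (1.0 - H(rule, e, i)) * (1.0 - s[i]) - b * e[i] - c * s[i]

def best_deviation(rule, e, s, i, actions, params):
    """Best payoff player i can reach by changing only their own (e_i, s_i)."""
    best = float("-inf")
    for ei, si in actions:
        e2, s2 = e[:i] + [ei] + e[i + 1:], s[:i] + [si] + s[i + 1:]
        best = max(best, utility(rule, e2, s2, i, **params))
    return best

def pure_nash(rule, n, levels=(0.0, 0.5, 1.0), **params):
    """Brute-force all joint (e_i, s_i) profiles; keep those no player wants to leave."""
    actions = list(itertools.product(levels, levels))  # (protection, insurance)
    equilibria = []
    for profile in itertools.product(actions, repeat=n):
        e, s = [a[0] for a in profile], [a[1] for a in profile]
        if all(utility(rule, e, s, i, **params) + 1e-9
               >= best_deviation(rule, e, s, i, actions, params) for i in range(n)):
            equilibria.append(profile)
    return equilibria

NAMES = {(1.0, 0.0): "secure (full protection)", (0.0, 1.0): "insure (full insurance)",
         (0.0, 0.0): "ignore (passivity)"}

def describe(profile):
    """Name an equilibrium in the vocabulary of slide 17."""
    if len(set(profile)) == 1 and profile[0] in NAMES:
        return NAMES[profile[0]]
    return "asymmetric " + " ".join(f"(e={e:g},s={s:g})" for e, s in profile)

if __name__ == "__main__":
    for rule in ("weakest_link", "best_shot", "total_effort", "weakest_target"):
        print(rule, "->", [describe(p) for p in pure_nash(rule, 3)] or "no pure NE")
    print("b=c=0.6 ->", [describe(p) for p in pure_nash("weakest_link", 2, b=0.6, c=0.6)])
```

With these values weakest link yields both the full-protection and full-insurance equilibria, best shot only the asymmetric one-player-protects profiles that require coordination, and weakest target no pure equilibrium at all; pricing both instruments at 0.6 leaves passivity as the only equilibrium.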

  20. Results (slide 17 repeated)

  21. Summary
     • Network security is as much about economic incentives as it is about technological mechanisms
     • It is challenging for individuals to make the right decisions regarding security
     • Solutions may include economic instruments for coordination and risk pooling; policy instruments for assignment of liability; and design principles that nudge individuals toward secure choices

  22. To Explore Further
     • http://netecon.berkeley.edu/security-economics/
     • Workshops on Economics and Information Security (WEIS)
