Secure or insure? a game-theoretic analysis of information security games

Jens Grossklags, Nicolas Christin, John Chuang

Research output: Chapter in Book/Report/Conference proceedingConference contribution

143 Scopus citations

Abstract

Despite general awareness of the importance of keeping one's system secure, and widespread availability of consumer security technologies, actual investment in security remains highly variable across the Internet population, allowing attacks such as distributed denial-of-service (DDoS) and spam distribution to continue unabated. By modeling security investment decision-making in established (e.g., weakest-link, best-shot) and novel games (e.g., weakest-target), and allowing expenditures in self-protection versus self-insurance technologies, we can examine how incentives may shift between investment in a public good (protection) and a private good (insurance), subject to factors such as network size, type of attack, loss probability, loss magnitude, and cost of technology. We can also characterize Nash equilibria and social optima for different classes of attacks and defenses. In the weakest-target game, an interesting result is that, for almost all parameter settings, more effort is exerted at Nash equilibrium than at the social optimum. We may attribute this to the "strategic uncertainty" of players seeking to self-protect at just slightly above the lowest protection level.

Original languageEnglish (US)
Title of host publicationProceeding of the 17th International Conference on World Wide Web 2008, WWW'08
PublisherAssociation for Computing Machinery
Pages209-218
Number of pages10
ISBN (Print)9781605580852
DOIs
StatePublished - Jan 1 2008
Event17th International Conference on World Wide Web 2008, WWW'08 - Beijing, China
Duration: Apr 21 2008Apr 25 2008

Publication series

NameProceeding of the 17th International Conference on World Wide Web 2008, WWW'08

Other

Other17th International Conference on World Wide Web 2008, WWW'08
CountryChina
CityBeijing
Period4/21/084/25/08

    Fingerprint

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Cite this

Grossklags, J., Christin, N., & Chuang, J. (2008). Secure or insure? a game-theoretic analysis of information security games. In Proceeding of the 17th International Conference on World Wide Web 2008, WWW'08 (pp. 209-218). (Proceeding of the 17th International Conference on World Wide Web 2008, WWW'08). Association for Computing Machinery. https://doi.org/10.1145/1367497.1367526