Uncertainty in the weakest-link security game

Jens Grossklags, Benjamin Johnson

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

16 Citations (Scopus)

Abstract

Individuals in computer networks not only have to invest to secure their private resources from potential attackers, but have to be aware of the existing interdependencies that exist with other network participants. Indeed, a user's security is frequently negatively impacted by protection failures of even just one other individual, the weakest link. In this paper, we are interested in the impact of bounded rationality and limited information on user payoffs and strategies in the presence of strong weakest-link externalities. As a first contribution, we address the problem of bounded rationality by proposing a simple but novel modeling approach. We anticipate the vast majority of users to be unsophisticated and to apply approximate decision-rules that fail to accurately appreciate the impact of their decisions on others. Expert agents, on the other hand, fully comprehend to which extent their own and others' security choices affect the network as a whole, and respond rationally. The second contribution of this paper is to address how the security choices by users are mediated by the information available on the severity of the threats the network faces. We assume that each individual faces a randomly drawn probability of being subject to a direct attack. We study how the decisions of the expert user differ if all draws are common knowledge, compared to a scenario where this information is only privately known. We further propose a metric to quantify the value of information available: the payoff difference between complete and incomplete information conditions, divided by the payoff under the incomplete information condition. We study this ratio metric graphically and isolate parameter regions where being more informed creates a payoff advantage for the expert agent.

Original language: English (US)
Title of host publication: Proceedings of the 2009 International Conference on Game Theory for Networks, GameNets '09
Pages: 673-682
Number of pages: 10
DOI: https://doi.org/10.1109/GAMENETS.2009.5137460
State: Published - Oct 20 2009
Event: 2009 International Conference on Game Theory for Networks, GameNets '09 - Istanbul, Turkey
Duration: May 13 2009 to May 15 2009

Publication series

Name: Proceedings of the 2009 International Conference on Game Theory for Networks, GameNets '09

Other

Other: 2009 International Conference on Game Theory for Networks, GameNets '09
Country: Turkey
City: Istanbul
Period: 5/13/09 to 5/15/09

Fingerprint

Computer networks
Uncertainty

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition

Cite this

Grossklags, J., & Johnson, B. (2009). Uncertainty in the weakest-link security game. In Proceedings of the 2009 International Conference on Game Theory for Networks, GameNets '09 (pp. 673-682). [5137460] (Proceedings of the 2009 International Conference on Game Theory for Networks, GameNets '09). https://doi.org/10.1109/GAMENETS.2009.5137460
@inproceedings{c8f406cfe1474bb4be77a6747a272455,
title = "Uncertainty in the weakest-link security game",
author = "Jens Grossklags and Benjamin Johnson",
year = "2009",
month = "10",
day = "20",
doi = "10.1109/GAMENETS.2009.5137460",
language = "English (US)",
isbn = "9781424441778",
series = "Proceedings of the 2009 International Conference on Game Theory for Networks, GameNets '09",
pages = "673--682",
booktitle = "Proceedings of the 2009 International Conference on Game Theory for Networks, GameNets '09",

}


TY - GEN

T1 - Uncertainty in the weakest-link security game

AU - Grossklags, Jens

AU - Johnson, Benjamin

PY - 2009/10/20

Y1 - 2009/10/20

UR - http://www.scopus.com/inward/record.url?scp=70349977415&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70349977415&partnerID=8YFLogxK

U2 - 10.1109/GAMENETS.2009.5137460

DO - 10.1109/GAMENETS.2009.5137460

M3 - Conference contribution

AN - SCOPUS:70349977415

SN - 9781424441778

T3 - Proceedings of the 2009 International Conference on Game Theory for Networks, GameNets '09

SP - 673

EP - 682

BT - Proceedings of the 2009 International Conference on Game Theory for Networks, GameNets '09

ER -
