
Page 1: Network Security An Economics Perspective IS250 Spring 2010 John Chuang

Network Security: An Economics Perspective

IS250, Spring 2010

John Chuang

Page 2

Rational Decision-Making in Information Security

Step 1. One defender
- Security investment as risk management
- Cost-benefit analysis; expected value
- Risk attitudes and deviations from expected utility

Step 2. Many defenders
- Interdependent security: weakest link, best shot, and total effort

Step 3. Many forms of attacks and defenses
- Weakest target
- Protection versus insurance (public versus private goods)
- Limited information

Page 3

How Secure is Secure?

Are we investing too little in security? Are we investing too much?

Security investment as risk management
- In traditional engineering: Risk = probability of accident * losses per accident
- Risk can be interpreted as expected loss
- Perform cost-benefit analysis of risk-mitigation alternatives
- Example: highway safety regulation often uses $1 million per statistical death in its analysis

Page 4

Cost-Benefit Analysis

Scenario 1: A new technology promises to fix a vulnerability
- Loss in event of security breach: L
- Probability of breach: p
- Cost of security mechanism: c
- Q: should the CSO invest in the security mechanism?
- A: invest if pL > c; else do not invest

Scenario 2: A webpage asks you to type in your social security number
- Value derived from completing this transaction: v
- Probability of theft: p
- Loss in event of identity theft: L
- Q: should you enter the information?
- A: provide the personal information if v > pL; else do not

What assumptions are made here?

Page 5

Challenges

Difficulty in risk assessment
- Especially for events with very low probability (p) and/or very high loss (L)
- p*L may be off by orders of magnitude

Users may not (want to) maximize expected utility
- Risk attitudes: risk neutral, risk averse, or risk seeking
- Hyperbolic discounting: small immediate payoff preferred over large payoff in the future
- Framing and Prospect Theory

Page 6

Risk Attitude

Offer 1:
- Choice 1: win $10 with certainty
- Choice 2: 50% chance of winning $20

Offer 2:
- Choice 1: win $1 million with certainty
- Choice 2: 50% chance of winning $2 million

Page 7

Hyperbolic Discounting

Discounted utility, U = t·ut(x) where is discount factor

Would you prefer $50 today, or $100 a year from today? Would you prefer $50 five years from now, or $100 six years from now?

Humans prefer smaller payoffs immediately over larger payoffs in the future
- Or: unwilling to make sacrifices now for payoffs down the road

Privacy: humans often give away personal information in exchange for small discounts or prizes
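The two questions on this slide are the standard test for time-inconsistent preferences: a constant per-period discount factor ranks "$50 now vs. $100 in a year" and "$50 in five years vs. $100 in six" the same way, whereas a hyperbolic weighting can flip between them. The script below is an added illustration, not part of the slides; the hyperbolic form 1/(1 + k·t), the parameter values (delta = 0.6, k = 1.5) and the function names are this example's assumptions.

```python
"""Exponential versus hyperbolic discounting on the slide's two questions (added example)."""


def exponential_discount(t, delta=0.6):
    # Constant per-period factor delta: weight of a payoff t years away (delta assumed here).
    return delta ** t


def hyperbolic_discount(t, k=1.5):
    # One common hyperbolic form, 1 / (1 + k t); k is chosen for this example.
    return 1.0 / (1.0 + k * t)


def preferred(discount, sooner, later):
    """Return which of two (amount, delay_in_years) options has the larger discounted value."""
    (s_amt, s_t), (l_amt, l_t) = sooner, later
    if s_amt * discount(s_t) >= l_amt * discount(l_t):
        return "small-sooner"
    return "large-later"


def consistency(discount):
    """Answer the slide's two questions: the choice today and the same choice five years out.

    An exponential discounter gives the same answer to both; a hyperbolic
    discounter can prefer the immediate $50 now yet the $100 when both are far away.
    """
    now = preferred(discount, sooner=(50, 0), later=(100, 1))
    shifted = preferred(discount, sooner=(50, 5), later=(100, 6))
    return now, shifted


if __name__ == "__main__":
    print("exponential:", consistency(exponential_discount))
    print("hyperbolic: ", consistency(hyperbolic_discount))
```

With the values assumed here the exponential discounter picks the $100 in both questions, while the hyperbolic discounter takes the $50 today but the $100 when the same pair is pushed five years out, which is the preference reversal behind "unwilling to make sacrifices now for payoffs down the road".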

Page 8

Prospect Theory (Kahneman and Tversky)

Gains:
- Choice 1: win $500 with certainty
- Choice 2: 50% chance of winning $1000
- 84% chose Choice 1

Losses:
- Choice 1: lose $500 with certainty
- Choice 2: 50% chance of losing $1000
- 70% chose Choice 2

Page 9

Asian Disease Experiment (Kahneman and Tversky)

Imagine that the U.S. is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people.

Framing 1:
- Program A: 200 people will be saved
- Program B: 33% chance all 600 people will be saved; 67% chance nobody will be saved
- 72% chose Program A

Framing 2:
- Program A: 400 people will die
- Program B: 33% chance nobody will die; 67% chance all 600 people will die
- 78% chose Program B

Page 10

WTA-WTP Gap

WTA: willingness to accept a proposal to sell a good already owned
WTP: willingness to pay for a good not already owned

Privacy study:
- "When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information" (Grossklags & Acquisti, 2007)
- Finding: subjects willing to sell personal information for $1/$0.25, but not willing to spend $1/$0.25 to protect the information
- Information: quiz performance, body weight

Page 11

Rational Decision-Making in Information Security

Step 1. One defender
- Security investment as risk management
- Cost-benefit analysis; expected value
- Risk attitudes and deviations from expected utility

Step 2. Many defenders
- Interdependent security: weakest link, best shot, and total effort

Step 3. Many forms of attacks and defenses
- Weakest target
- Protection versus insurance (public versus private goods)
- Limited information

Page 12

Interdependent Security

Common adage: "A system is only as secure as its weakest link"
- Security of the entire system depends on that of individual components
- Security of individual players depends on the security decisions of other players

[Figure: an attacker facing a set of defenders under the best shot, total effort, and weakest link structures]

Page 13

Interdependent Security

Utility function of player i: U_i = M − p·L·(1 − H(e_i, e_−i)) − b·e_i
- where M is the initial endowment, b is the cost of protection, e_i is the protection level chosen by player i, and H is the protection function

Different protection functions for different attack/defense scenarios:
- Weakest link: H(e_i, e_−i) = min(e_i, e_−i)
- Best shot: H(e_i, e_−i) = max(e_i, e_−i)
- Total effort: H(e_i, e_−i) = Σ_i e_i

Varian, 2002: Security becomes a public good
- Well-known result: free-riding, leading to suboptimal provisioning of the public good

Page 14

Rational Decision-Making in Information Security

Step 1. One defender
- Security investment as risk management
- Cost-benefit analysis; expected value
- Risk attitudes and deviations from expected utility

Step 2. Many defenders
- Interdependent security: weakest link, best shot, and total effort

Step 3. Many forms of attacks and defenses
- Weakest target
- Protection versus insurance (public versus private goods)
- Limited information

Page 15

Protection vs. Insurance

Individual players may invest in protection to reduce the probability of loss (p)
- Examples: firewall, anti-virus software, patching

Individual players may invest in insurance to reduce the magnitude of loss (L)
- Examples: data backup (self-insurance), cyber-insurance (market insurance)

Page 16

Protection vs. Insurance

Protection only: U_i = M − p·L·(1 − H(e_i, e_−i)) − b·e_i

Insurance only: U_i = M − p·L·(1 − s_i) − c·s_i

Both available: U_i = M − p·L·(1 − H(e_i, e_−i))·(1 − s_i) − b·e_i − c·s_i

where M is the initial endowment, b is the cost of protection, c is the cost of insurance, e_i and s_i are the protection and insurance levels chosen by player i, and H is the protection function

Q: How should a player allocate budget between e_i (protection) and s_i (insurance)?

Note: protection is a public good, whereas insurance is a private good

Page 17

Results

Total effort:
- Depending on b, c, and p·L, Nash equilibria can be to secure (full protection), to insure (full insurance), or to ignore (passivity)

Best shot:
- No protection equilibrium, unless players can coordinate

Weakest link:
- Depending on b, c, and p·L, Nash equilibria can be to secure (multiple protection equilibria, all unstable), to insure (full insurance), or to ignore (passivity)
- As N increases, protection equilibria collapse to either full insurance or passivity

Weakest target:
- Pure NE does not exist; mixed NE exists
- As N increases, full insurance becomes less likely
- Security level in NE may be higher than in the social optimum, due to the effect of strategic uncertainty

Page 18

In the Lab Setting…

Three players choose protection and insurance levels
- Payoffs based on the weakest link game

Player A experimented throughout

Player B quickly learns and settles into the individually rational strategy (full insurance, no protection); reinforced by a compromise at around round 65

Player C largely settles into the individually rational strategy after round 50

Page 19

Weakest Target

Attacker compromises the player(s) with the minimum protection level; all other players are unharmed
- H(e_i, e_−i) = 0 if e_i = min(e_i, e_−i); 1 otherwise

[Figure: an attacker facing a set of defenders]
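The utility functions on pages 13 and 16, the equilibrium results on page 17, and the weakest-target protection function above can all be checked mechanically on a small grid. The script below is an added example, not part of the slides or of the papers they draw on: it enumerates the pure-strategy Nash equilibria of the combined protection-and-insurance game for three players under the weakest link, best shot, total effort and weakest target structures, with each player's protection level restricted to {0, 1/2, 1} and insurance to {0, 1}. The grid, the parameter values (M = 10, p·L = 1, b = 0.3, c = 0.6), the choice of the average rather than the raw sum for total effort (so that H stays in [0, 1]) and every function name are this example's assumptions. With these values, weakest link and total effort each have a full-protection and a full-insurance equilibrium; best shot only has equilibria in which exactly one player protects and the other two free-ride, and reaching one of them needs agreement on who protects, which is the coordination page 17 refers to; weakest target has no pure equilibrium at all; and lowering p·L below both costs leaves passivity as the only outcome.

```python
"""Best responses and pure Nash equilibria of the protection-vs-insurance game (added example)."""
from fractions import Fraction as F
from itertools import product

# Action grid per player: protection level e and insurance level s (assumed for this example).
# Fractions keep payoff comparisons exact, so equilibrium checks never hinge on float rounding.
E_LEVELS = [F(0), F(1, 2), F(1)]
S_LEVELS = [F(0), F(1)]
ACTIONS = [(e, s) for e in E_LEVELS for s in S_LEVELS]


def protection_function(kind, i, levels):
    """H(e_i, e_-i) for player i, given every player's protection level."""
    if kind == "weakest link":
        return min(levels)
    if kind == "best shot":
        return max(levels)
    if kind == "total effort":
        # Average rather than the raw sum (this example's choice) so that H stays within [0, 1].
        return sum(levels) / len(levels)
    if kind == "weakest target":
        # The least-protected player(s) are compromised; everyone else is unharmed.
        return F(0) if levels[i] == min(levels) else F(1)
    raise ValueError(f"unknown protection function: {kind}")


def utility(kind, i, profile, M, pL, b, c):
    """U_i = M - pL(1 - H)(1 - s_i) - b e_i - c s_i, where pL is the expected loss p*L."""
    e_i, s_i = profile[i]
    H = protection_function(kind, i, [e for e, _ in profile])
    return M - pL * (1 - H) * (1 - s_i) - b * e_i - c * s_i


def best_responses(kind, i, profile, M, pL, b, c):
    """Actions of player i that maximise U_i while the other players' actions stay fixed."""
    payoffs = {}
    for action in ACTIONS:
        trial = list(profile)
        trial[i] = action
        payoffs[action] = utility(kind, i, tuple(trial), M, pL, b, c)
    top = max(payoffs.values())
    return {a for a, u in payoffs.items() if u == top}


def pure_nash_equilibria(kind, n, M, pL, b, c):
    """Every pure-strategy profile in which each player is already best-responding."""
    return [
        profile
        for profile in product(ACTIONS, repeat=n)
        if all(profile[i] in best_responses(kind, i, profile, M, pL, b, c) for i in range(n))
    ]


def label(action):
    """Readable names for the corner actions the slides discuss; other grid points stay numeric."""
    names = {(F(1), F(0)): "protect", (F(0), F(1)): "insure", (F(0), F(0)): "passive"}
    return names.get(action, f"e={action[0]},s={action[1]}")


def equilibrium_labels(kind, n=3, M=10, pL=1, b="3/10", c="6/10"):
    """Sorted list of equilibria, each as a tuple of per-player action labels.

    Parameters may be ints, floats or strings such as "1/5"; all are converted to Fractions.
    """
    M, pL, b, c = (F(x) for x in (M, pL, b, c))
    return sorted(tuple(label(a) for a in p) for p in pure_nash_equilibria(kind, n, M, pL, b, c))


if __name__ == "__main__":
    for kind in ("weakest link", "best shot", "total effort", "weakest target"):
        print(f"{kind:15s} (pL=1, b=0.3, c=0.6) ->", equilibrium_labels(kind))
    # With the expected loss below both the protection and insurance cost, nobody invests.
    print("weakest link    (pL=0.2)             ->", equilibrium_labels("weakest link", pL="1/5"))
```

Running the file prints the equilibrium set for each structure. The exact rational arithmetic matters more than it looks: an equilibrium check asks whether a player is indifferent between two actions, and the collapse of the weakest-link protection equilibria as N grows (page 17) is driven by exactly such knife-edge comparisons, so the enumeration should not depend on floating-point rounding.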


Page 21

Summary

Network security is as much about economic incentives as it is about technological mechanisms

It is challenging for individuals to make the right decisions regarding security

Solutions may include economic instruments for coordination, risk pooling; policy instruments for assignment of liability; and design principles that nudge individuals toward secure choices

Page 22

To Explore Further

http://netecon.berkeley.edu/security-economics/

Workshops on Economics and Information Security (WEIS)