Network Security An Economics Perspective IS250 Spring 2010 John Chuang.

Slide 2: Rational Decision-Making in Information Security
- Step 1. One defender
  - Security investment as risk management
  - Cost-benefit analysis; expected value
  - Risk attitudes and deviations from expected utility
- Step 2. Many defenders
  - Interdependent security: weakest link, best shot, and total effort
- Step 3. Many forms of attacks and defenses
  - Weakest target
  - Protection versus insurance (public versus private goods)
  - Limited information

Slide 3: How Secure is Secure?
- Are we investing too little in security? Are we investing too much?
- Security investment as risk management
  - In traditional engineering: Risk = probability of accident × losses per accident
  - Risk can be interpreted as expected loss
  - Perform cost-benefit analysis of risk-mitigation alternatives
  - Example: highway safety regulation often uses $1 million per statistical death in analysis

Slide 4: Cost-Benefit Analysis
- Scenario 1:
  - New technology promises to fix a vulnerability
  - Loss in event of security breach: L
  - Probability of breach: p
  - Cost of security mechanism: c
  - Q: Should the CSO invest in the security mechanism?
  - A: Invest if pL > c; else do not invest
- Scenario 2:
  - Webpage asks you to type in your social security number
  - Value derived from completing this transaction: v
  - Probability of theft: p
  - Loss in event of identity theft: L
  - Q: Should you enter the information?
  - A: Provide personal information if v > pL; else do not
- What assumptions are made here?

Slide 5: Challenges
- Difficulty in risk assessment
  - Especially for events with very low probability (p) and/or very high loss (L)
  - p·L may be off by orders of magnitude
- Users may not (want to) maximize expected utility
  - Risk attitudes: risk neutral, risk averse, or risk seeking
  - Hyperbolic discounting: small immediate payoff preferred over large payoff in the future
  - Framing and prospect theory

Slide 6: Risk Attitude
- Offer 1:
  - Choice 1: win $10 with certainty
  - Choice 2: 50% chance of winning $20
- Offer 2:
  - Choice 1: win $1 million with certainty
  - Choice 2: 50% chance of winning $2 million

Slide 7: Hyperbolic Discounting
- Discounted utility: U = Σ_t δ^t · u_t(x), where δ is the discount factor
- Would you prefer $50 today, or $100 a year from today?
- Would you prefer $50 five years from now, or $100 six years from now?
- Humans prefer smaller payoffs immediately over larger payoffs in the future
  - Or: unwilling to make sacrifices now for payoffs down the road
- Privacy: humans often give away personal information in exchange for small discounts or prizes

Slide 8: Prospect Theory (Kahneman and Tversky)
- Gains:
  - Choice 1: win $500 with certainty
  - Choice 2: 50% chance of winning $1000
- Losses:
  - Choice 1: lose $500 with certainty
  - Choice 2: 50% chance of losing $ % 70%

Slide 9: Asian Disease Experiment (Kahneman and Tversky)
- Imagine that the U.S. is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people.
- Framing 1:
  - Program A: 200 people will be saved (chosen by 72%)
  - Program B: 33% chance all 600 people will be saved; 67% chance nobody will be saved
- Framing 2:
  - Program A: 400 people will die
  - Program B: 33% chance nobody will die; 67% chance all 600 people will die (chosen by 78%)

Slide 10: WTA-WTP Gap
- WTA: willingness to accept a proposal to sell a good already owned
- WTP: willingness to pay for a good not already owned
- Privacy study: "When 25 Cents is too much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information" (Grossklags & Acquisti, 2007)
- Finding: subjects willing to sell personal information for $1/$0.25, but not willing to spend $1/$0.25 to protect the information
  - Information: quiz performance, body weight

Slide 12: Interdependent Security
- Common adage: "A system is only as secure as its weakest link"
  - Security of the entire system depends on that of individual components
  - Security of individual players depends on the security decisions of other players
- (Figure: one attacker facing several defenders under the best shot, total effort, and weakest link models)

Slide 13: Interdependent Security
- Utility function of player i: U_i = M − p·L·(1 − H(e_i, e_−i)) − b·e_i
  - where M is the initial endowment, b is the cost of protection, e_i is the protection level chosen by player i, and H is the protection function
- Different protection functions for different attack/defense scenarios:
  - Weakest link: H(e_i, e_−i) = min(e_i, e_−i)
  - Best shot: H(e_i, e_−i) = max(e_i, e_−i)
  - Total effort: H(e_i, e_−i) = Sum(e_i)
- Varian, 2002: security becomes a public good
  - Well-known result: free-riding, leading to suboptimal provisioning of the public good

Slide 15: Protection vs. Insurance
- Individual players may invest in protection to reduce the probability of loss (p)
  - Examples: firewall, anti-virus software, patching
- Individual players may invest in insurance to reduce the magnitude of loss (L)
  - Examples: data backup (self-insurance), cyber-insurance (market insurance)

Slide 16: Protection vs. Insurance
- Protection only: U_i = M − p·L·(1 − H(e_i, e_−i)) − b·e_i
- Insurance only: U_i = M − p·L·(1 − s_i) − c·s_i
- Both available: U_i = M − p·L·(1 − H(e_i, e_−i))·(1 − s_i) − b·e_i − c·s_i
- where M is the initial endowment, b is the cost of protection, c is the cost of insurance, e_i and s_i are the protection and insurance levels chosen by player i, and H is the protection function
- Q: How should a player allocate budget between e_i (protection) and s_i (insurance)?
- Note: protection is a public good, whereas insurance is a private good

Slide 17: Results
- Total effort:
  - Depending on b, c, and p·L, Nash equilibria can be to secure (full protection), to insure (full insurance), or to ignore (passivity)
- Best shot:
  - No protection equilibrium, unless players can coordinate
- Weakest link:
  - Depending on b, c, and p·L, Nash equilibria can be to secure (multiple protection equilibria, all unstable), to insure (full insurance), or to ignore (passivity)
  - As N increases, protection equilibria collapse to either full insurance or passivity
- Weakest target:
  - Pure NE does not exist; mixed NE exists
  - As N increases, full insurance becomes less likely
  - Security level in NE may be higher than in the social optimum, due to the effect of strategic uncertainty

Slide 18: In the Lab Setting…
- Three players choose protection and insurance levels
  - Payoffs based on the weakest link game
- Player A experimented throughout
- Player B quickly learns and settles into the individually rational strategy (full insurance, no protection); reinforced by a compromise at around round 65
- Player C largely settles into the individually rational strategy after round 50

Slide 19: Weakest Target
- Attacker compromises the player(s) with the minimum protection level; all other players are unharmed
  - H(e_i, e_−i) = 0 if e_i = min(e_i, e_−i); 1 otherwise
- (Figure: one attacker facing several defenders)

Slide 20: Weakest Target with Mitigation
- Attacker compromises the player(s) with the minimum protection level; all other players are unharmed
  - H(e_i, e_−i) = 0 if e_i = min(e_i, e_−i); 1 otherwise
- Weakest target with mitigation:
  - H(e_i, e_−i) = 1 − e_i if e_i = min(e_i, e_−i); 1 otherwise
- (Figure: one attacker facing several defenders)
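The utility function of slides 13 and 16 together with the protection functions of slides 13 and 19, as an added example that is not part of the original slides: it evaluates U_i on a discrete grid of (e_i, s_i) choices and tests whether a strategy profile is a Nash equilibrium by checking every player's unilateral best response, which reproduces the qualitative findings of slide 17 for two players. The parameter values, the grid resolution, and the normalisation of total effort by N are assumptions of this example.

```python
from itertools import product

# Constructed parameters, not from the slides: expected loss p*L = 5,
# protection costs b = 2 per unit of e_i, insurance costs c = 3 per unit of s_i.
PARAMS = {"M": 10.0, "p": 0.5, "L": 10.0, "b": 2.0, "c": 3.0}

# Protection functions H(e_i, e_-i) from slides 13 and 19; e is the full vector.
def weakest_link(e, i):
    return min(e)
def best_shot(e, i):
    return max(e)
def total_effort(e, i):
    # Slide 13 writes Sum(e_i); dividing by N is an assumption so that H stays in [0, 1].
    return sum(e) / len(e)
def weakest_target(e, i):
    # Only the player(s) at the minimum protection level are compromised.
    return 0.0 if e[i] == min(e) else 1.0

def utility(i, e, s, H, P=PARAMS):
    """Slide 16, both instruments: U_i = M - p*L*(1 - H)*(1 - s_i) - b*e_i - c*s_i."""
    loss = P["p"] * P["L"] * (1.0 - H(e, i)) * (1.0 - s[i])
    return P["M"] - loss - P["b"] * e[i] - P["c"] * s[i]

def best_response_payoff(i, e, s, H, P=PARAMS, steps=4):
    """Best payoff player i can reach by changing only (e_i, s_i) on a grid."""
    grid = [k / steps for k in range(steps + 1)]
    best = float("-inf")
    for ei, si in product(grid, grid):
        e2, s2 = list(e), list(s)
        e2[i], s2[i] = ei, si
        best = max(best, utility(i, e2, s2, H, P))
    return best

def is_nash(e, s, H, P=PARAMS, steps=4):
    """True if no player can gain by a unilateral deviation on the grid."""
    return all(best_response_payoff(i, e, s, H, P, steps) <= utility(i, e, s, H, P) + 1e-9
               for i in range(len(e)))

def pure_nash_profiles(H, n=2, P=PARAMS, steps=4):
    """Enumerate every pure-strategy grid equilibrium for n players."""
    grid = [k / steps for k in range(steps + 1)]
    return [(e, s) for e in product(grid, repeat=n) for s in product(grid, repeat=n)
            if is_nash(list(e), list(s), H, P, steps)]

if __name__ == "__main__":
    print("weakest link, full insurance is NE:", is_nash([0, 0], [1, 1], weakest_link))
    print("best shot, full protection is NE:", is_nash([1, 1], [0, 0], best_shot))
    print("weakest target, pure NE profiles:", pure_nash_profiles(weakest_target))
```

With these parameters the weakest link game has both a full-protection and a full-insurance equilibrium, best shot has no protection equilibrium, and the weakest target game has no pure equilibrium at all, matching slide 17.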

Slide 22: Summary
- Network security is as much about economic incentives as it is about technological mechanisms
- It is challenging for individuals to make the right decisions regarding security
- Solutions may include economic instruments for coordination and risk pooling; policy instruments for assignment of liability; and design principles that nudge individuals toward secure choices

Slide 23: To Explore Further
- economics/
- Workshops on Economics and Information Security (WEIS)