1. Learning about Protecting Distributed Infrastructure from Behavioral Economists
Saurabh Bagchi
ECE & CS, Purdue University
Joint work with:
ECE: Shreyas Sundaram, Mustafa Abdallah
Economics: Tim Cason, Daniel Woods
Supported by NSF SaTC grant CNS ( )

2. Security is Only Too Human
Security of large-scale systems (such as the power grid, industrial plants, and communication and computer networks) depend critically on human decisions
A few thousand papers on optimal decision making for protecting interconnected systems
But relies on classical economic models of perfectly rational and optimal behavior for human decision-makers
But behavioral economics shows humans are only partly rational and thus, consistently deviate from the above-mentioned classical models.
3: Or assumes some algorithm makes all the decisions. However, large-scale security decisions almost always involve humans.

3. Behavioral Weighting Function
Human perceptions of rewards and losses can differ substantially from their true values
These perceptions can have a significant impact on the investments made to protect the systems that the individuals are managing.
Humans overweight low attack probabilities and underweight large attack probabilities.
Example: Prelec [1998] weighting function:
𝑤 𝑥 = exp − − ln (𝑥) α
where parameter α ∈ 0,1 .
When α = 1 this is rational behavior. The smaller is α, the greater is the degree of bias.
Cross over happens at 1/e = 0.37

4. What’s Nobel Got to Do With It?
Daniel Kahneman (2002 Economics Nobel Laureate): Prospect theory as a model of decision making under risk, as a counterpoint to expected utility theory
Richard Thaler (2017 Economics Nobel Laureate): “I discovered the presence of human life in a place not far, far away, where my fellow economists thought it did not exist: the economy.”
2015 film The Big Short, in which Richard Thaler and Selena Gomez explain synthetic CDOs
He has been aware that he was considered heretical flying in the face of well-accepted economic theory. But it is now considered niche mainstream.

5. Our Research Direction
Game-theoretic framework involving attack graph models of large-scale interdependent systems and multiple defenders
Each human defender misperceives the probabilities of successful attack in the attack graph
We characterize impacts of such misperceptions on the security investments made by each defender
Attacker A
𝑢 𝑗
𝑢 𝑖
Defender 2
The cost of a defender 𝐷 𝑘 is:
𝐶 𝑘 x ≜ 𝑢 𝑚 ∈ 𝑉 𝑘 𝐿 𝑚 max 𝑃∈ ℙ 𝑚 𝑢 𝑖 , 𝑢 𝑗 ∈𝑃 𝒘(𝑝 𝑖,𝑗 (x))
Defender 1
𝐿 𝑖
The defender Dk will invest to minimize his cost. Summed over all his crown jewels.
𝑝 𝑖,𝑗
Defender 3

6. Initial Observations
Both games (vertex based and path based) have Convex cost function given a convex decreasing probability function
Both games have a Pure Nash Equilibrium (PNE) state
In each game, we can compute the best response by solving a convex optimization problem
They have different investment decisions than standard security game which maximizes expected utility
A rational player can benefit from a biased player
Both players rational
Player 2 biased
0.696 2 3
2.081 2 3
1.278
0.4254
2.719
L2 = 200
L2 = 200
1.516 1 1
1.974 5 6
0.4254 5 6 4
19.2 4
7.5924
L1 = 200
1.516
8.576
Overall Loss =
L1 = 200
Overall Loss =