1. Risk Models and Controlled Mitigation of IT Security R. Ann Miura-Ko Stanford University February 27, 2009

2. Malicious Attackers Denial of Service Viruses and Worms Data sniffing / spoofing Unauthorized Access Malware / Trojans Port scanning Defenders Attackers and Defenders Policies Firewalls Intrusion Detection Anti-Virus Software Authentication / Authorization Encryption Backup / Redundancy

3. Thesis Overview Mathematical modeling of IT Risk encompasses a large and relatively uncharted territory Modeled selected anchor points within the space focused on different levels of decision making: Inter-Organization and Industry level Investments Enterprise level resource allocation Physical layer control How do organizations invest their limited resources given the relationships they have with one another? Given an IT budget, how should a manager spend those resources over time? How do you design the physical infrastructure to meet reliability and security requirements?

4. Motivating Example: Web Authentication Same / similar username and password for multiple sites Security not equally important to all sites Shared risk for all

5. Literature Background Interdependent Security ▫ IT Security Leads to Externalities: Camp (2004) ▫ Tipping Point for Investments: Kunreuther and Heal (2003) ▫ Free Riding: Varian (2004) Network Game Theory ▫ Network Games: Galeotti et al. (2006) ▫ Linear Influence Network Games: Balleste and Calvo- Armengol (2007)

6. Model Fundamentals Companies make investments in security Companies have complex interdependencies ▫ Complementarities and competition ▫ Leads to positive and negative interactions Who invests and how much? Can we improve this equilibrium? What does the model say about policy?

7. Network Model Network = Directed Graph ▫ Nodes = Decision making agents ▫ Links = influence / interaction ▫ Weights = degree of influence -.1.2.1

8. -.1.1.2.1.2.1.2.1 Incentive Model Each agent, i, selects investment, x i Security of i determined by total effective investment: Benefit received by agent i: Cost of investment: Net benefit:

9. How will agents react? Single stage game of complete information All agents maximize their utility function: b i is where the marginal cost = marginal benefit for agent i ViVi xixi slope = c i bibi If neighbor’s contribution > b i, x i =0 If neighbor’s contribution < b i, x i = difference

10. What is an equilibrium? Nash Equilibrium ▫ Stable point (vector of investments) at which no agent has incentive to change their current strategy ▫ This happens when: ▫ Leverage Linear Complementarity literature

11. Existence and Uniqueness Proposition 1: If W is strictly diagonally dominant,, then there exists a unique Nash Equilibrium for the proposed game Proof: Follows from standard LCP results which states that any P matrix (one with positive principal minors) will have a unique solution to the optimization problem. We simply show that a W matrix is a P matrix.

12. Convergence Proposition 2: If W is strictly diagonally dominant,, then asynchronous best response dynamics converges to the unique Nash Equilibrium from any starting point x(0)>0. The best response dynamics are described by: Proof: Follows from standard LCP results which provides a synchronous algorithm. Using the Asynchronous Convergence Theorem (Bertsekas), we can establish that the ABRD also converges

13. Contribution of player i if all players are isolated Contribution of player i in networked environment Investment made by i with no neighbors Impact of neighbors’ investments Free Riding One measure of contribution relative to what they need, free riding index: Another measure of relative contribution allows for network effects to be taken into account, fair share index:

14. Web Authentication Example Utility function: -.1.1.2.1.2.1.2.1 -.1.2.1

15. Improving the Equilibrium Theorem 1: Suppose x i > 0 and x j > 0 for some i≠j. Then, there exists continuous trajectories, W(t) = (w kl (t)) and x ∗ (t) = (x k (t)) with t ∈ [0, T ] such that: 1. x ∗ (0) = x ∗, W(0) = W 2. x ∗ (t) is the (unique) equilibrium under W(t) ∀ t 3. x i (t) and x j (t) are strictly decreasing in t 4. x k (t) is constant for all k ∉ {i, j} and all t 5. W(t) is component-wise differentiable and increasing in t (weakly, in magnitude)

16. Improving the Equilibrium Proof sketch of Theorem 1: ▫ Observe: if the effective investments over the purple links are not changed, the investments in Group B will not change 5 5 6 6 3 3 2 2 4 4 1 1 Group A Group B ▫ Pick 2 nodes: i,j ▫ For k ∉ {i.j}

17. Improvements to Equilibrium A linear increase in the strength of the links results in a nonlinear decrease in investments between nodes 1 and 2

18. Qualitative Implications For web authentication: ▫ Should high risk organizations subsidize the IT budgets of low risk organizations (e.g. Citibank works with non-profits to aid their authentication efforts)? ▫ Should government label websites by risk factor so users know which sites they can safely group together with a single password?