
1 Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information. Benjamin Johnson, Carnegie Mellon University. TRUST, November 11, 2010. Benjamin Johnson, Jens Grossklags, Nicolas Christin, and John Chuang. Published in: Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS), September 20-22, 2010, Athens, Greece.

2 Security Experts a picture of dawn http://www.cs.berkeley.edu/~daw/

3 Security Experts Real security experts are multifaceted. This paper considers as “security experts” users who understand the interdependent nature of risks associated with various security scenarios. We assume generally that they are selfish. As to the usefulness of real security experts, we defer this study to future work.

4 Outline: Overview; Security Games; Methodology; Results; Implications; Related Work

5 Overview Research Question: To what extent does information security expertise help to make a network more secure? We address this question in a game-theoretic context using a stylized model from our prior work. We consider three distinct types of n-player security games, in each case expressing the expected security level of the network in terms of the number of (selfish) expert players. We find that, in all the games we studied, the addition of (selfish) experts to the user population reduces the overall security of the network. On the other hand, cooperative experts dramatically increase the overall security of the network.

6 Security Games The Game Framework: There are n players. Player i chooses a protection level e_i from [0,1], and consequently achieves the following utility: b is the cost of a full protection investment (common knowledge to all players); L_i is the expected loss suffered by player i if a successful attack occurs (considered to be private knowledge to player i under conditions of limited information); H is a joint contribution function that defines how aggregate protection investments among all players mitigate against expected losses (known to expert players).

7 Security Games Three types of interdependency: best shot, weakest link, total effort

8 Security Games Expert vs naive players Expert players know the contribution function H and understand its effects. Naive players are myopic; they behave as if

9 Security Games Complete vs incomplete information An expert with complete information knows the expected losses for all players. An expert with incomplete information knows her own expected loss L_i but does not know the expected losses of other players. Experts assume that expected losses are independently and uniformly distributed in [0,1].

10 Methodology The question: to what extent does information security expertise help to make a network more secure? The methodology: For each game and information condition, we derive conditions for existence of symmetric (Bayesian) Nash equilibria as a function of the protection cost b and the number of expert players k. Where these equilibrium conditions are met, we compute expected utilities for all players, as well as the overall security outcome. Finally, we determine the configuration yielding the expected social optimum, and we propose a system of side payments between experts to facilitate this configuration.

11 Results In the Best Shot game, experts have a strong incentive to free-ride (Tragedy of the commons). Adding experts decreases the likelihood that the network is protected. (b = protection cost)

12 Results Protection equilibria in the Weakest Link game only exist when protection costs are small; and the problem is exacerbated by the addition of expert players. (b = protection cost)

13 Results In the Total Effort game, the individual benefit of an investment is always proportional to a 1/N fraction of the investment’s cost, regardless of the actions of other players. Experts understand this feature and consequently do not protect unless protection costs are low. (b = protection cost)
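
Added example (not from the slides or the paper): a short Python model of the Total Effort result above, showing how the expected security level falls as naive players are replaced by selfish experts. It assumes a utility of the form -L_i(1 - H) - b*e_i with H the average protection level, losses uniform on [0,1], and a naive rule of protecting whenever L_i > b; these forms and all function names are assumptions made for illustration.

```python
import random

# Assumed model: U_i = -L_i * (1 - H) - b * e_i, H = mean of all e_j,
# e_i in {0, 1}, L_i drawn independently and uniformly from [0, 1].

def expert_protects(loss, b, n):
    # Raising e_i from 0 to 1 lifts H by 1/n, so it cuts the player's own
    # expected loss by loss/n and costs b, whatever the other players do.
    return loss / n > b

def naive_protects(loss, b):
    # Assumed myopic rule: compare own loss to cost and ignore H.
    return loss > b

def expected_security(n, k, b):
    """Closed-form E[H] with k experts among n players."""
    p_expert = max(0.0, 1.0 - b * n)   # P(L_i > b*n)
    p_naive = max(0.0, 1.0 - b)        # P(L_i > b)
    return (k * p_expert + (n - k) * p_naive) / n

def simulate_security(n, k, b, rounds=20000, seed=1):
    """Monte Carlo estimate of E[H]; players 0..k-1 are the experts."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(rounds):
        protected = 0
        for i in range(n):
            loss = rng.random()
            if i < k:
                protected += expert_protects(loss, b, n)
            else:
                protected += naive_protects(loss, b)
        total += protected / n
    return total / rounds

if __name__ == "__main__":
    n, b = 6, 0.1   # constructed sample parameters
    print("experts  closed-form  simulated")
    for k in range(n + 1):
        print(k, round(expected_security(n, k, b), 3),
              round(simulate_security(n, k, b), 3))
```

With these sample parameters every expert who replaces a naive player lowers the expected security level, and once b*n reaches 1 the experts never protect at all.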

14 Implications (In several contexts), security experts are useful when (and only when) they collaborate. When security is divided among independent agencies, it is important to develop mechanisms for facilitating interagency collaboration. User education should focus on the collaborative nature of security.

15 Related Publications J. Grossklags, N. Christin, and J. Chuang. Secure or Insure? A Game-Theoretic Analysis of Information Security Games. WWW'08. J. Grossklags, B. Johnson. Uncertainty in The Weakest Link Security Game. GAMENETS '09. J. Grossklags, B. Johnson and N. Christin. When Information Improves Information Security. FC’10. J. Grossklags, B. Johnson and N. Christin. The Price of Uncertainty in Security Games. WEIS’09/SPRINGER’10. B. Johnson, J. Grossklags, N. Christin and J. Chuang. Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information. ESORICS’10. B. Johnson, J. Grossklags, N. Christin and J. Chuang. Uncertainty in Interdependent Security Games. GAMESEC’10.

16 Questions? This research was partially supported by CyLab at Carnegie Mellon under grant DAAD19-02-1-0389 from the Army Research Office, and by the National Science Foundation under ITR award CCF-0424422 (TRUST).

