Secure or insure?: a game-theoretic analysis of information security games

Authors: Jens Grossklags, Nicolas Christin, John C.-I. Chuang
Despite general awareness of the importance of keeping one's system secure, and widespread availability of consumer security technologies, actual investment in security remains highly variable across the Internet population, allowing attacks such as distributed denial-of-service (DDoS) and spam distribution to continue unabated. By modeling security investment decision-making in established (e.g., weakest-link, best-shot) and novel games (e.g., weakest-target), and allowing expenditures in self… 
Applications of game theory in information security
Game theory is used to study strategies and economic incentives of participants in security problems, e.g., attackers and defenders, to provide useful insights about the trend of behaviours/decisions these participants should take, thus helping future research or realistic solution design.
Can Competitive Insurers Improve Network Security?
Although cyber-insurance improves user welfare in general, competitive cyber-insurers may fail to improve network security.
Security and insurance management in networks with heterogeneous agents
It is argued that users often underestimate the strong mutual dependence between their security strategies and the economic environment (e.g., threat model) in which these choices are made and evaluated; this dependence is compounded by heterogeneity within the user population, further reducing incentives for cooperation and coordination.
Security Investment (Failures) in Five Economic Environments: A Comparison of Homogeneous and Heterogeneous User Agents
It is argued that users often underestimate the strong mutual dependence between their security strategies and the economic environment in which these choices are made and evaluated, and this misunderstanding weakens the effectiveness of users’ security investments.
Network Security Games: Combining Game Theory, Behavioral Economics, and Network Measurements
It is important to understand the incentives of the different participants to a network, so that schemes or intervention mechanisms to re-align them with a desirable outcome are designed.
The Price of Uncertainty in Security Games
This work considers difference, payoff-ratio, and cost-ratio metrics as canonical nontrivial measurements of the price of uncertainty and conducts an algebraic, numerical, and graphical analysis of these metrics applied to different well-studied security scenarios proposed in prior work.
It is shown that the security of a system can be seen as an interplay between functionality requirements and the strategies adopted by users; based on this, a weaker notion of noninterference is proposed, called strategic noninterference.
Cyber-Insurance: Missing Market Driven by User Heterogeneity
It is demonstrated, in a general setting, that the cyber-insurance market fails to underwrite contracts conditioning user premium on user security, and it is proved that no matter how small the fraction of malicious users is, an equilibrium contract that specifies user security does not exist.
Competitive Cyber-Insurance and Internet Security
Although cyber-insurance improves user welfare in general, competitive cyber-insurers fail to improve network security.
Information Leakage Games
This seems the first work to prove formally that in certain cases the optimal attack strategy is necessarily probabilistic, for both the attacker and the defender.
Interdependent Security
Do firms have adequate incentives to invest in protection against a risk whose magnitude depends on the actions of others? This paper characterizes the Nash equilibria for this type of interaction.
Network Software Security and User Incentives
The results suggest that both the value generated from software and vendor profits can be significantly improved by mechanisms that target user incentives to maintain software security.
Why information security is hard - an economic perspective
  • Ross J. Anderson
  • Computer Science
    Seventeenth Annual Computer Security Applications Conference
  • 2001
The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.
Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability
  • K. Hausken
  • Computer Science
    Inf. Syst. Frontiers
  • 2006
This article presents classes of all four kinds of marginal return where the optimal investment is no longer capped at 1 / e, and presents an alternative class with decreasing marginal returns where the investment increases convexly in the vulnerability until a bound is reached, investing most heavily to protect the extremely vulnerable information sets.
The economics of information security investment
An economic model is presented that determines the optimal amount to invest to protect a given set of information and takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur.
Interdependence of Reliability and Security
This paper studies manufacturer incentives to invest in the improvement of reliability and security of a software system when (i) reliability and security failures are caused by the same errors in
The Economics of Information Security
The economics of information security has recently become a thriving and fast-moving discipline and provides valuable insights into more general areas such as the design of peer-to-peer systems, the optimal balance of effort by programmers and testers, why privacy gets eroded, and the politics of digital rights management.
Security engineering - a guide to building dependable distributed systems (2. ed.)
In almost 600 pages of riveting detail, Ross Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables.
Models and Measures for Correlation in Cyber-Insurance
This paper introduces a new classification of correlation properties of cyber-risks based on a twin-tier approach and addresses technical, managerial and policy choices influencing the correlation at both steps and the business implications thereof.
Near rationality and competitive equilibria in networked systems
It is argued that considering competitive equilibria of a more general form helps in assessing the accuracy of a game theoretic model, and can even help in reconciling predictions from game-theoretic models with empirically observed behavior.