network security: an economic perspective
DESCRIPTION
Network Security: an Economic Perspective. Marc Lelarge (INRIA-ENS) currently visiting STANFORD TRUST seminar, Berkeley 2011. Threats and Vulnerabilities. Attacks are exogenous. Contribution. Optimal security investment for a single agent Gordon and Loeb model, 1/e rule - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/1.jpg)
Network Security:an Economic Perspective
Marc Lelarge (INRIA-ENS)currently visiting STANFORD
TRUST seminar, Berkeley 2011.
![Page 2: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/2.jpg)
Threats and Vulnerabilities
Attacks are exogenous
![Page 3: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/3.jpg)
Contribution
(1) Optimal security investment for a single agent- Gordon and Loeb model, 1/e rule- Monotone comparative statics
(2) Optimal security investment for an interconnected agent
- Network externalities
(3) Equilibrium analysis of the security game- Free-rider problem, Critical mass, PoA
![Page 4: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/4.jpg)
(1) Single agent
• Two parameters: – Potential monetary loss:– Probability of security breach without additional
security: • Agent can invest to reduce the probability of
loss to:• Optimal investment:
![Page 5: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/5.jpg)
(1) Gordon and Loeb
• Class of security breach probability functions:
• measure of the productivity of security.
Gordon and Loeb (2002)
![Page 6: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/6.jpg)
(1) Gordon and Loeb (cont.)
vulnerability
Optimal investment(size of potential loss fixed)
![Page 7: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/7.jpg)
(1) Gordon and Loeb (cont.)
Probability of loss for a given investment
![Page 8: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/8.jpg)
(1) Gordon and Loeb (cont.)
High vulnerability
Low vulnerability
![Page 9: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/9.jpg)
(1) Conditions for monotone investment
• If
then is non-decreasing• Augmenting return of investment with
vulnerability:
• Extension to submodular functions.
![Page 10: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/10.jpg)
(1) The 1/e rule
• If the function is log-convex in x then the optimal security investment is bounded by: ,i.e
of the expected loss
![Page 11: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/11.jpg)
Contribution
(1) Optimal security investment for a single agent- Gordon and Loeb model, 1/e rule- Monotone comparative statics
(2) Optimal security investment for an interconnected agent
- Network externalities
(3) Equilibrium analysis of the security game- Free-rider problem, Critical mass, PoA
![Page 12: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/12.jpg)
(2) Effect of the network
• Agent faces an internal risk and an indirect risk.
• Information available to the agent: in a poset (partially ordered set).
• Optimal security investment:
![Page 13: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/13.jpg)
(2) How to estimate the probability of loss?
• Epidemic risk model• Binary choice for protection • Limited information on the network of
contagion (physical or not): degree distribution.– Best guess: take a graph uniformly at random.
Galeotti et al. (2010)
![Page 14: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/14.jpg)
• Attacker directly infects an agent N with prob. p.
• Each neighbor is contaminated with prob. q if in S or if in N.
(2) Epidemic ModelAttacker
N
S
![Page 15: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/15.jpg)
(2) Monotone comparative statics
• If the function is strictly decreasing in for any
then the optimal investment is non-decreasing.
• Equivalent to:Network externalities function is decreasing:
![Page 16: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/16.jpg)
(2) Strong protection
• An agent investing in S cannot be harmed by the actions of others: . in previous equation.
• Decreasing network externalities function.
![Page 17: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/17.jpg)
(2) Weak protection
• If , the network externalities function is:
![Page 18: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/18.jpg)
Contribution
(1) Optimal security investment for a single agent- Gordon and Loeb model, 1/e rule- Monotone comparative statics
(2) Optimal security investment for an interconnected agent
- Network externalities
(3) Equilibrium analysis of the security game- Free-rider problem, Critical mass, PoA
![Page 19: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/19.jpg)
(3) Fulfilled expectations equilibrium
• Concept introduced by Katz & Shapiro (85)• Willingness to pay for the agent of type :
multiplicative specification of network externalities, Economides & Himmelberg (95).
• C.d.f of types: % with • Willingness to pay for the ‘last’ agent:
![Page 20: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/20.jpg)
(3) Fulfilled expectations equilibrium
• In equilibrium, expectation are fulfilled:
• The willingness to pay is:
• Extension of Interdependent Security 2 players game introduced by
Kunreuther & Heal (03).
![Page 21: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/21.jpg)
(3) Critical mass
• Equilibria given by the fixed point equation
![Page 22: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/22.jpg)
(3) Critical mass (cont.)
• Equilibria given by the fixed point equation
fraction of population investing in security
cost
![Page 23: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/23.jpg)
(3) Critical mass (cont.)
• If only one type: willingness to pay = network externalities function.
fraction of population investing in security
cost
![Page 24: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/24.jpg)
(3) Price of Anarchy
• The social welfare function:
• Because of the public and private externalities, agent under-invest in security (in all cases).
Public externalities
Private externalities
![Page 25: Network Security: an Economic Perspective](https://reader036.vdocuments.us/reader036/viewer/2022070406/568142a4550346895daeddbe/html5/thumbnails/25.jpg)
Conclusion
• Simple single agent model: 1/e rule– General conditions for monotone investment
• Interconnected agents: network externalities function– General conditions to align incentives
• Equilibrium analysis of the security game– Critical mass, PoA
• Extensions: In this talk, agent is risk-neutral. What happens if risk-adverse? Insurance?