Network Security: An Economics Perspective
IS250, Spring 2010
John Chuang
John Chuang 2
Rational Decision-Making in Information Security
Step 1. One defender
- Security investment as risk management
- Cost-benefit analysis; expected value
- Risk attitudes and deviations from expected utility
Step 2. Many defenders
- Interdependent security: weakest link, best shot, and total effort
Step 3. Many forms of attacks and defenses
- Weakest target
- Protection versus insurance (public versus private goods)
- Limited information
How Secure is Secure?
Are we investing too little in security? Are we investing too much?
Security investment as risk management
- In traditional engineering:
  - Risk = probability of accident * losses per accident
  - Can interpret risk as expected loss
- Perform cost-benefit analysis of risk-mitigation alternatives
- Example: highway safety regulation often uses $1 million per statistical death in analysis
Cost-Benefit Analysis
Scenario 1:
- New technology promises to fix a vulnerability
- Loss in event of security breach: L
- Probability of breach: p
- Cost of security mechanism: c
- Q: should the CSO invest in the security mechanism?
- A: invest if p·L > c; else do not invest
Scenario 2:
- Webpage asks you to type in your social security number
- Value derived from completing this transaction: v
- Probability of theft: p
- Loss in event of identity theft: L
- Q: should you enter the information?
- A: provide personal information if v > p·L; else do not
What assumptions are made here?
Challenges
Difficulty in risk assessment
- Especially for events with very low probability (p) and/or very high loss (L)
- p·L may be off by orders of magnitude
Users may not (want to) maximize expected utility
- Risk attitudes: risk neutral, risk averse, or risk seeking
- Hyperbolic discounting: small immediate payoff preferred over large payoff in the future
- Framing and prospect theory
Risk Attitude
Offer 1:
- Choice 1: win $10 with certainty
- Choice 2: 50% chance of winning $20
Offer 2:
- Choice 1: win $1 million with certainty
- Choice 2: 50% chance of winning $2 million
Hyperbolic Discounting
Discounted utility: U = δ^t · u_t(x), where δ is the discount factor
Would you prefer $50 today, or $100 a year from today? Would you prefer $50 five years from now, or $100 six years from now?
Humans prefer smaller payoffs immediately over larger payoffs in the future
- Or: unwilling to make sacrifices now for payoffs down the road
Privacy: humans often give away personal information in exchange for small discounts or prizes
Prospect Theory (Kahneman and Tversky)
Gains:
- Choice 1: win $500 with certainty
- Choice 2: 50% chance of winning $1000
- 84% chose Choice 1
Losses:
- Choice 1: lose $500 with certainty
- Choice 2: 50% chance of losing $1000
- 70% chose Choice 2
Asian Disease Experiment (Kahneman and Tversky)
Imagine that the U.S. is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people.
Framing 1:
- Program A: 200 people will be saved
- Program B: 33% chance all 600 people will be saved; 67% chance nobody will be saved
- 72% chose Program A
Framing 2:
- Program A: 400 people will die
- Program B: 33% chance nobody will die; 67% chance all 600 people will die
- 78% chose Program B
WTA-WTP Gap
WTA: willingness to accept a proposal to sell a good already owned
WTP: willingness to pay for a good not already owned
Privacy study:
- "When 25 Cents is Too Much: An Experiment on Willingness-To-Sell and Willingness-To-Protect Personal Information" (Grossklags & Acquisti, 2007)
- Finding: subjects willing to sell personal information for $1/$0.25, but not willing to spend $1/$0.25 to protect information
- Information: quiz performance, body weight
Rational Decision-Making in Information Security
Step 1. One defender
- Security investment as risk management
- Cost-benefit analysis; expected value
- Risk attitudes and deviations from expected utility
Step 2. Many defenders
- Interdependent security: weakest link, best shot, and total effort
Step 3. Many forms of attacks and defenses
- Weakest target
- Protection versus insurance (public versus private goods)
- Limited information
Interdependent Security
Common adage: "A system is only as secure as its weakest link"
- Security of entire system depends on that of individual components
- Security of individual players depends on security decisions of other players
[Figure: attacker versus defenders under the best shot, total effort, and weakest link games]
Interdependent Security
Utility function of player i: U_i = M − p·L·(1 − H(e_i, e_−i)) − b·e_i
- where M is the initial endowment, b is the cost of protection, e_i is the protection level chosen by player i, e_−i are the levels chosen by the other players, and H is the protection function
Different protection functions for different attack/defense scenarios:
- Weakest link: H(e_i, e_−i) = min(e_i, e_−i)
- Best shot: H(e_i, e_−i) = max(e_i, e_−i)
- Total effort: H(e_i, e_−i) = Σ_i e_i
Varian, 2002: security becomes a public good
- Well-known result: free-riding, leading to suboptimal provisioning of the public good
Rational Decision-Making in Information Security
Step 1. One defender
- Security investment as risk management
- Cost-benefit analysis; expected value
- Risk attitudes and deviations from expected utility
Step 2. Many defenders
- Interdependent security: weakest link, best shot, and total effort
Step 3. Many forms of attacks and defenses
- Weakest target
- Protection versus insurance (public versus private goods)
- Limited information
Protection vs. Insurance
Individual players may invest in protection to reduce the probability of loss (p)
- Examples: firewall, anti-virus software, patching
Individual players may invest in insurance to reduce the magnitude of loss (L)
- Examples: data backup (self-insurance), cyber-insurance (market insurance)
Protection vs. Insurance
Protection only: U_i = M − p·L·(1 − H(e_i, e_−i)) − b·e_i
Insurance only: U_i = M − p·L·(1 − s_i) − c·s_i
Both available: U_i = M − p·L·(1 − H(e_i, e_−i))·(1 − s_i) − b·e_i − c·s_i
- where M is the initial endowment, b is the cost of protection, c is the cost of insurance, e_i and s_i are the protection and insurance levels chosen by player i, and H is the protection function
Q: How should a player allocate budget between e_i (protection) and s_i (insurance)?
Note: protection is a public good, whereas insurance is a private good
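To make the utility function and the protection functions concrete, here is an added Python example (not from the lecture) that implements U_i for the protection-plus-insurance model above together with the weakest link, best shot, total effort, and weakest target functions from the interdependent security slides, then grid-searches a player's best response and checks whether a profile is a Nash equilibrium. The parameter values are constructed, and total effort is divided by N here (the slide writes Sum(e_i)) so that H stays in [0, 1].

```python
from typing import Callable, Sequence, Tuple

Vec = Sequence[float]
ProtFn = Callable[[Vec, int], float]  # H(e, i): protection enjoyed by player i

# Protection functions from the slides; e is the vector of all players' levels.
def weakest_link(e: Vec, i: int) -> float:
    return min(e)
def best_shot(e: Vec, i: int) -> float:
    return max(e)
def total_effort(e: Vec, i: int) -> float:
    # Slide writes Sum(e_i); dividing by N is an assumption here so H stays in [0, 1].
    return sum(e) / len(e)
def weakest_target(e: Vec, i: int) -> float:
    return 0.0 if e[i] == min(e) else 1.0  # minimum-protection player is hit

def utility(i: int, e: Vec, s: Vec, H: ProtFn,
            M: float, p: float, L: float, b: float, c: float) -> float:
    # U_i = M - p*L*(1 - H(e_i, e_-i))*(1 - s_i) - b*e_i - c*s_i
    return M - p * L * (1 - H(e, i)) * (1 - s[i]) - b * e[i] - c * s[i]

def best_response(i: int, e: Vec, s: Vec, H: ProtFn, M: float, p: float,
                  L: float, b: float, c: float,
                  grid: Vec = (0.0, 0.5, 1.0)) -> Tuple[float, float, float]:
    """Player i's utility-maximising (U_i, e_i, s_i) on the grid, others'
    choices held fixed. Ties keep the first grid point found."""
    best = (float("-inf"), 0.0, 0.0)
    for ei in grid:
        for si in grid:
            e2, s2 = list(e), list(s)
            e2[i], s2[i] = ei, si
            u = utility(i, e2, s2, H, M, p, L, b, c)
            if u > best[0] + 1e-9:
                best = (u, ei, si)
    return best

def is_nash(e: Vec, s: Vec, H: ProtFn, M: float, p: float, L: float,
            b: float, c: float) -> bool:
    """True if no player can gain (on the grid) by changing (e_i, s_i) alone."""
    return all(best_response(i, e, s, H, M, p, L, b, c)[0]
               <= utility(i, e, s, H, M, p, L, b, c) + 1e-9
               for i in range(len(e)))

if __name__ == "__main__":
    # Constructed parameters: endowment 100, p*L = 30, full protection 10, full insurance 20.
    P = dict(M=100.0, p=0.5, L=60.0, b=10.0, c=20.0)
    print(best_response(0, [0.0, 1.0], [0.0, 0.0], best_shot, **P))    # free-ride: (100.0, 0.0, 0.0)
    print(best_response(0, [0.0, 0.0], [0.0, 0.0], weakest_link, **P)) # insure: (80.0, 0.0, 1.0)
    print(is_nash([1.0, 1.0], [0.0, 0.0], weakest_link, **P),          # True: all protect
          is_nash([0.0, 0.0], [1.0, 1.0], weakest_link, **P))          # True: all insure
```

With these numbers the weakest link game has both an all-protect and an all-insure equilibrium, while in best shot a player facing a fully protected partner free-rides, so all-protect is not an equilibrium there.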
Results
Total effort:
- Depending on b, c, and p·L, Nash equilibria can be to secure (full protection), to insure (full insurance), or to ignore (passivity)
Best shot:
- No protection equilibrium, unless players can coordinate
Weakest link:
- Depending on b, c, and p·L, Nash equilibria can be to secure (multiple protection equilibria, all unstable), to insure (full insurance), or to ignore (passivity)
- As N increases, protection equilibria collapse to either full insurance or passivity
Weakest target:
- Pure NE does not exist; mixed NE exists
- As N increases, full insurance becomes less likely
- Security level in NE may be higher than in the social optimum, due to the effect of strategic uncertainty
In the Lab Setting...
Three players choose protection and insurance levels
- Payoffs based on weakest link game
Player A experimented throughout
Player B quickly learns and settles into the individually rational strategy (full insurance, no protection); reinforced by a compromise at around round 65
Player C largely settles into the individually rational strategy after round 50
Weakest Target
Attacker compromises the player(s) with the minimum protection level; all other players are unharmed
- H(e_i, e_−i) = 0 if e_i = min(e_i, e_−i); 1 otherwise
[Figure: attacker versus defenders in the weakest target game]
Summary
Network security is as much about economic incentives as it is about technological mechanisms
It is challenging for individuals to make the right decisions regarding security
Solutions may include economic instruments for coordination, risk pooling; policy instruments for assignment of liability; and design principles that nudge individuals toward secure choices
To Explore Further
http://netecon.berkeley.edu/security-economics/
Workshops on Economics and Information Security (WEIS)