Interdependency Analysis in Security Investment against Strategic Attacks

Abstract

Information security investment is of high importance in management of IT infrastructure. There are many researches focused on game theoretical modeling and analysis of security investment of interdependent firms against potential security attacks. However, these studies usually are not concerned with dynamic and strategic nature of attacks which are increasingly important features of today’s cyber systems. Strategic attackers are those who are able to substitute their investments among targets over time by shifting investments towards poorly protected targets in order to obtain more potential financial gains. In this paper we try to analyze the effects of interdependency in security investment of firms against strategic attackers. Note that although there are a limited number of works that consider the strategic nature of attack, they model the defenders as a set of isolated nodes. Hence the positive externality caused by interconnection of the firms is not considered in these models. We consider both the attackers’ actual strategic behaviors (that causes negative externality via the possibility of substituting the target) as well as structural effects of the networked firms (that leads to positive externality via attack propagation). We propose a differential game among the networked firms in which attackers act strategically. In the proposed game, by employing a linear substitution model for characterizing the process of target selection by the attacker, the open-loop Nash solutions are highlighted in an analytical form. The analytical results show how interconnectivity between firms and the strategic behavior of the attacker determines the firms’ incentives for security investment. It is shown that overinvestment or underinvestment could occur depending on the degree of interdependency among the given firms. Accordingly we designed mechanisms to encourage the firms to invest at a socially optimal level. The achieved results in this paper helps security designers to better formulate their policies in tackling strategic attackers.

Appendices

Appendix 1: Stability Analysis of Equilibrium-Decentralized Decision Case

An equilibrium \( \left({c}_i^{\infty },{\lambda}_{ii}^{\infty },{\lambda}_{ij}^{\infty}\right) \) is a solution of \( \frac{\partial {\lambda}_{ii}(t)}{\partial t}=0,\frac{\partial {\lambda}_{ij}(t)}{\partial t}=0,\frac{d{c}_i(t)}{dt}=0 \), where, the optimality condition \( \frac{\partial {H}_i(t)}{\partial {z}_i(t)}=0 \) must hold, or equivalently, where, \( {z}_i^a\left(\mathrm{t}\right) \) is expressed explicitly in terms of state and co-state through Eq. (33).

$$ {z}_i^a\left(\mathrm{t}\right)={\left[\frac{{\beta \varepsilon}_i{L}_i{\left({c}_i^a(t)\right)}^{\phi }}{1+{\lambda}_{ii}\left(\mathrm{t}\right)-\omega \sum \limits_{k=1,\mathrm{k}\ne i}^n{\lambda}_{ik}(t)}\right]}^{1/\left(\beta +1\right)} $$

(33)

An interior steady state \( \left({c}_i^{\infty },{\lambda}_{ii}^{\infty },{\lambda}_{ij}^{\infty}\right) \), defined based on optimal control z_i^∞, is the result of the following system of nonlinear equations:

$$ \delta {c}_i(t)-\frac{1-\omega \left(n-1\right)}{1+\left(n-1\right)\eta }{\left[\frac{\beta \varepsilon L{\left({c}_i^a(t)\right)}^{\phi }}{1+{\lambda}_{ii}\left(\mathrm{t}\right)-\omega \sum \limits_{k=1,\mathrm{k}\ne i}^n{\lambda}_{ik}(t)}\right]}^{1/\left(\beta +1\right)}=0 $$

(34)

$$ \left(\rho -\delta \right){\lambda}_{ii}\left(\mathrm{t}\right)+\phi \varepsilon L{\left({c}_i^a(t)\right)}^{\phi -1}{\left[\frac{1+{\lambda}_{ii}\left(\mathrm{t}\right)-\omega \sum \limits_{k=1,\mathrm{k}\ne i}^n{\lambda}_{ik}(t)}{{\beta \varepsilon}_i{L}_i{\left({c}_i^a(t)\right)}^{\phi }}\right]}^{\beta /\left(\beta +1\right)}=0 $$

(35)

$$ \left(\rho -\delta \right){\lambda}_{ij}\left(\mathrm{t}\right)+\eta \phi \varepsilon L{\left({c}_j^a(t)\right)}^{\phi -1}{\left[\frac{1+{\lambda}_{ii}\left(\mathrm{t}\right)-\omega \sum \limits_{k=1,\mathrm{k}\ne i}^n{\lambda}_{ik}(t)}{{\beta \varepsilon}_i{L}_i{\left({c}_i^a(t)\right)}^{\phi }}\right]}^{\beta /\left(\beta +1\right)}=0 $$

(36)

To evaluate the stability of the above steady state, we compute the Jacobian matrix of the system of above nonlinear equations as follows:

$$ \left(\begin{array}{ccc}-\frac{\phi }{\beta +1}\left(1-\omega \left(n-1\right)\right)\frac{z_i^a\left(\infty \right)}{c_i^a\left(\infty \right)}+\delta & \frac{1}{\beta +1}\frac{1-\omega \left(n-1\right)}{1+\left(n-1\right)\eta}\frac{z_i^a\left(\infty \right)}{1+{\lambda}_{ii}^{\infty }-\omega \sum \limits_{k=1,k\ne i}^n{\lambda}_{ik}^{\infty }}& -\frac{\omega }{\beta +1}\frac{1-\omega \left(n-1\right)}{1+\left(n-1\right)\eta}\frac{z_i^a\left(\infty \right)}{1+{\lambda}_{ii}^{\infty }-\omega \sum \limits_{k=1,k\ne i}^n{\lambda}_{ik}^{\infty }}\\ {}\frac{\phi -\beta -1}{\beta +1}\left(1+\left(n-1\right)\eta \right){\phi \varepsilon}_i{L}_i{\left({c}_i^a\left(\infty \right)\right)}^{\phi -2}{z}_i^a{\left(\infty \right)}^{-\beta }& \frac{\beta }{\beta +1}\frac{{\phi \varepsilon}_i{L}_i{\left({c}_i^a\left(\infty \right)\right)}^{\phi -1}{z}_i^a{\left(\infty \right)}^{-\beta }}{1+{\lambda}_{ii}^{\infty }-\omega \sum \limits_{k=1,k\ne i}^n{\lambda}_{ik}^{\infty }}+\rho -\delta & -\frac{\beta \omega}{\beta +1}\frac{{\phi \varepsilon}_i{L}_i{\left({c}_i^a\left(\infty \right)\right)}^{\phi -1}{z}_i^a{\left(\infty \right)}^{-\beta }}{1+{\lambda}_{ii}^{\infty }-\omega \sum \limits_{k=1,k\ne i}^n{\lambda}_{ik}^{\infty }}\\ {}\frac{\phi -\beta -1}{\beta +1}\left(1+\left(n-1\right)\eta \right){\eta \phi \varepsilon}_i{L}_i{\left({c}_i^a\left(\infty \right)\right)}^{\phi -2}{z}_i^a{\left(\infty \right)}^{-\beta }& \eta \frac{\beta }{\beta +1}\frac{{\phi \varepsilon}_i{L}_i{\left({c}_i^a\left(\infty \right)\right)}^{\phi -1}{z}_i^a{\left(\infty \right)}^{-\beta }}{1+{\lambda}_{ii}^{\infty }-\omega \sum \limits_{k=1,k\ne i}^n{\lambda}_{ik}^{\infty }}& -\omega \eta \frac{\beta }{\beta +1}\frac{{\phi \varepsilon}_i{L}_i{\left({c}_i^a\left(\infty \right)\right)}^{\phi -1}{z}_i^a{\left(\infty \right)}^{-\beta }}{1+{\lambda}_{ii}^{\infty }-\omega \sum \limits_{k=1,k\ne i}^n{\lambda}_{ik}^{\infty }}+\rho -\delta \end{array}\right) $$

(37)

The eigenvalues of the Jacobian matrix at an equilibrium point is calculated next. To calculate the eigenvalues, the roots of the characteristic of polynomial det(J − μI) = 0 are found. The resulted three eigenvalues are as follows:

$$ {\displaystyle \begin{array}{l}{\mu}_1=\rho -\delta \\ {}{\mu}_2=\frac{1}{2}\left(-\sqrt{{\left(\rho +\frac{\phi \delta}{\beta +1}\frac{\omega \left(n-\eta -1\right)}{\left(1-\omega \left(n-1\right)\right)}\right)}^2+4\frac{\phi -\beta -1}{\beta +1}\left(\frac{\delta^2\phi }{\beta}\frac{\left(1-\omega \eta \right)}{\left(1-\omega \left(n-1\right)\right)}+\delta \left(\rho -\delta \right)\right)}\right.+\left(\rho +\frac{\phi \delta}{\beta +1}\frac{\omega \left(n-\eta -1\right)}{\left(1-\omega \left(n-1\right)\right)}\right)\\ {}{\mu}_3=\frac{1}{2}\left(+\sqrt{{\left(\rho +\frac{\phi \delta}{\beta +1}\frac{\omega \left(n-\eta -1\right)}{\left(1-\omega \left(n-1\right)\right)}\right)}^2+4\frac{\phi -\beta -1}{\beta +1}\left(\frac{\delta^2\phi }{\beta}\frac{\left(1-\omega \eta \right)}{\left(1-\omega \left(n-1\right)\right)}+\delta \left(\rho -\delta \right)\right)}\right.+\left(\rho +\frac{\phi \delta}{\beta +1}\frac{\omega \left(n-\eta -1\right)}{\left(1-\omega \left(n-1\right)\right)}\right)\end{array}} $$

(38)

As can be observed, the equilibrium is stable in the saddle point sense where \( \frac{\delta^2\phi }{\beta}\frac{\left(1-\omega \eta \right)}{\left(1-\omega \left(n-1\right)\right)}+\delta \left(\rho -\delta \right)<0 \)i.e. \( \rho <{\alpha}_D\delta, {\alpha}_D=\left(1-\frac{\phi }{\beta}\frac{\left(1-\omega \eta \right)}{\left(1-\omega \left(n-1\right)\right)}\right) \).

Appendix 2: Stability Analysis of Equilibrium-Centralized Decision Case

To evaluate the stability of the steady state, we compute the Jacobian matrix of the system of nonlinear Eqs. (1), (13) and (14) as follows:

$$ \left(\begin{array}{cc}-\frac{\phi }{\beta +1}\Big(1-\omega \left(n-1\right)\frac{z_i^a\left(\infty \right)}{c_i^a\left(\infty \right)}+\delta & \frac{1}{\beta +1}\frac{1-\omega \left(n-1\right)}{\left(1+\left(n-1\right)\eta \right)}\frac{z_i^a\left(\infty \right)}{1+\left(1-\omega \left(n-1\right)\right){\lambda}_i^{\infty}\Big)}\\ {}\frac{\phi -\beta -1}{\beta +1}{\left(1+\left(n-1\right)\eta \right)}^2{\phi \varepsilon}_i{L}_i{c}_i^a{\left(\infty \right)}^{\phi -2}{z}_i^a{\left(\infty \right)}^{-\beta }& \left(1+\left(n-1\right)\eta \right)\left(1-\omega \left(n-1\right)\right)\frac{\beta }{\beta +1}\frac{{\phi \varepsilon}_i{L}_i{c}_i^a{\left(\infty \right)}^{\phi -1}{z}_i^a\left(\infty \right)\Big){}^{-\beta }}{1+\left(1-\omega \left(n-1\right)\right){\lambda}_i^{\infty}\Big)}+\rho -\delta \end{array}\right) $$

(39)

The eigenvalues of the Jacobian matrix is calculated at the equilibrium point as follows:

$$ {\displaystyle \begin{array}{l}{\mu}_1=\frac{1}{2}\left(-\sqrt{\rho^2+4\frac{\phi -\beta -1}{\beta +1}\left(\frac{\delta^2\phi }{\beta +1}\left(1+\frac{1}{\beta \Big(1-\omega \left(n-1\right)}\right)+\delta \left(\rho -\delta \right)\right)}+\rho \right)\\ {}{\mu}_2=\frac{1}{2}\left(\sqrt{\rho^2+4\frac{\phi -\beta -1}{\beta +1}\left(\frac{\delta^2\phi }{\beta +1}\left(1+\frac{1}{\beta \Big(1-\omega \left(n-1\right)}\right)+\delta \left(\rho -\delta \right)\right)}+\rho \right)\end{array}} $$

(40)

It is observed that the equilibrium is stable in the saddle point sense where \( 1+\frac{1}{\beta \left(1-\omega \left(n-1\right)\right)}+\delta \left(\rho -\delta \right)<0 \) i.e. \( \rho <{\alpha}_c\delta, {\alpha}_c=1-\frac{\phi }{\beta \left(\beta +1\right)}\frac{\beta \left(1-\omega \left(n-1\right)+1\right)}{1-\omega \left(n-1\right)} \).

Appendix 3: Proof for Proposition 5

By substituting η = 0 in the eqs. (9) and (15) the followings are obtained:

$$ {\displaystyle \begin{array}{c}{\mathrm{z}}_D=\left[\varepsilon L{\delta}^{-\phi}\right({\left(1-\omega \left(n-1\right)\right)}^{\phi}\left(\beta +\frac{\phi \delta}{\left(\rho -\delta \right)\left(1-\omega \left(n-1\right)\right)}\right)\Big]{}^{1/\left(1-\phi +\beta \right)}\\ {}{\mathrm{z}}_C={\left[\varepsilon L{\delta}^{-\phi }{\left(1-\omega \left(n-1\right)\right)}^{\phi}\left(\beta +\frac{\phi \delta}{\left(\rho -\delta \right)}\right)\right]}^{1/\left(1-\phi +\beta \right)}\end{array}} $$

(41)

Since 0 < (1 − ω(n − 1)) < 1, then z_D > z_c.

By substituting η = 1 in the eqs. (9) and (15), the followings are obtained:

$$ {\displaystyle \begin{array}{c}{\mathrm{z}}_D=\left[\varepsilon L{\delta}^{-\phi }{\left(1+n\right)}^{\phi -\beta -1}\right({\left(1-\omega \left(n-1\right)\right)}^{\phi}\left(\beta +\frac{\phi \delta}{\left(\rho -\delta \right)}\right)\Big]{}^{1/\left(1-\phi +\beta \right)}\\ {}{\mathrm{z}}_C={\left[\varepsilon L{\delta}^{-\phi }{\left(1+n\right)}^{\phi -\beta }{\left(1-\omega \left(n-1\right)\right)}^{\phi}\left(\beta +\frac{\phi \delta}{\left(\rho -\delta \right)}\right)\right]}^{1/\left(1-\phi +\beta \right)}\end{array}} $$

(42)

It is observed in this case that z_D < z_c.

The parameter η^∗ is in fact equal to the point where centralized security investment z_Cand decentralize security investment z_D (Eqs. 9 and 15 respectively) are equal. There is a unique point η^∗ that satisfies z_D = z_c.

By equating (9) and (15), the following is obtained:

$$ \left(1+\left(n-1\right){\eta}^{\ast}\right)\left(\beta +\frac{\phi \delta}{\left(\rho -\delta \right)}\right)=\left(\beta +\frac{\phi \delta \left(1-{\eta}^{\ast}\omega \left(n-1\right)\right)}{\left(\rho -\delta \right)\left(1-\omega \left(n-1\right)\right)}\right) $$

(43)

Solving (43) the unique η^∗ is computed as follows:

$$ {z}_D={z}_c\Rightarrow {\eta}^{\ast }=\frac{\phi \delta \omega}{\beta \left(\rho -\delta \right)\left(1-\omega \left(n-1\right)\right)+\delta \phi \left(1-\omega \left(\mathrm{n}-2\right)\right)} $$

(44)

Since, when η = 0 ⇒ z_D > z_cand when η = 1 ⇒ z_D < z_c and we know that η ∈ [0, 1], due to the uniqueness of η^∗, we can conclude that η^∗ must be within the range of 0 and 1 as a function of ϕ, δ, ω, β, ρ and n.

Also regarding the fact that \( \frac{\partial {z}_D}{\partial \eta }<0 \) and \( \frac{\partial {z}_C}{\partial \eta }<0 \), the following results are obtained:

$$ {\displaystyle \begin{array}{c}0\le \eta <{\eta}^{\ast}\Rightarrow {z}_D<{z}_c\\ {}{\eta}^{\ast }<\eta \le 1\Rightarrow {z}_D>{z}_c\\ {}\eta ={\eta}^{\ast}\Rightarrow {z}_D={z}_c\end{array}} $$