Abstract
Information security investment is of high importance in the management of IT infrastructure. A considerable body of research applies game-theoretic modeling and analysis to the security investment of interdependent firms facing potential security attacks. However, these studies usually do not account for the dynamic and strategic nature of attacks, which are increasingly important features of today's cyber systems. Strategic attackers are those able to substitute their investments among targets over time, shifting effort towards poorly protected targets in order to obtain greater potential financial gains. In this paper we analyze the effects of interdependency on the security investment of firms against strategic attackers. Although a limited number of works consider the strategic nature of attack, they model the defenders as a set of isolated nodes; hence the positive externality caused by the interconnection of the firms is not captured in those models. We consider both the attacker's strategic behavior (which causes a negative externality via the possibility of substituting the target) and the structural effects of the networked firms (which lead to a positive externality via attack propagation). We propose a differential game among the networked firms in which the attacker acts strategically. In the proposed game, by employing a linear substitution model to characterize the attacker's target-selection process, the open-loop Nash solutions are derived in analytical form. The analytical results show how interconnectivity between firms and the strategic behavior of the attacker determine the firms' incentives for security investment. It is shown that overinvestment or underinvestment can occur depending on the degree of interdependency among the firms. Accordingly, we design mechanisms to encourage the firms to invest at the socially optimal level.
The results obtained in this paper help security designers to better formulate their policies for tackling strategic attackers.
Appendices
Appendix 1: Stability Analysis of Equilibrium-Decentralized Decision Case
An equilibrium \( \left({c}_i^{\infty },{\lambda}_{ii}^{\infty },{\lambda}_{ij}^{\infty}\right) \) is a solution of \( \frac{d{\lambda}_{ii}(t)}{dt}=0,\ \frac{d{\lambda}_{ij}(t)}{dt}=0,\ \frac{d{c}_i(t)}{dt}=0 \), at which the optimality condition \( \frac{\partial {H}_i(t)}{\partial {z}_i(t)}=0 \) must hold, or equivalently, where \( {z}_i^a(t) \) is expressed explicitly in terms of the state and co-state variables through Eq. (33).
An interior steady state \( \left({c}_i^{\infty },{\lambda}_{ii}^{\infty },{\lambda}_{ij}^{\infty}\right) \), defined on the basis of the optimal control \( z_i^{\infty} \), is the solution of the following system of nonlinear equations:
To evaluate the stability of this steady state, we compute the Jacobian matrix of the above system of nonlinear equations as follows:
The eigenvalues of the Jacobian matrix at the equilibrium point are calculated next, as the roots of the characteristic polynomial \( \det(J-\mu I)=0 \). The resulting three eigenvalues are as follows:
As can be observed, the equilibrium is stable in the saddle-point sense when \( \frac{\delta^2\phi }{\beta}\frac{\left(1-\omega \eta \right)}{\left(1-\omega \left(n-1\right)\right)}+\delta \left(\rho -\delta \right)<0 \), i.e. when \( \rho <{\alpha}_D\delta \) with \( {\alpha}_D=1-\frac{\phi }{\beta}\frac{\left(1-\omega \eta \right)}{\left(1-\omega \left(n-1\right)\right)} \).
Appendix 2: Stability Analysis of Equilibrium-Centralized Decision Case
To evaluate the stability of the steady state, we compute the Jacobian matrix of the system of nonlinear Eqs. (1), (13) and (14) as follows:
The eigenvalues of the Jacobian matrix are calculated at the equilibrium point as follows:
It is observed that the equilibrium is stable in the saddle-point sense when \( \frac{\delta^2\phi }{\beta+1}\left(1+\frac{1}{\beta \left(1-\omega \left(n-1\right)\right)}\right)+\delta \left(\rho -\delta \right)<0 \), i.e. when \( \rho <{\alpha}_c\delta \) with \( {\alpha}_c=1-\frac{\phi }{\beta \left(\beta +1\right)}\frac{\beta \left(1-\omega \left(n-1\right)\right)+1}{1-\omega \left(n-1\right)} \).
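As an added worked derivation (not part of the original appendices), the two saddle-point thresholds are obtained from the displayed eigenvalue conditions by the same rearrangement. It assumes \( \delta>0 \) and, for the centralized case, that the condition carries the prefactor \( \delta^2\phi/(\beta+1) \), which is the prefactor implied by the stated \( {\alpha}_c \):

\[
\begin{aligned}
\text{Decentralized:}\quad & \frac{\delta^2\phi}{\beta}\,\frac{1-\omega\eta}{1-\omega(n-1)}+\delta(\rho-\delta)<0 \\
\iff\quad & \frac{\delta\phi}{\beta}\,\frac{1-\omega\eta}{1-\omega(n-1)}+\rho-\delta<0 \\
\iff\quad & \rho<\delta\left(1-\frac{\phi}{\beta}\,\frac{1-\omega\eta}{1-\omega(n-1)}\right)=\alpha_D\,\delta . \\[8pt]
\text{Centralized:}\quad & \frac{\delta^2\phi}{\beta+1}\left(1+\frac{1}{\beta\,(1-\omega(n-1))}\right)+\delta(\rho-\delta)<0 \\
\iff\quad & \rho<\delta\left(1-\frac{\phi}{\beta+1}\,\frac{\beta(1-\omega(n-1))+1}{\beta\,(1-\omega(n-1))}\right) \\
& \;=\delta\left(1-\frac{\phi}{\beta(\beta+1)}\,\frac{\beta(1-\omega(n-1))+1}{1-\omega(n-1)}\right)=\alpha_c\,\delta .
\end{aligned}
\]

In both cases the threshold is the discount rate \( \delta \) scaled down by a factor that grows with \( \phi/\beta \) and, through \( 1-\omega(n-1) \), with the degree of interdependency; for \( \phi>0 \) both \( \alpha_D \) and \( \alpha_c \) are strictly below 1, so saddle-point stability requires \( \rho \) strictly smaller than \( \delta \).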
Appendix 3: Proof for Proposition 5
Substituting η = 0 into Eqs. (9) and (15) gives:
Since \( 0<1-\omega(n-1)<1 \), it follows that \( z_D>z_C \).
Substituting η = 1 into Eqs. (9) and (15) gives:
In this case it is observed that \( z_D<z_C \).
The parameter η∗ is the point at which the centralized security investment \( z_C \) and the decentralized security investment \( z_D \) (Eqs. 9 and 15) are equal. There is a unique η∗ that satisfies \( z_D=z_C \).
Equating (9) and (15) yields:
Solving (43) gives the unique η∗ as:
Since \( z_D>z_C \) at η = 0 and \( z_D<z_C \) at η = 1, the difference \( z_D-z_C \) changes sign on η ∈ [0, 1]; by the uniqueness of η∗, the root η∗ must therefore lie between 0 and 1, as a function of ϕ, δ, ω, β, ρ and n.
Also, since \( \frac{\partial {z}_D}{\partial \eta }<0 \) and \( \frac{\partial {z}_C}{\partial \eta }<0 \), the following results are obtained:
Cite this article
Ezhei, M., Tork Ladani, B. Interdependency Analysis in Security Investment against Strategic Attacks. Inf Syst Front 22, 187–201 (2020). https://doi.org/10.1007/s10796-018-9845-8