Conference Topic

Secure or Insure? A Game-Theoretic Analysis of Information Security Games

Despite general awareness of the importance of keeping one’s system secure, and widespread availability of consumer security technologies, actual investment in security remains highly variable across the Internet population, allowing attacks such as distributed denial-of-service (DDoS) and spam distribution to continue unabated. By modeling security investment decision-making in established (e.g., weakest-link, best-shot) and novel games (e.g., weakest-target), and allowing expenditures in self-protection versus self-insurance technologies, we can examine how incentives may shift between investment in a public good (protection) and a private good (insurance), subject to factors such as network size, type of attack, loss probability, loss magnitude, and cost of technology. We can also characterize Nash equilibria and social optima for different classes of attacks and defenses. In the weakest-target game, an interesting result is that, for almost all parameter settings, more effort is exerted at Nash equilibrium than at the social optimum. We may attribute this to the “strategic uncertainty” of players seeking to self-protect at just slightly above the lowest protection level.

Economics of the Internet; Game Theory; Public Goods; Incentive-Centered Design and Engineering; Security; Protection; Self-Insurance

Jens Grossklags; Nicolas Christin; John Chuang

UC Berkeley School of Information, Berkeley, CA 94720; Carnegie Mellon University INI/CyLab Japan, Kobe, 650-0044 Japan

International conference

The 17th International World Wide Web Conference (WWW08)

Beijing

English

2008-04-21 (date first posted online on the Wanfang platform; does not represent the paper's publication date)