BASCPS: How does behavioral decision making impact the security of cyber-physical systems?

by Mustafa Abdallah, et al.

We study the security of large-scale cyber-physical systems (CPS) consisting of multiple interdependent subsystems, each managed by a different defender. Defenders invest their security budgets with the goal of thwarting the spread of cyber attacks to their critical assets. We model the security investment decisions made by the defenders as a security game. While prior work has used security games to analyze such scenarios, we propose behavioral security games, in which defenders exhibit characteristics of human decision making that have been identified in behavioral economics as representing typical human cognitive biases. This is important as many of the critical security decisions in our target class of systems are made by humans. We provide empirical evidence for our behavioral model through a controlled subject experiment. We then show that behavioral decision making leads to a suboptimal pattern of resource allocation compared to non-behavioral decision making. We illustrate the effects of behavioral decision making using two representative real-world interdependent CPS. In particular, we identify the effects of the defenders' security budget availability and distribution, the degree of interdependency among defenders, and collaborative defense strategies, on the degree of suboptimality of security outcomes due to behavioral decision making. In this context, the adverse effects of behavioral decision making are most severe with moderate defense budgets. Moreover, the impact of behavioral suboptimal decision making is magnified as the degree of the interdependency between subnetworks belonging to different defenders increases. We also observe that selfish defense decisions together with behavioral decisions significantly increase security risk.




