Behavioral and Game-Theoretic Security Investments in Interdependent Systems Modeled by Attack Graphs
share
We consider a system consisting of multiple interdependent assets, and a set of defenders, each responsible for securing a subset of the assets against an attacker. The interdependencies between the assets are captured by an attack graph, where an edge from one asset to another indicates that if the former asset is compromised, an attack can be launched on the latter asset. Each edge has an associated probability of successful attack, which can be reduced via security investments by the defenders. In such scenarios, we investigate the security investments that arise under certain features of human decision-making that have been identified in behavioral economics. In particular, humans have been shown to perceive probabilities in a nonlinear manner, typically overweighting low probabilities and underweighting high probabilities. We show that suboptimal investments can arise under such weighting in certain network topologies. We also show that pure strategy Nash equilibria exist in settings with multiple (behavioral) defenders, and study the inefficiency of the equilibrium investments by behavioral defenders compared to a centralized socially optimal solution.
READ FULL TEXT
