Network Security Games: Combining Game Theory, Behavioral Economics, and Network Measurements

Computer and information networks are a prime example of an environment where negative externalities abound, particularly when it comes to implementing security defenses. A typical example is that of denial-of-service prevention: ingress filtering, where attack traffic gets discarded by routers close to the perpetrators, is in principle an excellent remedy, as it prevents harmful traffic not only from reaching the victims, but also from burdening the network situated between attacker and target. However, with ingress filtering, the entities (at the ingress) that have to invest in additional filtering are not the ones (at the egress) who mostly benefit from the investment, and, may not have any incentive to participate in the scheme. As this example illustrates, it is important to understand the incentives of the different participants to a network, so that we can design schemes or intervention mechanisms to realign them with a desirable outcome. Game theory offers a solid bedrock for formally assessing the incentives of non-cooperative participants. In this talk, I will start by discussing a framework for network security games [4, 5] that we devised to help model how rational, individual, end-users would respond to security threats in large-scale networks. We decouple security decisions between self-insurance (which does not present any externalities) and self-protection (which does present externalities). Assuming fully rational players, acting with perfect information, and with the ability to perfectly execute their security decisions , we can derive results showing how much of a negative impact externalities can have on security decision-making. I will also introduce extensions of this work which deal with more limited information cases [6]. However, humans are not acting perfectly rationally when it comes to security decision-making. Prospect theory tells us that humans tend to be risk-averse when it comes to gains; and risk-seeking when it comes to losses [7]. In other words, people tend to " gamble " more than they should when it comes to security risks. I will further show, through an experiment related to our framework [3] that in addition to these biases , users have very limited " computational " ability; in particular, they seem unable to strategize over more than one decision variable at a time. I will present complementary experimental results [1] that suggest that Peltzman effects [11] also apply in computer security. Much like drivers wearing seat belts or helmets tend to drive faster, people tend to behave more insecurely online when …