4 research outputs found

    Estimating Systematic Risk in Real-World Networks

    Abstract. Social, technical and business connections can all give rise to security risks. These risks can be substantial when individual compromises occur in combinations, and difficult to predict when some connections are not easily observed. A significant and relevant challenge is to predict these risks using only locally-derivable information. We illustrate by example that this challenge can be met if some general topological features of the connection network are known. By simulating an attack propagation on two large real-world networks, we identify structural regularities in the resulting loss distributions, from which we can relate various measures of a network’s risks to its topology. While deriving these formulae requires knowing or approximating the connective structure of the network, applying them requires only locally-derivable information. On the theoretical side, we show that our risk-estimating methodology gives good approximations on randomly-generated scale-free networks with parameters approximating those in our study. Since many real-world networks are formed through preferential attachment mechanisms that yield similar scale-free topologies, we expect this methodology to have a wider range of applications to risk management whenever a large number of connections is involved.

    A Survey of Interdependent Information Security Games

    Risks faced by information system operators and users are not only determined by their own security posture, but are also heavily affected by the security-related decisions of others. This interdependence between information system operators and users is a fundamental property that shapes the efficiency of security defense solutions. Game theory is the most appropriate method to model the strategic interactions between these participants. In this survey, we summarize game-theoretic interdependence models, characterize the emerging security inefficiencies, and present mechanisms to improve the security decisions of the participants. We focus our attention on games with interdependent defenders and do not discuss two-player attacker-defender games. Our goal is to distill the main insights from the state-of-the-art and to identify the areas that need more attention from the research community.