You Only Die Once: Managing Discrete Interdependent Risks

This paper extends our earlier analysis of interdependent security issues to a general class of problems involving discrete interdependent risks with heterogeneous agents. There is a threat of an event that can only happen once, and the risk depends on actions taken by others. Any agent's incentive to invest in managing the risk depends on the actions of others. Security problems at airlines and in computer networks come into this category, as do problems of risk management in organizations facing the possibility of bankruptcy, and individuals' choices about whether to be vaccinated against an infectious disease. Surprisingly the framework also covers certain aspects of investment in R&D. Here we characterize Nash equilibria with heterogeneous agents and give conditions for tipping and cascading of equilibria.

Cybersecurity Games and Investments: A Decision Support Approach

Abstract. In this paper we investigate how to optimally invest in cyber-security controls. We are particularly interested in examining cases where the organization suffers from an underinvestment problem or inefficient spending on cybersecurity. To this end, we first model the cybersecurity environment of an organization. We then model non-cooperative cyber-security control-games between the defender which abstracts all defense mechanisms of the organization and the attacker which can exploit dif-ferent vulnerabilities at different network locations. To implement our methodology we use the SANS Top 20 Critical Security Controls and the 2011 CWE/SANS top 25 most dangerous software errors. Based on the profile of an organization, which forms its preferences in terms of indirect costs, its concerns about different kinds of threats and the im-portance of the assets given their associated risks we derive the Nash Equilibria of a series of control-games. These game solutions are then handled by optimization techniques, in particular multi-objective, multi-ple choice Knapsack to determine the optimal cybersecurity investment. Our methodology provides security effective and cost efficient solutions especially against commodity attacks. We believe our work can be used to advise security managers on how they should spend an available cy-bersecurity budget given their organization profile

Game theory meets information security management

Part 1: Intrusion DetectionInternational audienceThis work addresses the challenge “how do we make better security decisions?” and it develops techniques to support human decision making and algorithms which enable well-founded cyber security decisions to be made. In this paper we propose a game theoretic model which optimally allocates cyber security resources such as administrators’ time across different tasks. We first model the interactions between an omnipresent attacker and a team of system administrators seen as the defender, and we have derived the mixed Nash Equilibria (NE) in such games. We have formulated general-sum games that represent our cyber security environment, and we have proven that the defender’s Nash strategy is also minimax. This result guarantees that independently from the attacker’s strategy the defender’s solution is optimal. We also propose Singular Value Decomposition (SVD) as an efficient technique to compute approximate equilibria in our games. By implementing and evaluating a minimax solver with SVD, we have thoroughly investigated the improvement that Nash defense introduces compared to other strategies chosen by common sense decision algorithms. Our key finding is that a particular NE, which we call weighted NE, provides the most effective defense strategy. In order to validate this model we have used real-life statistics from Hackmageddon, the Verizon 2013 Data Breach Investigation report, and the Ponemon report of 2011. We finally compare the game theoretic defense method with a method which implements a stochastic optimization algorithm

A Framework for Computational Strategic Analysis: Applications to Iterated Interdependent Security Games

Past work on tournaments in iterated prisoner’s dilemma and the evolution of cooperation spawned by Axelrod has contributed insights about achieving cooperation in social dilemmas, as well as a framework for strategic analysis in such settings. We present a broader, more extensive framework for strategic analysis in general games, which we illustrate in the context of a particular social dilemma encountered in interdependent security settings. Our framework is fully quantitative and computational, allowing one to measure the quality of strategic alternatives across a series of measures, and as a function of relevant game parameters. Our special focus on performing analysis over a parametric landscape is motivated by public policy considerations, where possible interventions are modeled as affecting particular parameters of the game. Our findings qualify the touted efficacy of the Tit-for-Tat strategy, demonstrate the importance of monitoring, and exhibit a phase transition in cooperative behavior in response to a manipulation of policy-relevant parameters of the game

Inefficient centralization of imperfect complements

If local public goods exhibit spillovers and regions are sufficiently symmetric, decentralization implies underprovision, whereas cooperative centralization is associated with strict Pareto-improvement. This classic inference rests on two assumptions: local politicians are delegated sincerely and never provide voluntary transfers to the other regions. We abandon these assumptions in a setup of two symmetric regions with imperfect complementarity between local public goods. For this particular aggregation, non-cooperative decentralization can achieve the social optimum, whereas cooperative centralization cannot.centralization; public goods; strategic delegation; weakest-link; voluntary transfers

A Graphical Adversarial Risk Analysis Model for Oil and Gas Drilling Cybersecurity

Oil and gas drilling is based, increasingly, on operational technology, whose cybersecurity is complicated by several challenges. We propose a graphical model for cybersecurity risk assessment based on Adversarial Risk Analysis to face those challenges. We also provide an example of the model in the context of an offshore drilling rig. The proposed model provides a more formal and comprehensive analysis of risks, still using the standard business language based on decisions, risks, and value.Comment: In Proceedings GraMSec 2014, arXiv:1404.163

Essays on the economics of networks

Networks (collections of nodes or vertices and graphs capturing their linkages) are a common object of study across a range of fields includ- ing economics, statistics and computer science. Network analysis is often based around capturing the overall structure of the network by some reduced set of parameters. Canonically, this has focused on the notion of centrality. There are many measures of centrality, mostly based around statistical analysis of the linkages between nodes on the network. However, another common approach has been through the use of eigenfunction analysis of the centrality matrix. My the- sis focuses on eigencentrality as a property, paying particular focus to equilibrium behaviour when the network structure is fixed. This occurs when nodes are either passive, such as for web-searches or queueing models or when they represent active optimizing agents in network games. The major contribution of my thesis is in the applica- tion of relatively recent innovations in matrix derivatives to centrality measurements and equilibria within games that are function of those measurements. I present a series of new results on the stability of eigencentrality measures and provide some examples of applications to a number of real world examples