Abstract
A common assumption in security research is that more individual expertise unambiguously leads to a more secure overall network. We present a game-theoretic model in which this common assumption does not hold. Our findings indicate that expert users can be not only invaluable contributors, but also free-riders, defectors, and narcissistic opportunists. One direct implication is that user education needs to highlight the cooperative nature of security and foster a sense of community, particularly among more highly skilled computer users.
As a technical contribution, this paper represents, to our knowledge, the first formal study to quantitatively assess the impact of different degrees of information security expertise on the overall security of a network.
© 2010 Springer-Verlag Berlin Heidelberg
Johnson, B., Grossklags, J., Christin, N., Chuang, J. (2010). Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds) Computer Security – ESORICS 2010. ESORICS 2010. Lecture Notes in Computer Science, vol 6345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15497-3_36
DOI: https://doi.org/10.1007/978-3-642-15497-3_36
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15496-6
Online ISBN: 978-3-642-15497-3