
A Survey of Interdependent Information Security Games

Published: 29 August 2014

Abstract

Risks faced by information system operators and users are not only determined by their own security posture, but are also heavily affected by the security-related decisions of others. This interdependence between information system operators and users is a fundamental property that shapes the efficiency of security defense solutions. Game theory is the most appropriate method to model the strategic interactions between these participants. In this survey, we summarize game-theoretic interdependence models, characterize the emerging security inefficiencies, and present mechanisms to improve the security decisions of the participants. We focus our attention on games with interdependent defenders and do not discuss two-player attacker-defender games. Our goal is to distill the main insights from the state of the art and to identify the areas that need more attention from the research community.




      Published In

      ACM Computing Surveys, Volume 47, Issue 2
      January 2015
      827 pages
      ISSN: 0360-0300
      EISSN: 1557-7341
      DOI: 10.1145/2658850
      Editor: Sartaj Sahni

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 29 August 2014
      Accepted: 01 June 2014
      Revised: 01 April 2014
      Received: 01 November 2012
      Published in CSUR Volume 47, Issue 2


      Author Tags

      1. Interdependent security
      2. externality
      3. security economics
      4. security games

      Qualifiers

      • Research-article
      • Research
      • Refereed

      Funding Sources

      • Bolyai Janos Research Fellowship Nr: BO/00273/12

      Cited By

      • (2024) A Quantal Response Analysis of Simultaneous Multi-Target Attacker-Defender Security Games. NOMS 2024 - 2024 IEEE Network Operations and Management Symposium, 1-6. DOI: 10.1109/NOMS59830.2024.10575252. Online publication date: 6-May-2024
      • (2024) AARA-PR: Asset-Aware PageRank-Based Security Resource Allocation Method for Attack Graphs. 2024 4th Interdisciplinary Conference on Electrics and Computer (INTCEC), 1-6. DOI: 10.1109/INTCEC61833.2024.10603228. Online publication date: 11-Jun-2024
      • (2024) A Quantal Response Analysis of Human Decision-Making in Interdependent Security Games Modeled by Attack Graphs. IEEE Access 12, 56159-56178. DOI: 10.1109/ACCESS.2024.3391305. Online publication date: 2024
      • (2024) GeniGraph: A genetic-based novel security defense resource allocation method for interdependent systems modeled by attack graphs. Computers & Security 144, 103927. DOI: 10.1016/j.cose.2024.103927. Online publication date: Sep-2024
      • (2024) Cybersecurity investments in supply chains with two-stage risk propagation. Computers & Industrial Engineering 197, 110519. DOI: 10.1016/j.cie.2024.110519. Online publication date: Nov-2024
      • (2023) Generalized Hyperbolic Discounting in Security Games of Timing. Games 14(6), 74. DOI: 10.3390/g14060074. Online publication date: 30-Nov-2023
      • (2023) Should I Regret More? A Regret-based Multi-round Learning with Behavioral Human Players in a Multi-Target Security Game. 2023 European Control Conference (ECC), 1-6. DOI: 10.23919/ECC57647.2023.10178277. Online publication date: 13-Jun-2023
      • (2023) How Suboptimal is Work-From-Home Security in IT/ICS Enterprises? A Strategic Organizational Theory for Managers. ACM Transactions on Management Information Systems. DOI: 10.1145/3579645. Online publication date: 15-Feb-2023
      • (2023) Cooperative security against interdependent risks. Production and Operations Management 32(11), 3504-3520. DOI: 10.1111/poms.14047. Online publication date: 1-Nov-2023
      • (2023) Attacks on tomorrow’s virtual world. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume (DSN-S), 105-110. DOI: 10.1109/DSN-S58398.2023.00033. Online publication date: Jun-2023
