Results 1 - 10 of 43
Game Theory Meets Network Security and Privacy
Cited by 35 (5 self)
This survey provides a structured and comprehensive overview of the research contributions that analyze and solve security and privacy problems in computer networks by game-theoretic approaches. A selected set of works is presented to highlight the application of game theory in order to address different forms of security and privacy problems in computer networks and mobile applications. The presented works are classified into six main categories based on their topics: security of the physical and MAC layers, application layer security in mobile networks, intrusion detection systems, anonymity and privacy, economics of network security, and cryptography. In each category, security problems, players, and game models are identified, and the main results of selected works, such as equilibrium analysis and security mechanism designs, are summarized. In addition, a discussion on advantages, drawbacks, and the future direction of using game theory in this field is provided. In this survey, we aim to provide a better understanding of the different research approaches for applying game theory to network security. This survey can also help researchers from various fields develop game-theoretic solutions to current and emerging security problems in computer networking.
A Survey of Interdependent Security Games
2012
Cited by 9 (5 self)
Interdependence of information systems is a fundamental property that shapes the problems in information security. The risks faced by system operators and users are not only determined by their own security posture, but are heavily affected by the security-related decisions of other connected systems. Therefore, defending networked systems relies on the correlated action of the system operators or users. In this survey, we summarize game-theoretic interdependence models, characterize the emerging security inefficiencies and present solution methods. Our goal is to distill the main insights from the state-of-the-art and to identify the areas that need more attention from the research community.
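A minimal interdependent security game, added here as a worked example and not code from the survey or from any paper it covers: four identical agents each decide whether to buy protection. Protection removes an agent's own direct attack risk but not contagion from unprotected peers, which is what couples the decisions. The model shape (Kunreuther-Heal style), the parameter values `p`, `q`, `c`, `L` and the independence approximation for contagion are assumptions chosen for illustration. Best-response dynamics reach two pure Nash equilibria, all-invest and none-invest, while exhaustive search shows only all-invest is socially optimal; the none-invest equilibrium is the kind of inefficiency the survey refers to.

```python
import itertools

# Assumed model parameters (illustrative, not taken from the survey):
#   p: probability that an unprotected agent is attacked directly
#   q: probability that a directly compromised unprotected peer passes the compromise on
#   c: cost of investing in protection
#   L: loss suffered by a compromised agent
PARAMS = dict(p=0.2, q=0.5, c=3.0, L=20.0)


def expected_cost(i, profile, p, q, c, L):
    """Expected cost of agent i under `profile` (tuple of 0/1, 1 = invests).

    Investing removes the agent's own direct risk but not the contagion
    coming from unprotected peers; that is what makes the decisions
    interdependent. Contagion from distinct peers is treated as independent."""
    no_contagion = 1.0
    for j, x_j in enumerate(profile):
        if j != i:
            no_contagion *= 1.0 - q * p * (1 - x_j)
    no_direct = 1.0 if profile[i] else 1.0 - p
    return c * profile[i] + L * (1.0 - no_direct * no_contagion)


def best_response(i, profile, **params):
    """1 if investing is (weakly) cheaper for agent i given the others' choices."""
    invest = profile[:i] + (1,) + profile[i + 1:]
    abstain = profile[:i] + (0,) + profile[i + 1:]
    return 1 if expected_cost(i, invest, **params) <= expected_cost(i, abstain, **params) else 0


def is_nash(profile, **params):
    """No agent can strictly lower its expected cost by flipping its choice."""
    for i, x_i in enumerate(profile):
        flipped = profile[:i] + (1 - x_i,) + profile[i + 1:]
        if expected_cost(i, flipped, **params) < expected_cost(i, profile, **params) - 1e-12:
            return False
    return True


def best_response_dynamics(profile, max_rounds=100, **params):
    """Agents revise in turn until nobody wants to change; returns the fixed point."""
    profile = tuple(profile)
    for _ in range(max_rounds):
        updated = profile
        for i in range(len(profile)):
            updated = updated[:i] + (best_response(i, updated, **params),) + updated[i + 1:]
        if updated == profile:
            return profile
        profile = updated
    raise RuntimeError("best-response dynamics did not settle")


def total_cost(profile, **params):
    """Sum of all agents' expected costs (the social cost of a profile)."""
    return sum(expected_cost(i, profile, **params) for i in range(len(profile)))


def social_optimum(n, **params):
    """Exhaustive search over the 2^n profiles for the lowest total expected cost."""
    best = min(itertools.product((0, 1), repeat=n), key=lambda prof: total_cost(prof, **params))
    return best, total_cost(best, **params)


if __name__ == "__main__":
    n = 4
    for start in ((0,) * n, (1,) * n):
        eq = best_response_dynamics(start, **PARAMS)
        print(f"start {start} -> equilibrium {eq}, Nash={is_nash(eq, **PARAMS)}, "
              f"total cost {total_cost(eq, **PARAMS):.3f}")
    print("social optimum:", social_optimum(n, **PARAMS))
```

Writing the two costs out shows the mechanism: with Π the probability that no unprotected peer transmits, investing costs `c + L(1 - Π)` and abstaining costs `L(1 - Π) + L p Π`, so an agent invests only when `c < L p Π`. Every peer that stays unprotected shrinks Π and therefore the incentive to invest, which is why the all-unprotected profile is self-sustaining even though everyone would be better off protected.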
Aegis: A Novel Cyber-Insurance Model
Cited by 8 (7 self)
Recent works on Internet risk management have proposed the idea of cyber-insurance to eliminate risks due to security threats, which cannot be tackled through traditional means such as by using antivirus software. In reality, an Internet user faces risks due to security attacks as well as risks due to non-security-related failures (e.g., reliability faults in the form of hardware crash, buffer overflow, etc.). These risk types are often indistinguishable by a naive user. However, a cyber-insurance agency would most likely insure risks only due to security attacks. In this case, it becomes a challenge for an Internet user to choose the right type of cyber-insurance contract, as traditional optimal contracts, i.e., contracts for security attacks only, might prove to be sub-optimal for himself. In this paper, we address the problem of analyzing cyber-insurance solutions when a user faces risks due to both security and non-security-related failures. We propose Aegis, a simple and novel cyber-insurance model in which the user accepts a fraction (strictly positive) of loss recovery on himself and transfers the rest of the loss recovery to the cyber-insurance agency. We mathematically show that only under conditions when buying cyber-insurance is mandatory, given an option, risk-averse Internet users would prefer Aegis contracts to traditional cyber-insurance contracts, under all premium types. This result firmly establishes the non-existence of traditional cyber-insurance markets when Aegis contracts are offered to users. We also derive an interesting counter-intuitive result related to the Aegis framework: we show that an increase (decrease) in the premium of an Aegis contract may not always lead to a decrease (increase) in its user demand. In the process, we also state the conditions under which the latter trend and its converse emerge.
Our work proposes a new model of cyber-insurance for Internet security that extends all previous related models by accounting for the extra dimension of non-insurable risks. Aegis also incentivizes Internet users to take up more personal responsibility for protecting their systems.
Security Games with Market Insurance
2011
Cited by 7 (5 self)
Security games are characterized by multiple players who strategically adjust their defenses against an abstract attacker, represented by realizations of nature. The defense strategies include both actions where security generates positive externalities and actions that do not. When the players are assumed to be risk averse, market insurance enters as a third strategic option. We formulate a one-shot security game with market insurance, characterize its pure equilibria, and describe how the equilibria compare to established results. Simplifying assumptions include homogeneous players, fair insurance premiums, and complete information except for realizations of nature. The results add more realism to the interpretation of analytical models of security games and might inform policy makers on adjusting incentives to improve network security and foster the development of a market for cyber-insurance.
Security Adoption in Heterogeneous Networks: the Influence of Cyber-insurance Market
Cited by 6 (1 self)
Hosts (or nodes) in the Internet often face epidemic risks such as virus and worm attacks. Despite the awareness of these risks and the availability of anti-virus software, investment in security protection is still scarce; hence, epidemic risk is still prevalent. Deciding whether to invest in security protection is an inter-dependent process: the security investment decision made by one node can affect the security risk of others, and therefore affect their decisions also. The first contribution of this paper is to provide a fundamental understanding of how “network externality” and “node heterogeneity” may affect security adoption. Nodes make decisions on security investment by evaluating the epidemic risk and the expected loss. We characterize it as a Bayesian network game in which nodes only have local information, e.g., number of neighbors, as well as minimum common information, e.g., the degree distribution of the network. Our second contribution is in analyzing a new form of risk management called cyber-insurance. We investigate how the presence of a competitive insurance market can affect security adoption and show that if the insurance provider can observe the protection level of nodes, the insurance market is a positive incentive for security adoption provided that the protection quality is not high. We also find that cyber-insurance is more likely to be a good incentive for nodes with higher degree. This work provides a fundamental understanding of the economic aspects of security adoption, and sheds light on a new Internet security service which can be economically viable and sustainable.
Estimating systematic risk in real-world networks
In FC, 2014
Cited by 6 (4 self)
Social, technical and business connections can all give rise to security risks. These risks can be substantial when individual compromises occur in combinations, and difficult to predict when some connections are not easily observed. A significant and relevant challenge is to predict these risks using only locally-derivable information. We illustrate by example that this challenge can be met if some general topological features of the connection network are known. By simulating an attack propagation on two large real-world networks, we identify structural regularities in the resulting loss distributions, from which we can relate various measures of a network’s risks to its topology. While deriving these formulae requires knowing or approximating the connective structure of the network, applying them requires only locally-derivable information. On the theoretical side, we show that our risk-estimating methodology gives good approximations on randomly-generated scale-free networks with parameters approximating those in our study. Since many real-world networks are formed through preferential attachment mechanisms that yield similar scale-free topologies, we expect this methodology to have a wider range of applications to risk management whenever a large number of connections is involved.
On Differentiating Cyber-Insurance Contracts: A Topological Perspective
Cited by 5 (5 self)
Recent literature on cyber-insurance has stressed the importance of discriminating network users on insurance contracts for the following reasons: (i) preventing adverse selection, (ii) partly internalizing the negative externalities of interdependent security, (iii) achieving maximum social welfare, (iv) helping a risk-averse insurer to distribute costs of holding safety capital among its clients, and (v) insurers sustaining a fixed amount of profit per contract. Thus, an important problem is studying ways to appropriately execute the user discrimination process. In this paper we take a network topological perspective and propose a technique (mechanism) to pertinently contract-discriminate insured network users. We mathematically show that the Bonacich/eigenvector centralities of network users are an appropriate parameter for differentiating insurance clients.
Cyber-Insurance for Cyber-Security: A Topological Take On Modulating Insurance Premiums
Ranjan Pal
Cited by 5 (5 self)
A recent conjecture in cyber-insurance research states that for compulsory monopolistic insurance scenarios, charging fines and rebates on fair premiums will incentivize network users to invest in self-defense, thereby making cyber-space more robust. Assuming the validity of the conjecture, in this paper we adopt a topological perspective in proposing a mechanism that accounts for (i) the positive externalities posed (through self-defense investments) by network users on their peers, and (ii) the network location (based on centrality measures) of users, and provides an appropriate way to proportionally allocate fines/rebates on user premiums. We mathematically justify (via a game-theoretic analysis) that optimal fines/rebates per user should be allocated in proportion to the Bonacich or eigenvector centrality value of the user.
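The two topological entries above (contract differentiation and fine/rebate allocation) both rest on eigenvector centrality, so one added example serves both. It is illustration code written for this listing, not code from either paper: it computes eigenvector centrality by power iteration over a constructed star topology and then splits a fine/rebate pool across users in proportion to their centrality. The balancing rule used here (rebates for users who self-protect, fines for those who do not, each side summing to the same pool so the monopolist insurer's income is unchanged) and the numbers `base_premium`, `pool` and the `invests` flags are assumptions for the example; the papers' own mechanisms may differ in detail.

```python
import math


def eigenvector_centrality(adj, iters=10000, tol=1e-12):
    """Eigenvector centrality of an undirected graph given as a 0/1 adjacency
    matrix, by power iteration on (A + I). Shifting by the identity keeps the
    leading eigenvector of A but removes the -lambda eigenvalue that makes
    plain power iteration oscillate on bipartite graphs (stars, paths, trees).
    The returned vector is L2-normalised."""
    n = len(adj)
    v = [1.0 / math.sqrt(n)] * n
    for _ in range(iters):
        w = [v[i] + sum(adj[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = math.sqrt(sum(x * x for x in w))
        w = [x / norm for x in w]
        if max(abs(a - b) for a, b in zip(w, v)) < tol:
            return w
        v = w
    raise RuntimeError("power iteration did not converge")


def allocate_premiums(adj, base_premium, invests, pool):
    """Assumed fine/rebate mechanism (illustration, not the paper's formulation):
    users who invest in self-defense receive rebates, users who do not pay
    fines, and within each group the amount is proportional to eigenvector
    centrality. Fines and rebates each sum to `pool`, so the insurer's total
    premium income is unchanged. If either group is empty the pool cannot be
    balanced, so no adjustment is applied at all.
    Returns (centrality vector, adjusted premium per user)."""
    cent = eigenvector_centrality(adj)
    rebate_weight = sum(c for c, inv in zip(cent, invests) if inv)
    fine_weight = sum(c for c, inv in zip(cent, invests) if not inv)
    if rebate_weight == 0 or fine_weight == 0:
        pool = 0.0

    def share(c, weight):
        return pool * c / weight if pool else 0.0

    premiums = []
    for c, inv in zip(cent, invests):
        if inv:
            premiums.append(base_premium - share(c, rebate_weight))
        else:
            premiums.append(base_premium + share(c, fine_weight))
    return cent, premiums


def star_graph(n_leaves):
    """Constructed sample topology: node 0 is a hub joined to every leaf."""
    n = n_leaves + 1
    adj = [[0] * n for _ in range(n)]
    for leaf in range(1, n):
        adj[0][leaf] = adj[leaf][0] = 1
    return adj


if __name__ == "__main__":
    invests = [True, False, True, False, False]   # constructed: hub and leaf 2 self-protect
    cent, prem = allocate_premiums(star_graph(4), base_premium=100.0, invests=invests, pool=40.0)
    for node, (c, p) in enumerate(zip(cent, prem)):
        print(f"node {node}: centrality {c:.4f} invests={invests[node]} premium {p:.2f}")
```

On the star with four leaves the hub's centrality is exactly twice a leaf's (1/sqrt(2) against 1/sqrt(8)), so the protecting hub draws two thirds of the rebate pool while the three unprotected leaves split the fines evenly. This is the intended effect of the mechanism: the user whose protection (or lack of it) has the largest externality on the rest of the network sees the largest premium adjustment.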
The Economics of Cybersecurity: Principles and Policy Options
2010
Cited by 5 (1 self)
Economics puts the challenges facing cybersecurity into perspective better than a purely technical approach does. Systems often fail because the organizations that defend them do not bear the full costs of failure. For instance, companies operating critical infrastructures have integrated control systems with the Internet to reduce near-term, measurable costs while raising the risk of catastrophic failure, whose losses will be primarily borne by society. As long as anti-virus software is left to individuals to purchase and install, there may be a less than optimal level of protection when infected machines cause trouble for other machines rather than their owners. In order to solve the problems of growing vulnerability and increasing crime, policy and legislation must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. In this paper, we outline the various economic challenges plaguing cybersecurity in greater detail: misaligned incentives, information asymmetries and externalities. We then discuss the regulatory options that are available to overcome these barriers in the cybersecurity context: ex ante safety regulation, ex post liability, information disclosure, and indirect intermediary liability. Finally, we make several recommendations for policy changes to improve cybersecurity: mitigating malware infections via ISPs by subsidized cleanup, mandatory disclosure of fraud losses and security incidents, mandatory disclosure of control system incidents and intrusions, and aggregating reports of cyber espionage and reporting to the World Trade Organization (WTO).
The complexity of estimating systematic risk in networks
In: Proceedings of the 27th IEEE Computer Security Foundations Symposium (CSF), 2014
Cited by 4 (3 self)
The risk of catastrophe from an attack is a consequence of a network’s structure formed by the connected individuals, businesses and computer systems. Understanding the likelihood of extreme events, or, more generally, the probability distribution of the number of compromised nodes, is an essential requirement to provide risk mitigation or cyber-insurance. However, previous network security research has not considered features of these distributions beyond their first central moments, while previous cyber-insurance research has not considered the effect of topologies on the supply side. We provide a mathematical basis for bridging this gap: we study the complexity of computing these loss-number distributions, both generally and for special cases of common real-world networks. In the case of scale-free networks, we demonstrate that expected loss alone cannot determine the riskiness of a network, and that this riskiness cannot be naively estimated from smaller samples, which highlights the lack/importance of topological data in security incident reporting.
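Both systematic-risk entries (the FC 2014 paper above and this CSF 2014 paper) turn on the same computation: simulate attack propagation over a network and look at the whole loss-number distribution rather than its mean. The following is an added example written for this listing, not the authors' code and not their exact propagation model: it builds a scale-free graph by preferential attachment, runs a simple independent-cascade attack (each node is hit directly with probability `p0`, each compromised node then infects each clean neighbour with probability `q`, one attempt per edge), collects the empirical distribution of compromised-node counts, and reports mean and variance next to the tail quantile and expected shortfall. An Erdős–Rényi graph with the same edge count is generated as a hubless control. All parameter values and the two generators are assumptions for the example.

```python
import random


def preferential_attachment_graph(n, m, seed=0):
    """Scale-free graph by preferential attachment (Barabasi-Albert style):
    each new node links to m distinct existing nodes chosen with probability
    proportional to their current degree. The first m nodes form the seed and
    the first new node links to all of them, so the graph is connected and
    has m*(n-m) edges. Returns an adjacency list: dict node -> set(neighbours)."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    endpoints = []               # every node listed once per incident edge
    targets = list(range(m))
    for new in range(m, n):
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            endpoints.extend((new, t))
        chosen = set()           # degree-weighted sampling without replacement
        while len(chosen) < m:
            chosen.add(rng.choice(endpoints))
        targets = list(chosen)
    return adj


def erdos_renyi_graph(n, n_edges, seed=0):
    """G(n, M) control graph: same number of edges, but no hubs."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    edges = 0
    while edges < n_edges:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]:
            adj[u].add(v)
            adj[v].add(u)
            edges += 1
    return adj


def edge_count(adj):
    return sum(len(nb) for nb in adj.values()) // 2


def cascade_size(adj, p0, q, rng):
    """One realization of an attack: each node is compromised directly with
    probability p0, then every compromised node compromises each still-clean
    neighbour with probability q (one attempt per edge). Returns the number
    of compromised nodes, i.e. the loss count of this realization."""
    compromised = {v for v in adj if rng.random() < p0}
    frontier = list(compromised)
    while frontier:
        v = frontier.pop()
        for u in adj[v]:
            if u not in compromised and rng.random() < q:
                compromised.add(u)
                frontier.append(u)
    return len(compromised)


def loss_distribution(adj, p0, q, runs, seed=0):
    """Empirical loss-number distribution: one cascade size per run."""
    rng = random.Random(seed)
    return [cascade_size(adj, p0, q, rng) for _ in range(runs)]


def risk_summary(losses, tail_level=0.99):
    """First two moments plus two tail measures: the empirical quantile
    (value-at-risk) and the mean loss at or beyond it (expected shortfall)."""
    runs = len(losses)
    mean = sum(losses) / runs
    variance = sum((x - mean) ** 2 for x in losses) / runs
    ordered = sorted(losses)
    value_at_risk = ordered[min(runs - 1, int(tail_level * runs))]
    tail = [x for x in ordered if x >= value_at_risk]
    return {
        "mean": mean,
        "variance": variance,
        "value_at_risk": value_at_risk,
        "expected_shortfall": sum(tail) / len(tail),
    }


if __name__ == "__main__":
    n, m, p0, q, runs = 300, 2, 0.01, 0.3, 2000
    scale_free = preferential_attachment_graph(n, m, seed=1)
    control = erdos_renyi_graph(n, edge_count(scale_free), seed=1)
    for name, g in (("scale-free", scale_free), ("erdos-renyi", control)):
        print(name, "max degree", max(len(nb) for nb in g.values()),
              risk_summary(loss_distribution(g, p0, q, runs, seed=7)))
```

The point to take from the two printed summaries is that the mean is reported separately from the 99th-percentile loss and the expected shortfall: an insurer pricing a portfolio on expected loss alone would treat two networks with similar means as equally risky even when their tails differ, which is exactly the gap the paper describes. Note also that the tail estimate is only as good as the number of runs; with 2000 runs the 99th percentile rests on about twenty observations, so production use needs far more samples or the analytical approach the paper develops.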