Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ICICIC.2008.319

2008-01-01

Abstract:The purpose of this paper is to analyze the strategy to promote the information security investment based on game theory. We use game theory to make the analysis and put forward the fruitful strategy suggestions for the defender organization to invest in information security. We set up the information security game model, and make the Nash Equilibrium analysis. The Nash Equilibrium analysis results of pure strategy and mixed strategy are consistent. By Nash Equilibrium analysis, we get the cost demand for information security investment. If this demand condition is not satisfied, we introduce the penalty parameter to the investment game. By regulating the value of the penalty parameter, we solve the hard problem of information security investment when it is difficult to reduce the investment cost. It is the first time to analyze information security investment by game theory. Our results provide fruitful strategy suggestions to promote information security investment.

孙薇,孔祥维,何德全,尤新刚

DOI: https://doi.org/10.3969/j.issn.1007-3221.2008.05.015

2008-01-01

Abstract:Based on Game theory,this paper analyzes the equilibrium of information security investment,and provides a new method to solve the investment quantity of information security.It sets up the information security investment game model of the organizations according to the strategy interdependence,and the relation parameter in the model reflects the game relationship of two organizations,so the equilibrium analysis is made based on reaction function method according to the deferent value of relation parameter.In particular,for the attacker-defender game relationship,it brings forward a proposition of information security investment and makes simulation analysis.The research result not only explains the information security investment in the world,but also provides a good direction of the information security investment quantity for organizations.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.147

2008-01-01

Abstract:The purpose of this paper is to resolve information security problem in the mobile electronic commerce industry chain. We analyze information security based on evolutionary game theory. In this paper, we set up the information security game model with penalty parameter, calculate replicator dynamics, and analyze the evolutionary stable strategy of the game model. The result reveals that reducing the investment cost is the key factor to promote information security investment. If this condition can not be satisfied, the regulation of penalty parameter will help to promote the investment. The research method in this paper provides a new thought for the solution of information security in the mobile electronic commerce chain.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.149

2008-01-01

Abstract:This paper analyzes information security in the E-commerce based on game theory, and this game analysis method is applied to information security for the first time. We set up the information security game model of the defender and the attacker, make the equilibrium analysis of this game model, and get the ideal strategy combination. Then we introduce the penalty parameter of the defender and the penalty parameter of the attacker to solve the problem that the restriction condition is not satisfied. The introduction of the penalty parameter of the defender promotes the defender to invest in information security, and the introduction of the penalty parameter of the attacker promotes the attacker to take no attack strategy. This paper provides good reference for information security in the E-commerce.

Xing Gao,Manting Qiu,Ying Wang,Xifan Wang

DOI: https://doi.org/10.1080/01605682.2022.2096506

IF: 3.6

2022-08-04

Journal of the Operational Research Society

Abstract:Nowadays, business connection between firms becomes rather common so that one firm stores not only its information asset but also some of other firms' information asset. The management of information security is vital for these resource-sharing firms. This paper constructs a game-theoretic model between two resource-sharing firms and one hacker to examine their strategic interaction when the firms face budget constraint on security investment. We consider security information sharing between the firms, which can improve their overall security effort but meantime facilitate the hacker's learning to reduce attack costs. We find that although a tight budget constraint can help save investment cost, the firms always suffer from a poorly secure environment. It shows that although security information sharing is usually encouraged, the firms may be hurt when security information sharing is excessive so that fierce cyber-attacks are induced. We finally design an optimal compensation mechanism, in which the compensation fund is shown to increase with the degree of resource sharing.

management,operations research & management science

Xiaofei Qian,Xinbao Liu,Jun Pei,Panos M. Pardalos,Lin Liu

DOI: https://doi.org/10.1057/s41274-016-0134-y

IF: 3.6

2017-10-01

Journal of the Operational Research Society

Abstract:The application of Internet of Things promotes the cooperation among firms, and it also introduces some information security issues. Due to the vulnerability of the communication network, firms need to invest in information security technologies to protect their confidential information. In this paper, considering the multiple-step propagation of a security breach in a fully connected network, an information security investment game among n firms is investigated. We make meticulous theoretic and experimental analyses on both the Nash equilibrium solution and the optimal solution. The results show that a larger network size (n) or a larger one-step propagation probability (q) has a negative effect on the Nash equilibrium investment. The optimal investment does not necessarily increase in n or q, and its variation trend depends on the concrete conditions. A compensation mechanism is proposed to encourage firms to coordinate their strategies and invest a higher amount equal to the optimal investment when they make decisions individually. At last, our model is extended by considering another direct breach probability function and another network structure, respectively. We find that a higher connection density of the network will result in a greater expected cost for each firm.

management,operations research & management science

Dengpan Liu,Yonghua Ji,Vijay Mookerjee

DOI: https://doi.org/10.1016/j.dss.2011.05.007

IF: 6.969

2011-01-01

Decision Support Systems

Abstract:We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners' Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an ''arms race'' where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.

Jiajun Shen,Dongqin Feng

DOI: https://doi.org/10.1155/2017/9017039

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:With the integration of physical plant and network, cyber-physical systems (CPSs) are increasingly vulnerable due to their distributed and hierarchical framework. Stackelberg interdependent security game (SISG) is proposed for characterizing the interdependent security in CPSs, that is, the interactions between individual CPSs, which are selfish but nonmalicious with the payoff function being formulated from a cross-layer perspective. The pure-strategy equilibria for two-player symmetric SISG are firstly analyzed with the strategy gap between individual and social optimum being characterized, which is known as negative externalities. Then, the results are further extended to the asymmetric and m-player SISG. At last, a numerical case of practical experiment platform is analyzed for determining the comprehensively optimal security configuration for administrator.

Guang Zhu,Hu Liu,Mining Feng

DOI: https://doi.org/10.3390/math6100177

IF: 2.4

2018-01-01

Mathematics

Abstract:With the rapid development of information technologies, security violations in online social networks (OSN) have emerged as a critical issue. Traditional technical and organizational approaches do not consider economic factors, which are increasingly important to sustain information security investment. In this paper, we develop an evolutionary game model to study the sustainability of information security investment in OSN, and propose a quantitative approach to analyze and optimize security investment. Additionally, we examine a contract with an incentive mechanism to eliminate free riding, which helps sustain the security investment. Numerical examples are provided for illustration and simulation purposes, leading to several countermeasures and suggestions. Our analytical results show that the optimal strategy of information security investment not only is correlated with profit growth coefficients and investment costs, but is also influenced significantly by the profits from free riding. If the profit growth coefficients are prohibitively small, both OSN service providers and online platforms will not choose to sustain investment based on small profits. As profit growth coefficients increase, there is a higher probability that game players will invest. Another major finding is that the (Invest, Invest) profile is much less sensitive to the change of profit growth coefficients and the convergent speed of this scenario is faster than the other profiles. The government agency can use the proposed model to determine a proper incentive or penalty to help both parties reach the optimal strategies and thus improve OSN security.

Xing Gao,Manting Qiu,Siyu Gong,Ying Wang,Yanfang Zhang

DOI: https://doi.org/10.1016/j.eswa.2023.120129

IF: 8.5

2023-04-19

Expert Systems with Applications

Abstract:While technology similarity in network security aggravates breach interdependence, it can improve the efficiency of security information sharing. This paper examines the effect of technology similarity on information security investment with mandatory standards through constructing a game-theoretic model with two firms whose information assets are complementary and substitutable respectively. We show that for strict mandatory standards, while technology similarity first decreases and then increases the cost functions of complementary firms, it always decreases the cost functions of substitutable firms. We find that security information sharing always decreases the cost functions of both complementary and substitutable firms and thus should be encouraged. We reveal that when mandatory standards become much stricter, the cost functions of complementary firms always increase but the cost functions of substitutable firms increase if and only if the substitution degree remains relatively high. Finally, we demonstrate that hacker learning, as a factor to intensify breach interdependence, benefits substitutable firms and harms complementary firms in the case of strict mandatory standards.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Dengpan Liu,Yonghua Ji,Vijay M. Mookerjee

2005-01-01

Abstract:We analyze information security investment decisions by two firms that possess imperfectly substitutable information assets. Information assets are imperfectly substitutable if information at each firm is valuable and becomes more valuable when combined. When compared to optimal investment decisions made by a central planner, we find diametrically opposite results in the case where these decisions are made independently: substitutable assets lead to an “arms race” in which both firms over-invest whereas complementary assets lead to under-provision of “public goods” in which both firms under-invest. We also find that firms with highly substitutable information assets may not necessarily increase the amount of security investment in a centralized investment environment as the intensity of the deflected cross traffic increases.

Youcai Xie,Gang Lu,Desheng Lai,Meng Tao

DOI: https://doi.org/10.1016/j.heliyon.2023.e15081

IF: 3.776

2023-04-11

Heliyon

Abstract:This paper aims to explore the influential relationship between the decision-making of investment of enterprise safety and employee safety behavior strategy selection, thus improve the effectiveness of decision-making. Based on traditional game theory, this paper establishes an evolutionary game model of enterprise safety investment and employee safety behavior strategy selection, and conducts numerical simulation analysis. The result shows:when the security investment cost is greater than the security investment benefit, the employee's security behavior strategy choice is significant for the enterprise security investment strategy decision; when the security investment benefit is greater than the security investment cost, the enterprise security investment decision is not affected by the employee safety behavior strategy; the choice of employee safety behavior strategy is not affected by the choice of enterprise safety investment strategy. The conclusion can provide a reference basis for enterprise safety production decision-making, which has certain theoretical and practical significance.

Tridib Bandyopadhyay,Dengpan Liu,Vijay S. Mookerjee,Allen W. Wilhite

DOI: https://doi.org/10.1007/s10796-012-9373-x

2012-01-01

Information Systems Frontiers

Abstract:Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.

Dimitri Percia David,Alain Mermoud,Sébastien Gillard

DOI: https://doi.org/10.48550/arXiv.2112.04310

2021-12-08

Cryptography and Security

Abstract:Cyber-security breaches inflict significant costs on organizations. Hence, the development of an information-systems defense capability through cyber-security investment is a prerequisite. The question of how to determine the optimal amount to invest in cyber-security has been widely investigated in the literature. In this respect, the Gordon-Loeb model and its extensions received wide-scale acceptance. However, such models predominantly rely on restrictive assumptions that are not adapted for analyzing dynamic aspects of cyber-security investment. Yet, understanding such dynamic aspects is a key feature for studying cyber-security investment in the context of a fast-paced and continuously evolving technological landscape. We propose an extension of the Gordon-Loeb model by considering multi-period and relaxing the assumption of a continuous security-breach probability function. Such theoretical adaptations enable to capture dynamic aspects of cyber-security investment such as the advent of a disruptive technology and its investment consequences. Such a proposed extension of the Gordon-Loeb model gives room for a hypothetical decrease of the optimal level of cyber-security investment, due to a potential technological shift. While we believe our framework should be generalizable across the cyber-security milieu, we illustrate our approach in the context of critical-infrastructure protection, where security-cost reductions related to risk events are of paramount importance as potential losses reach unaffordable proportions. Moreover, despite the fact that some technologies are considered as disruptive and thus promising for critical-infrastructure protection, their effects on cyber-security investment have been discussed little.

Andrew Fielder,Emmanouil Panaousis,Pasquale Malacaria,Chris Hankin,Fabrizio Smeraldi

DOI: https://doi.org/10.48550/arXiv.1502.05532

2015-02-19

Abstract:When investing in cyber security resources, information security managers have to follow effective decision-making strategies. We refer to this as the cyber security investment challenge. In this paper, we consider three possible decision-support methodologies for security managers to tackle this challenge. We consider methods based on game theory, combinatorial optimisation and a hybrid of the two. Our modelling starts by building a framework where we can investigate the effectiveness of a cyber security control regarding the protection of different assets seen as targets in presence of commodity threats. In terms of game theory we consider a 2-person control game between the security manager who has to choose among different implementation levels of a cyber security control, and a commodity attacker who chooses among different targets to attack. The pure game theoretical methodology consists of a large game including all controls and all threats. In the hybrid methodology the game solutions of individual control-games along with their direct costs (e.g. financial) are combined with a knapsack algorithm to derive an optimal investment strategy. The combinatorial optimisation technique consists of a multi-objective multiple choice knapsack based strategy. We compare these approaches on a case study that was built on SANS top critical controls. The main achievements of this work is to highlight the weaknesses and strengths of different investment methodologies for cyber security, the benefit of their interaction, and the impact that indirect costs have on cyber security investment.

Computer Science and Game Theory,Cryptography and Security

Bram de Witte,Paolo Frasca,Bastiaan Overvest,Judith Timmer

DOI: https://doi.org/10.48550/arXiv.1906.09486

2019-06-23

Abstract:A digital security breach, by which confidential information is leaked, does not only affect the agent whose system is infiltrated, but is also detrimental to other agents socially connected to the infiltrated system. Although it has been argued that these externalities create incentives to under-invest in security, this presumption is challenged by the possibility of strategic adversaries that attack the least protected agents. In this paper we study a new model of security games in which agents share tokens of sensitive information in a network of contacts. The agents have the opportunity to invest in security to protect against an attack that can be either strategically or randomly targeted. We show that, in the presence of random attack, under-investments always prevail at the Nash equilibrium in comparison with the social optimum. Instead, when the attack is strategic, either under-investments or over-investments are possible, depending on the network topology and on the characteristics of the process of the spreading of information. Actually, agents invest more in security than socially optimal when dependencies among agents are low (which can happen because the information network is sparsely connected or because the probability that information tokens are shared is small). These over-investments pass on to under-investments when information sharing is more likely (and therefore, when the risk brought by the attack is higher).

Social and Information Networks,Computer Science and Game Theory

Ru Yi Ye,Zhou Jiang,Qi Wang

DOI: https://doi.org/10.4028/www.scientific.net/amm.631-632.928

2014-01-01

Applied Mechanics and Materials

Abstract:ROSI (Return On Security Investment) has attracted a great deal of attention in recent years. By inheriting Gordon and Loeb 2002 security breach probability function, we present an adaptive economics model of investment in information security integrating dynamic characteristics of outside threat probability and detective mechanism, and deduce some guidelines for optimal investment amount.

Joshua Letchford,Yevgeniy Vorobeychik

DOI: https://doi.org/10.48550/arXiv.1210.4873

2012-10-17

Abstract:We introduce a novel framework for computing optimal randomized security policies in networked domains which extends previous approaches in several ways. First, we extend previous linear programming techniques for Stackelberg security games to incorporate benefits and costs of arbitrary security configurations on individual assets. Second, we offer a principled model of failure cascades that allows us to capture both the direct and indirect value of assets, and extend this model to capture uncertainty about the structure of the interdependency network. Third, we extend the linear programming formulation to account for exogenous (random) failures in addition to targeted attacks. The goal of our work is two-fold. First, we aim to develop techniques for computing optimal security strategies in realistic settings involving interdependent security. To this end, we evaluate the value of our technical contributions in comparison with previous approaches, and show that our approach yields much better defense policies and scales to realistic graphs. Second, our computational framework enables us to attain theoretical insights about security on networks. As an example, we study how allowing security to be endogenous impacts the relative resilience of different network topologies.

Computer Science and Game Theory,Cryptography and Security

Gaoxin Qi,Jichao Li,Chi Xu,Gang Chen,Kewei Yang

DOI: https://doi.org/10.3390/e25010057

IF: 2.738

2022-12-29

Entropy

Abstract:Today, people rely heavily on infrastructure networks. Attacks on infrastructure networks can lead to significant property damage and production stagnation. The game theory provides a suitable theoretical framework for solving the problem of infrastructure protection. Existing models consider only the beneficial effects that the defender obtains from information gaps. If the attacker's countermeasures are ignored, the defender will become passive. Herein, we consider that a proficient attacker with a probability in the game can fill information gaps in the network. First, we introduce the link-hiding rule and the information dilemma. Second, based on the Bayesian static game model, we establish an attack–defense game model with multiple types of attackers. In the game model, we consider resource-consistent and different types of distributions of the attacker. Then, we introduce the solution method of our model by combining the Harsanyi transformation and the bi-matrix game. Finally, we conduct experiments using a scale-free network. The result shows that the defender can be benefited by hiding some links when facing a normal attacker or by estimating the distribution of the attacker correctly. The defender will experience a loss if it ignores the proficient attacker or misestimates the distribution.

physics, multidisciplinary

Zhe Li,Jin Liu,Jiaqi Ren,Yibo Dong,Weili Li

DOI: https://doi.org/10.1016/j.chaos.2024.115662

2024-10-24

Abstract:Critical infrastructure networks serve as the backbone of modern society's operations, and the application of game theory to safeguard these networks against deliberate attacks under resource constraints is of paramount importance. Regrettably, the existing body of research on hybrid attack and defense strategies for nodes and edges is notably scarce, despite the ubiquity of such strategies in practical contexts. Current understanding regarding the establishment of a cost constraint model within the framework of hybrid attack and defense strategies, the strategic inclinations of both adversarial and defensive parties under varying cost constraint coefficients, and the influence of resource allocation ratios on equilibrium outcomes remains limited. Consequently, this study constructs a game-theoretic model for the engagement of critical infrastructure networks under non-uniform cost constraints, incorporating hybrid attack and defense strategies for nodes and edges, and conducts an equilibrium analysis across a range of cost constraint coefficients and resource allocation ratios. The findings reveal that when resource availability is limited, both attackers and defenders are inclined towards a strategy of concentrated resource allocation; in contrast, under most circumstances, defenders exhibit a preference for an equitable distribution of resources.

mathematics, interdisciplinary applications,physics, mathematical, multidisciplinary