Abstract
In the realm of information security, lack of information about other users' incentives in a network can lead to inefficient security choices and reductions in individuals' payoffs. We propose, contrast and compare three metrics for measuring the price of uncertainty due to the departure from the payoff-optimal security outcomes under complete information. Per the analogy with other efficiency metrics, such as the price of anarchy, we define the price of uncertainty as the maximum discrepancy in expected payoff in a complete information environment versus the payoff in an incomplete information environment. We consider difference, payoff-ratio, and cost-ratio metrics as canonical nontrivial measurements of the price of uncertainty. We conduct an algebraic, numerical, and graphical analysis of these metrics applied to different well-studied security scenarios proposed in prior work (i.e., best shot, weakest-link, and total effort). In these scenarios, we study how a fully rational expert agent could utilize the metrics to decide whether to gather information about the economic incentives of multiple nearsighted and naïve agents. We find substantial differences between the various metrics and evaluate their appropriateness for security choices in networked systems.
Copyright information
© 2010 Springer Science+Business Media, LLC
About this paper
Cite this paper
Grossklags, J., Johnson, B., Christin, N. (2010). The Price of Uncertainty in Security Games. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_2
DOI: https://doi.org/10.1007/978-1-4419-6967-5_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-6966-8
Online ISBN: 978-1-4419-6967-5
eBook Packages: Computer Science (R0)