Framework for Classifying and Comparing Models of Investment in Cyber Security for Policy [1]
Rachel Rue, David Ortiz, Shari Lawrence Pfleeger, Aruna Balakrishnan
RAND Corporation
1200 South Hayes Street
Arlington, Virginia 22202-5050
Rachel_Rue@rand.org, David_Ortiz@rand.org, Pfleeger@rand.org, Aruna@rand.org
Jeffrey Hunker
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 1521
jhunker@andrew.cmu.edu
Abstract
The threat to cyber security is real and growing. Organizations of all kinds must take
protective measures, but effective resource allocation is difficult. This situation is due in
part to uncertainty about the nature and severity of threats and vulnerabilities, as well as
the effectiveness of mitigating measures. A variety of models have been proposed to aid
decision makers. We describe a framework to analyze and compare models, and
illustrate our framework with an analysis of game-theoretic models.
Introduction
Continued uncertainty is compounding the difficulty of decision-making regarding cyber
security. Few would argue that the threat to cyber security does not exist. However,
deciding which measures to take to bolster cyber security and how many resources
(including financial and personnel ones) to devote to cyber security remains elusive.
Models and model-based tools exist to assist in this decision-making, but it is essential to
understand which models are most appropriate for which kinds of decision support. This
paper explores the attributes of economic models of cyber security, provides a framework
for evaluating whether a model is appropriate for a particular application, and illustrates
the use of the framework by discussing in detail how game theoretic models can be
assessed.
[1] This work was supported by the Economics of Cyber Security project of the Institute for
Information Infrastructure Protection (I3P) under award number 2003-TK-TX-0003 from the
Office for Domestic Preparedness/Office of Justice Programs and the Department of
Homeland Security. The presentation is based on RAND Corporation research and authors'
opinions. Parts of the presentation describe work in progress that has not undergone RAND
quality assurance procedures.
Page 1 of 16

The sources of uncertainty in making decisions about cyber security range from the
shifting uses of information technology to the evolving nature of the threats. Moreover,
the consequences of not making good decisions about appropriate investment in cyber
security resources become more severe, as organizations store more and more types of
information, of increasing sensitivity and value. Methods of accessing the information are
expanding to include a greater number of mobile and remote devices. And the nature and
extent of the costs of a cyber attack are shifting. More methods of access to information
translate into both more modes of attack and an increased probability that an attack will
be successful. To understand the motives and goals of attackers requires cultural and
political expertise that often does not reside within organizations.
Taking measures to effectively allocate resources to enhance cyber security
requires a clear understanding of the nature and cost to the organization both of the
attacks and the benefits of those measures. Decision makers within organizations have
heterogeneous perceptions of threats and risks. Departments specializing in information
technology think in terms of preventing, detecting, and responding to specific types of
attacks. They often omit the challenge of resilience in the face of attacks and information
recovery after successful attacks; it is a difficult management, legal, and customer service
challenge to determine the best strategies for maintaining operations when critical
information is stolen, corrupted, inaccessible, or destroyed.
Given the challenge of ensuring cyber security under conditions of uncertainty,
how can organizations determine appropriate measures to enhance cyber security and
allocate resources most effectively? Many models have been proposed to help decision
makers allocate resources to cyber security, each taking a different approach to the same
fundamental question. Macro-economic input/output models have been proposed to
evaluate the sensitivity of the U.S. economy to cyber-attacks in particular sectors (Santos
and Haimes 2004). More traditional econometric techniques have been used to analyze
the loss of market capitalization after a cyber-security incident (Campbell et al. 2003).
Methods derived from financial markets have been adapted to determine the “return on
security investment” (Geer 2001; Gordon and Loeb 2005). Case studies of firms have
been performed to characterize real-world decision making with respect to cyber security
(Dynes, Brechbuhl, and Johnson 2005). Heuristic models rank costs, benefits, and risks
of strategies for allocating resources to improve cyber security (Gal-Or and Ghose 2005;
Gordon, Loeb, and Sohail 2003). Because investing in cyber security is an exercise in
risk management, many researchers have attempted to characterize behavior through a
risk management and insurance framework (Baer 2003; Conrad 2005; Farahmand et al.
2005; Geer 2004; Gordon, Loeb, and Sohail 2003; Haimes and Chittester 2005; Soo Hoo
2000). Recognizing that potential attackers and firms are natural adversaries, researchers
have also applied methods from game theory, and developed real games, to analyze
resource allocation in cyber security (Gal-Or and Ghose 2005; Horowitz and Garcia
2005; Irvine and Thompson; Irvine, Thompson, and Allen 2005).
Since each model is based on a different set of assumptions regarding the
characteristics of information systems, motivations of organizations to protect
information, the goals of attackers, and the data required for validation, no single model
provides a comprehensive framework to guide investments in cyber security. It is often
unclear how a model for cyber security can be used in practice, applying actual instead of
theoretical data. We propose that a decision maker at an organization must understand
how to use several models in concert, either to triangulate and find an acceptable strategy
for investing in cyber security, or to address multiple aspects of a larger problem.
In this paper we develop a framework for assessing and comparing the value of
different models in light of these several needs. We adapt a framework for quantifying
uncertainty in policy-based models from Morgan and Henrion (1990) to characterize and
compare economic models of cyber security. We adapt an accounting framework
previously used to compare policies to address greenhouse gas emissions to derive
characteristics of the economic models of cyber security (The GHG Protocol for Project
Accounting 2005).
The remainder of the paper is organized as follows. The following section
describes the framework for comparing economic models of cyber security. An
application of the framework to game theoretic models of cyber security illustrates
the framework. We conclude with observations on broader application of the framework.
Approaches to Modeling Cyber Security for Policy
Classifying Models
This section provides a framework for classifying and comparing economic models of
cyber security. A model is an abstraction of real world phenomena. In its simplest form,
a model transforms inputs to outputs via a mathematical or logical relationship. For
example, Hooke’s Law states that the opposing force of a spring (output) is proportional
to the displacement of the spring from equilibrium (input). The mathematical relation
simplifies the complex physical phenomenon relating stress and strain to a single
equation, and is valid within a margin of error for a range of displacements. Because
economic models attempt to characterize human decision-making, such models tend to be
complex and to make assumptions regarding the motivation of human decision makers,
and the values of relevant parameters. Dozens of models have been proposed in the
literature to characterize investments in cyber security, from variations on
macroeconomic input/output models to game theoretic models. Some are aimed at the
firm, which may be contemplating the purchase of cyber-insurance; others are aimed at
policy-makers, who are attempting to deploy limited resources to combat threats to the
information infrastructure.
To classify models that are proposed to support decision-making with respect to
investments in cyber security, we modify the approach of Morgan and Henrion (Morgan
and Henrion 1990). The type and form of a model classifies it among its peers. For
example, Leontief models characterize economic activity as linear transformations from
economic inputs to economic outputs (Santos and Haimes 2004). Most models are
developed for a particular purpose, which has an effect on the underlying assumptions
regarding model parameters, the types of decisions that the model supports, and under
what conditions the model may be applied to other situations. Stock options and
derivative financial instruments are priced based on the presumed behavior of an
underlying asset, typically a stock or commodity (Hull 1997). “Real” options propose
using the same analytical methods for different assets, typically those not traded on an
exchange. The assumptions regarding the behavior of a stock over time, which hold true
only under certain circumstances in financial markets, might not apply to the new asset in
a “real” options framework, a difference that the builder of the model, and the policy
maker taking its advice, need to consider.
A clear understanding of the sources of uncertainty in a model is essential if the model is
to be applied properly. A model makes assumptions to simplify phenomena and to focus
attention on critical behaviors: Leontief models assume that economic outputs are
related linearly to economic inputs, which allows more detailed study of the relationships
among these factors, but only for small relative changes in their values. Most models
also have a set of parameters that need to be estimated before they can be applied; for
example, to calculate the value of a financial option, one must know the volatility of the
underlying asset and the risk free rate of return. All models have a domain of
applicability; for instance, linear models of springs are valid for a range of displacements
only. Finally, models of phenomena need to be validated against data that describes the
phenomena in question.
Taken together, the characteristics of models show their purpose, application,
requirements for data, and sources of uncertainty. The table below lists the
characteristics of models we shall use to classify models of the economics of cyber
security.
Table 1: List of characteristics that are used to describe economic models of cyber security.

Type and form: The class of model and its mathematical structure.
History and previous applications: When and for what purpose the model was originally developed, and where it has been applied successfully.
Underlying assumptions: Simplifications regarding phenomena that are made to make application easier.
Decisions that the model supports: The types of decisions that a decision-maker would be able to substantiate through proper application of the model.
Inputs and outputs: The quantities that the model manipulates.
Parameters and variables: Quantities that affect the way in which the model transforms inputs to outputs.
Applicable domain and range: Temporal and physical ranges of inputs, outputs, parameters, and variables that the model describes.
Supporting data: Evidence that the model accurately describes the phenomena of interest.

Comparing Diverse Models of Investment in Cyber Security
We describe a methodology modifying one used to compare different projects for
reducing greenhouse gas (GHG) emissions (The GHG Protocol for Project Accounting
2005). When considering the economics of cyber security, we know that there are
adverse economic effects of cyber attacks, and that specific compelling examples exist,
but the complete nature of the vulnerabilities, threats, and risks is uncertain. Using our
framework, a model, once classified, may be compared to other models in a consistent
and transparent way. Therefore, when comparing economic models of cyber security, we
have the following goals:
• To provide a credible and transparent approach for quantifying and reporting data
and relationships derived from investigations of cyber security incidents and
activities,
• To enhance the credibility of economic models of cyber security by applying
common accounting concepts, procedures, and principles, and
• To provide a platform for harmonizing different project-based modeling
initiatives and data collection programs.
The baseline scenario is the canonical set of inputs, outputs, parameters, and variables
that a model describes. The baseline scenario is commonly referred to as the “business as
usual” case: the case in which decision makers take no action.
Changes to inputs, values, and parameters represent (depending on the model) actions,
investments in cyber security, emerging threats and vulnerabilities, or cyber security
events. The change in the outputs from the baseline scenario illustrates to the decision
maker the value of one course of action over another.
The forms of the outputs may also be compared. All outputs have common temporal and
quantitative characteristics. For example, the outputs of game theoretic models are
strategies, and the outputs of insurance-valuation models are probabilistic returns. By
comparing the change in outputs from the baseline scenario, the performance of
particular policies can be assessed. The fidelity of the output to existing data and the
relevance to actual decisions are essential.
We shall adhere to six principles when comparing economic models of cyber security and
supporting data. These principles are derived from financial accounting standards and
were applied to comparing different GHG projects (The GHG Protocol for Project
Accounting 2005).
Relevance: Use data, methods, criteria, and assumptions that are appropriate for
the intended use of reported information. The quantification of inputs and outputs
should include only information that users (of the models and of the results) need
for their decision-making. Data, methods, criteria, and assumptions that can
mislead or that do not conform to carefully defined model requirements are not
relevant and should not be included.
Completeness: Consider all relevant information that may affect the accounting
and quantification of model inputs and outputs, and complete all requirements.
All possible effects should be considered and assessed, all relevant technologies
or practices should be considered as baseline candidates, and all relevant baseline
candidates should be considered when building and exercising models. The
model’s documentation should also specify how all data relevant to quantifying
model inputs should be collected.
Consistency: Use data, methods, criteria, and assumptions that allow meaningful
and valid comparisons. The development and use of credible models requires that
methods and procedures are always applied to a model and its components in the
same manner, that the same criteria and assumptions are used to evaluate
significance and relevance, and that any data collected and reported will be
compatible enough to allow meaningful comparisons over time.
Transparency: Provide clear and sufficient information for reviewers to assess
the credibility and reliability of a model and the claims derived from it.
Transparency is critical, particularly given the flexibility and policy-relevance of
many decisions based on the models’ outputs. Information about the model and its
usage should be compiled, analyzed and documented clearly and coherently so
that reviewers may evaluate its credibility. Specific exclusions or inclusions
should be clearly identified, assumptions should be explained, and appropriate
references should be provided for both data and assumptions. Information relating
to the model’s “system boundary” (i.e., the part of the problem addressed by the
model) [2], the identification of baseline candidates, and the estimation of baseline
data values should be sufficient to enable reviewers to understand how all
conclusions were reached. A transparent report will provide a clear understanding
of all assessments supporting quantification and conclusions. This analysis should
be supported by comprehensive documentation of any underlying evidence to
confirm and substantiate the data, methods, criteria, and assumptions used.
Accuracy: Reduce uncertainties as much as is practical. Uncertainties with
respect to measurements, estimates, or calculations should be reduced as much as
is practical, and measurement and estimation methods should avoid bias.
Acceptable levels of uncertainty will depend on the objectives of the model and
the intended use of the results. Greater accuracy will generally ensure greater
credibility for any model-based claim. Where accuracy is sacrificed, data and
estimates used to quantify a model’s inputs should be conservative.
Conservativeness: Use conservative assumptions, values, and procedures when
uncertainty is high. The impact of a model should not be overestimated. Where
data and assumptions are uncertain and where the cost of measures to reduce
uncertainty is not worth the increase in accuracy, conservative values and
assumptions should be used. Conservative values and assumptions are those that
are more likely to underestimate than overestimate changes from the baseline or
initial situation.
[2] The system boundary allows the reader to understand each activity included in the
model, and the inputs and outputs associated with each activity. That is, it defines the
scope of the model, enabling the reader to determine what is included in the model and
what is excluded from the model’s consideration.

We might add an additional criterion:
• Providing Insight: State clearly the nature of the insights that are provided by
the model. Models may in some cases not serve to generate a specific result, but
rather to provide a means for decision makers to better understand and gain
additional useful insights into complex problems they face. Thus, the fact that the
answer is ‘2’ is far less important in some cases than that the model offers
additional understanding of complex interactions.
Game Theoretic Models
In this section, we illustrate our model analysis framework with game-theoretic models.
The table below summarizes the model characteristics described in the previous section.
Table 2. List of Characteristics of Game-theoretic Models of Cyber Security

Type and form: Game theory.
History and previous applications: Modern theory of cooperative and non-cooperative games developed in the first half of the 20th century; applied originally to economics; now applied to a wide variety of cooperative and competitive scenarios.
Underlying assumptions: Real-world decisions can be formally represented as strategies; causal relations between strategies and outcomes can be adequately approximated.
Decisions that the model supports: Strategy choices for all players.
Inputs and outputs: Inputs: strategies; payoff functions for players. Outputs: payoffs; optimal and equilibrium strategies.
Parameters and variables: Game inputs; rules mapping strategies to outcomes.
Applicable domain and range: Cooperative and competitive scenarios where strategy choices affect outcomes.
Supporting data: Many successful applications in economics.

Discussion
The game-theoretic approach to modeling cyber-security is intuitively appealing because
a cyber-security decision-maker feels very much like a player in a game with two player
types: attackers and defenders. Attackers make an evolving set of moves against
information systems; defenders make an evolving set of preventive and reactive moves.
The defender’s objective is to minimize the costs incurred both from reacting to
successful attacks and from implementing defensive measures.
Game theory is a particular—and effective—way of formalizing the structure of games.
The advantage of representing a game as a formal structure is that as a mathematical
object the game has provable properties—for example, it is possible in principle to
compute provably optimal strategies, as well as to vary parameters and see the resulting
effects. Such investigation can be tremendously helpful to decision-makers. On the other
hand, not all game-like interactions can profitably be represented as formal games.
Depending on how the conclusions drawn from manipulating the formal representation
are to be used, the games may be illuminating and directly applicable, they could lead to
misleading and counter-productive recommendations, or the analysis could discourage
decision makers from using these methods again.
In the following section, we enumerate some of the choices that must be made in
designing a game to represent cyber-security interactions. We describe some of the ways
the formal results of game theory may be applied, and some potential pitfalls in their
application.
Modeling Choices
Formally, a game consists of a set of rules, a collection of players, a set of strategies
available to each player, and payoff functions that map game outcomes to payoffs for
each individual player. The designer of a cyber-security game must make choices about
each of these elements. We discuss some of the issues that arise in making each choice.
What counts as a good choice in each case depends in large part on how the game results
are expected to be used, by whom, and how the payoffs are valued by each player.
1. Who are the players?
a. Companies and other organizations with information systems (defenders)
b. Attackers
c. Third party regulators and policy-makers
Issues:
Can the defending side be represented by a single player? Suppose the purpose of the
game is to help a single company decide on a resource allocation strategy. If the
payoff function for that company is a function only of how many successful attacks it
suffers, it may be unnecessary to include multiple defenders in the game. On the
other hand, if the costs and benefits to a company are partly a function of how well
other companies have fared, then they need to be included in the game model. For
example, if part of what I care about is my relative standing vis-à-vis the earnings,
stock prices, and reputations of other companies, then I cannot derive a real-world
strategy from the game without there being multiple players.
Attackers in the real world are of different types, with different motives and different
payoff functions. They also have different opportunities for attack (e.g., from inside
and outside) and different resource limitations. Thought must be given to how
attackers may be grouped into types so that the game outcomes are a good enough
approximation to the real world to provide valuable insight to decision makers.
Rules and regulations imposed by third party policy makers constrain the set of strategies
available to each player in the real world, and (it is to be hoped) also affect game
outcomes. If the purpose of the game is to try to understand what kinds of public
policy or industry regulations will be effective, it may be useful or even necessary to
include third parties with possibly very different reward structures as players in the
game. Alternatively, the structure of the game itself can be varied to represent world
states with different sets of regulatory constraints on players. Games with these
structures can become very complex, if not unwieldy, if the goal is to model complex
(and real-world) organizational interactions.
2. Rules of the game
a. Number of rounds
b. Permissible strategies
c. Information available to players
d. Determining outcomes
Issues:
Games can be structured as simultaneous or sequential. In a simultaneous game,
every player makes a single move, without any information about the result of
other players’ choices. So, for example, a player may know that a denial of
service attack will succeed with probability p, but not whether or not a given
denial of service attack actually succeeds. In a sequential game, players may see
some or all of the outcomes of each round of play before making subsequent
moves; or players may have a ‘fuzzy’ or uncertain perception of each round’s
outcomes. The choice of sequential or simultaneous play may result in different
optimal strategies. For example, attackers may sequence their moves in order to
lay the groundwork for successful attacks later in the game. It may be illuminating
to see how the optimal strategies change as the number of rounds in a game
varies. If the purpose of the game is to decide on a real-world resource allocation
strategy, then the choice of simultaneous or sequential play should reflect the
actual situation of the players.
How many types of attacks—both existing and anticipated—are to be included as
possible moves? Inevitably, attacks have to be grouped according to type and
severity. The question to be decided is how to group them without excessive loss
of accuracy in the game model. Similarly, defensive and regulatory moves must
be characterized by type and effectiveness.
Are collusion and cooperation among players to be allowed?
If the game has multiple rounds, how much information is available to players about
the outcome of each round? Do they detect attempted attacks? Do they know who
has been successfully attacked? Do they know the payoff functions of the other
players?
What is the likelihood that a given array or sequence of attacks is successful? What is
the effect on defenders of successful attacks? From the point of view of defenders
in the real world, the outcomes are drawn from some probability distribution that
is at best only approximately known. The game maker needs some way to
estimate the correct distributions. The probability distributions on outcomes may
also be treated as parameters to answer questions such as: how much does the
success probability of an attack of type a have to be lowered for a defending
company to survive the game without unacceptable losses?
3. Payoff functions
a. inputs to payoff functions
b. weights assigned to inputs
Issues:
It is non-trivial to determine the elements that should figure into payoff functions.
For attackers, is it monetary gain for themselves? Monetary loss for the
defenders? Pleasure at bringing down the powerful? For defenders, is it the
number of successful attacks of each type? Is it earnings or reputation relative to
other defenders? Is it how thoroughly the company security infrastructure is
prepared to sustain good security practices in the long run?
It is often more important to make sure that all the real-world inputs to payoff
functions have been captured in the game than to get the weights for inputs
exactly right. Nonetheless, some choice must be made about the relative weight of
inputs for different players. Varying the weights may help us understand the
sensitivity of the optimal strategy to different choices of weights. In other words,
we want to know how accurate the payoff function weights must be in order to get
a useful result.
4. Other issues
Policy makers or researchers studying outcomes will want the game states to
include enough information to enable them to calculate the outcomes of
interest, or alternatively, to gain insight into key situations. This evaluation
may well include elements that are irrelevant to the players’ payoff functions.
For example, suppose the game models the cyber-security of hospitals.
Individual hospitals represented as players in the game may be concerned only
about protecting their own functionality. However, someone using the game to
examine the public health consequences of attacks on hospital information
systems may need to be able to calculate external ripple effects from damage
to subsets of hospitals; or to better understand which hospitals are most at risk
in an uncertain future.
Uncertainty. Cyber-security is a domain fraught with uncertainty as to types,
success probabilities, and degree of damage resulting from attacks on
information systems. The observations made in the section on uncertainty
above are particularly applicable here.
Game Theory Applied
The use of game theory in understanding terrorist attacks is relevant to cyber-security. In
this section, we mention some related results but do not provide an exhaustive survey.
None of our examples involve specific guidance for resource allocation decisions, so they
do not depend on the numerical accuracy of inputs.
Vicki Bier (Bier 2005) examined a model in which an attacker must choose targets and a
defender must decide which targets to defend. In the cyber-security domain, this model
can be interpreted as having an attacker who chooses which type of attack to make (e.g.,
phishing, virus in an email attachment, denial of service), and a defender who chooses
which types of defensive mechanism to put into place (e.g., spam filtering, virus
scanning, firewall). She observes that in this game, increasing the resources allocated to
one target results in the attacker’s shifting to another target. Depending on the relative
value of the set of potential targets, these choices result in different consequences. In
some cases the defender benefits by using target-shifting to manipulate the attacker’s
strategy. On the other hand, if there is a large number of targets of approximately equal
value, then defending some at the expense of others leaves the cumulative threat constant.
Bier also shows that in this model the defender does better with a centralized allocation
of resources, rather than each locality’s making independent decisions. For policy
makers, this situation might suggest industry or government coordination of cyber-
security defenses. An additional result, counterintuitive in some contexts, is that the
defender is better off making her resource allocation public rather than secret.
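The target-shifting and centralization results just described can be reproduced in a small sequential game. The following is an added example, not code from the paper or from Bier's own model: the defender publishes an integer allocation of defensive units across targets, the attacker then picks the target with the highest expected damage, and the defender searches all allocations for the one that minimizes that damage. The attack-success curve in `success_probability` (diminishing returns, 1 / (1 + units)), the rule that damage equals target value times success probability, and the sample target values are assumptions chosen for illustration.

```python
"""Attacker target choice versus a public defensive allocation (added example, after Bier 2005).

Assumptions (not from the paper): integer defensive units, an attack-success curve of
1 / (1 + units), and attacker damage equal to target value times success probability.
"""
from itertools import product


def success_probability(units: int) -> float:
    """Assumed attack-success curve with diminishing returns to defense."""
    return 1.0 / (1.0 + units)


def expected_damages(values, alloc):
    """Expected damage the attacker obtains from each target under this allocation."""
    return [v * success_probability(x) for v, x in zip(values, alloc)]


def attacker_best_target(values, alloc) -> int:
    """The attacker sees the allocation and attacks the most profitable target
    (ties go to the lowest index)."""
    damages = expected_damages(values, alloc)
    return max(range(len(values)), key=lambda i: damages[i])


def expected_loss(values, alloc) -> float:
    """Defender's loss once the attacker has shifted to its best target."""
    return expected_damages(values, alloc)[attacker_best_target(values, alloc)]


def allocations(n_targets: int, budget: int):
    """Every way of spending the whole integer budget across the targets."""
    for combo in product(range(budget + 1), repeat=n_targets):
        if sum(combo) == budget:
            yield combo


def best_allocation(values, budget: int):
    """Defender moves first (the allocation is public) and minimises the attacker's
    best payoff. Returns (allocation, expected loss)."""
    best = min(allocations(len(values), budget), key=lambda a: expected_loss(values, a))
    return best, expected_loss(values, best)


def independent_loss(values, local_budgets) -> float:
    """Each locality spends its own budget only on its own target."""
    return expected_loss(values, tuple(local_budgets))


def centralised_loss(values, local_budgets) -> float:
    """One planner pools the same budgets and allocates them across all targets."""
    return best_allocation(values, sum(local_budgets))[1]


if __name__ == "__main__":
    values = [10, 2]  # constructed sample: one high-value and one low-value target
    for alloc in [(0, 0), (2, 0), (5, 0)]:
        # As units pile onto target 0, the attacker shifts to the undefended target 1.
        print(alloc, "-> attacker picks target", attacker_best_target(values, alloc),
              "loss", round(expected_loss(values, alloc), 2))
    print("best split of 4 units:", best_allocation(values, 4))
    # Many equal-value targets: defending some at the expense of others changes nothing,
    # because the attacker simply moves to whichever target is left undefended.
    print("three equal targets, 2 units:", best_allocation([5, 5, 5], 2))
    print("three equal targets, 0 units:", best_allocation([5, 5, 5], 0))
    # Centralised versus independent allocation of the same two local budgets.
    print("independent:", independent_loss(values, [1, 3]),
          "centralised:", centralised_loss(values, [1, 3]))
```

With the sample values, five units on the high-value target push the attacker onto the low-value one; two units spread over three equal targets leave the loss exactly where it was with no defense at all; and pooling the two local budgets (1 and 3 units) cuts the loss from 5.0 to 2.0, because the independent allocation is one of the options the central planner can choose but not the best one.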
Kunreuther and Heal (Kunreuther and Heal 2003) examine games in which there are
interdependencies among the vulnerabilities of defending players. Every player has an
increased risk when the vulnerability of other players increases. As a consequence, there
is little benefit to any player in expending resources to reduce vulnerability unless a
critical mass of players does the same. Their original example is that of airlines installing
baggage screening equipment: an explosion in the baggage handling area affects all
airlines equally, no matter which airline checked the luggage originally. In information
networks, similar issues may arise. A virus that infects one desktop in an internal
network has a high probability of infecting other desktops in the same network.
Information corruption or loss at one point in a supply chain may affect every other point
in the chain as well.
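The critical-mass effect described above can be made concrete with a two-firm game in the form Kunreuther and Heal use, solved by brute-force enumeration of pure-strategy Nash equilibria. The following is an added example, not code from the paper: each firm chooses to invest in protection or not; `p` is the probability of a direct compromise when unprotected, `q` the probability that an unprotected neighbour's compromise spreads to you (investment stops direct compromise but not contagion), `loss` the damage and `cost` the price of investing; the numeric values are constructed. The equilibrium finder is written for any finite n-player game given as players, strategies and payoff functions, so it also serves the Modeling Choices discussion above, and the sweep over `cost` is the sensitivity analysis that discussion recommends for payoff weights.

```python
"""Interdependent security game (Kunreuther and Heal 2003) solved by enumerating
pure-strategy Nash equilibria. Added example; parameter values are constructed."""
from itertools import product

INVEST, SKIP = "invest", "skip"


def pure_nash_equilibria(payoffs, strategies):
    """Return every pure-strategy profile from which no single player gains by deviating.

    payoffs:    dict mapping a strategy profile (tuple, one entry per player) to a tuple
                of that profile's payoffs, one per player.
    strategies: list with, for each player, the list of strategies open to that player.
    """
    equilibria = []
    for profile in product(*strategies):
        stable = True
        for player, options in enumerate(strategies):
            current = payoffs[profile][player]
            for alternative in options:
                deviation = profile[:player] + (alternative,) + profile[player + 1:]
                if payoffs[deviation][player] > current + 1e-12:  # strict improvement
                    stable = False
                    break
            if not stable:
                break
        if stable:
            equilibria.append(profile)
    return equilibria


def ids_payoffs(p, q, loss, cost):
    """Two-firm interdependent-security payoffs (negative expected cost).

    p:    probability of a direct compromise when a firm does not invest
    q:    probability that an unprotected neighbour is compromised and it spreads to you
    loss: damage from a compromise; cost: price of investing in protection
    Investing removes the direct risk only; contagion still arrives through a neighbour.
    """
    def payoff(mine, theirs):
        direct = 0.0 if mine == INVEST else p
        contagion = (1.0 - direct) * (q if theirs == SKIP else 0.0)
        spent = cost if mine == INVEST else 0.0
        return -spent - (direct + contagion) * loss

    return {(a, b): (payoff(a, b), payoff(b, a))
            for a in (INVEST, SKIP) for b in (INVEST, SKIP)}


def ids_equilibria(p, q, loss, cost):
    """Pure Nash equilibria of the two-firm game for one parameter setting."""
    return pure_nash_equilibria(ids_payoffs(p, q, loss, cost), [[INVEST, SKIP]] * 2)


def critical_mass_band(p, q, loss):
    """Investment costs for which investing pays only if the other firm invests too:
    p*loss*(1-q) < cost < p*loss yields two equilibria, all-invest and none-invest."""
    return p * loss * (1.0 - q), p * loss


if __name__ == "__main__":
    p, q, loss = 0.2, 0.5, 100.0  # constructed parameter values
    low, high = critical_mass_band(p, q, loss)
    print(f"critical-mass band: {low:.1f} < cost < {high:.1f}")
    for cost in (5.0, 15.0, 25.0):  # sensitivity sweep over the investment cost
        print(f"cost={cost:5.1f}: equilibria {ids_equilibria(p, q, loss, cost)}")
```

With p = 0.2, q = 0.5 and a loss of 100, investing is a dominant strategy below a cost of 10, never pays above 20, and in between the game has two equilibria: everyone invests or nobody does. That middle band is the "critical mass" case, where a single firm cannot profit from protection unless its neighbours protect themselves as well.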
It can be instructive to use games to model low-probability catastrophic events,
particularly since there are very few data points on which to base a model. Kovacs
and Kunreuther (Kovacs and Kunreuther 2001) have studied the way the incentive
structure (i.e., payoff functions) can be altered by the regulatory requirements of
insurance companies and government assistance programs. Some Canadian provincial
governments, for example, tie potential future disaster relief to current investment in
protection against natural disasters. Kovacs and Kunreuther also note that much could be
learned by studying cases where the vulnerabilities are similar but the defensive practices
of individuals vary widely. For example, Seattle and Vancouver have roughly the same
vulnerability to earthquake damage. In 2001 (?) 12% of homeowners in Seattle had
earthquake insurance. By contrast, 63% of homeowners in Vancouver and Victoria had
earthquake insurance. Understanding how the incentive structures differ could provide
two types of insight. If the percentage of people purchasing insurance
reflects genuinely different incentives in the structuring and pricing of insurance options
and other disaster relief (rather than simply different perceptions of the same incentives),
something may be learned about how to change the incentive structure to produce
desirable behavior. If the incentive structures turn out to be roughly the same, insurance
purchasing behavior may be significantly affected by cultural characteristics that are
unlikely to be captured in a game model.
Using Simplified Models
Ehud Kalai (Kalai 2005) has shown that under certain conditions the Nash equilibria in a
game with a small number of players and strategy choices are robust when the game is
generalized to a metagame with more players and strategies. The conditions that must be
met are:
(1) All players in the original game must be players in the metagame.
(2) All strategies available to the original players in the small game must still
be available to them in the metagame.
(3) The metagame must preserve the original payoffs, in the sense that for any
set of strategies the original players choose in the metagame, their payoffs
are the same as they would have been if the same set of strategies were
chosen in the original game.
(4) In addition, the payoff function of every player depends only on an
aggregate description of other players: what proportion of players are of
each type, and what proportion of each type chooses each strategy.
If all these conditions are met, Kalai shows that the original game is robust in the sense
that, as the number of players in the metagame grows, the equilibrium strategies of the
original game become approximately optimal in the metagame, with the approximation
error shrinking exponentially in the number of players.
In the real world of cyber security, Kalai's conditions are unlikely to be met, and a
simplified game model is unlikely to represent them faithfully. It is therefore important
to ask how the optima of a simplified game model relate to the optima of the real-world
situation. Structuring a game so that its optima can feasibly be computed is likely to
require simplifying assumptions that make it far less accurate as a model of real-world
outcomes. There is a balance to be struck between modeling accuracy and tractability.
Those wishing to aid decision makers can be tempted to provide a practical
(computationally feasible) tool, so tempted that the loss of real-world fidelity slips by
unnoticed.
Games Without Game Theory
A “game” may not require game theory to find optimal strategies. For example, suppose
there are given probability distributions on the number and severity of successful attacks
given specific security investments, and these distributions are not modeled as sensitive
to the strategy choices of attackers. In that case, the optimal strategy for a defender can be
found by maximizing expected return, without any use of game theory. Nonetheless, it
may be useful to represent decision-makers’ choices in a game format. For example,
having a number of real players in the room discussing the game may elicit insights about
significant elements that are missing from the game model. In addition, the game can
make visible the assumptions that must be made in order to calculate an optimal strategy.
This process serves to make explicit the confidence or lack thereof that decision-makers
have (or should have) in their underlying assumptions. It also serves to highlight the
nature and kind of data that are required to give solid grounding to gaming assumptions.
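The contrast drawn here with Bier's target-shifting result can be run as a small computation. The Python below is an added example, not code from the paper or from Bier's own work. It puts the two defender problems side by side: a fixed-threat problem, in which the attacker strikes target i with a given probability and the defender simply minimizes expected loss, and a strategic problem, in which the attacker always picks the target with the highest expected payoff and the defender therefore minimizes the worst case. The success-probability function 1/(1+x), the target values, the budget, the integer-unit allocations and the equal split used as a stand-in for decentralized decisions are all assumptions of this example.

```python
"""Added example: allocating a defense budget over several targets.

Not from the paper or from Bier's work.  The success-probability function,
target values, budget and the 'equal split' stand-in for decentralized
decisions are assumptions made here.
"""
from itertools import chain


def allocations(n, budget):
    """Every split of an integer budget over n targets (order matters)."""
    if n == 1:
        yield (budget,)
        return
    for first in range(budget + 1):
        for rest in allocations(n - 1, budget - first):
            yield (first,) + rest


def success_prob(x):
    """Assumed probability that an attack succeeds against a target that
    received x units of defense."""
    return 1.0 / (1.0 + x)


def target_losses(values, alloc):
    """Expected loss at each target if that target is the one attacked."""
    return [v * success_prob(x) for v, x in zip(values, alloc)]


def attacker_target(values, alloc):
    """A best-responding attacker hits the target with the highest expected
    payoff (ties go to the lowest index)."""
    losses = target_losses(values, alloc)
    return losses.index(max(losses))


def strategic_loss(values, alloc):
    """Defender's loss against an attacker who sees the allocation and adapts."""
    return max(target_losses(values, alloc))


def fixed_threat_loss(values, alloc, attack_probs):
    """Expected loss when the attacked target follows a fixed distribution
    that does not react to the defense (no game theory needed)."""
    return sum(p * l for p, l in zip(attack_probs, target_losses(values, alloc)))


def best_allocation(values, budget, loss_fn):
    """Centralized planner: exhaustively minimize loss_fn over the pooled budget."""
    best = min(allocations(len(values), budget), key=loss_fn)
    return best, loss_fn(best)


def equal_split(values, budget):
    """Stand-in for decentralized decisions: each locality defends only itself
    with an equal share of the budget."""
    n = len(values)
    return tuple(budget // n for _ in range(n))


if __name__ == "__main__":
    # Constructed scenario: one high-value target and three lesser ones,
    # four units of defense to spend.
    values = [100.0, 20.0, 20.0, 20.0]
    budget = 4
    uniform = [1.0 / len(values)] * len(values)

    a_fixed, l_fixed = best_allocation(
        values, budget, lambda a: fixed_threat_loss(values, a, uniform))
    a_strat, l_strat = best_allocation(
        values, budget, lambda a: strategic_loss(values, a))
    print("fixed-threat optimum :", a_fixed, round(l_fixed, 2),
          "but worst case if the attacker adapts:",
          round(strategic_loss(values, a_fixed), 2))
    print("strategic optimum    :", a_strat, l_strat)
    print("equal split          :", equal_split(values, budget),
          strategic_loss(values, equal_split(values, budget)))
    # Target shifting: over-defend target 0 and the attacker moves to target 1.
    print("attacker's target with (6,0,0,0):", attacker_target(values, (6, 0, 0, 0)))
    # Many targets of equal value: the best the defender can do is spread thin.
    equal = [30.0] * 4
    print("equal-value optimum  :", best_allocation(equal, budget, lambda a: strategic_loss(equal, a)))
```

Against the constructed numbers, the allocation that is optimal for a fixed uniform threat leaves the high-value target exposed to a worst-case loss almost twice the one a strategic planner accepts, which is the sense in which a "game" with an unresponsive attacker is only an expected-value problem while a responsive attacker changes the answer. The pooled (centralized) allocation also beats the equal split, and once the large target is over-defended the attacker simply shifts to a smaller one, as in Bier's model.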
Conclusion
As industry and government seek ways to balance investment in cyber security with other
demands on resources, decision support tools and techniques are needed to frame the
problem and convey important information and relationships. Many of the tools and
techniques rely on underlying models. Since any model is suitable for some purposes but
not others, we have presented principles and a framework with which each model can be
evaluated. Using game-theoretic models as an example, we have shown how the
principles and framework can be employed. Such an evaluation can not only suggest the
appropriateness of each model but also highlight where new or modified models are
needed for addressing gaps or additional uncertainties. This work is preliminary; we plan
to extend the use of the principles and framework to a large set of cyber-security
economics models, to help depict the landscape of models available to decision makers.
References
Baer, Walter S. 2003. Rewarding IT security in the marketplace. Santa Monica,
California: RAND Corporation.
Bier, Vicki. 2005. Game-theoretic and reliability methods in counter-terrorism and
security. In S. McNulty, A. Wilson, N. Limnios, and Y. Armijo (Eds.),
Mathematical and Statistical Methods in Reliability. Singapore: World Scientific.
Campbell, Katherine, Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou. 2003. The
economic cost of publicly announced information security breaches: empirical
evidence from the stock market. Journal of Computer Security 11:431-448.
Conrad, James R. 2005. Analyzing the risks of information security investments with
monte-carlo simulations. Paper read at IEEE Workshop on the Economics of
Information Security.
Dynes, Scott, Hans Brechbuhl, and M. Eric Johnson. 2005. Information security in the
extended enterprise: some initial results from a field study of an industrial firm.
Hanover, New Hampshire: Tuck School of Business, Dartmouth College.
Farahmand, Fariborz, Shamkant B. Navathe, Gunter P. Sharp, and Philip H. Enslow.
2005. A Management Perspective on Risk of Security Threats to Information
Systems. Information Technology and Management 6 (2-3):203-225.
Gal-Or, Esther, and Anindya Ghose. 2005. The economic incentives for sharing security
information. Information Systems Research 16 (2):186-208.
Geer, Daniel E. 2001. Return on security investment: calculating the security investment
equation. Secure Business Quarterly 1 (2).
———. 2004. Security of information when performance matters. Waltham,
Massachusetts: Verdasys, Inc.
The GHG Protocol for Project Accounting. 2005. Washington, District of Columbia:
World Business Council for Sustainable Development; World Resources Institute.
Gordon, Lawrence A., and Martin P. Loeb. 2005. Economic aspects of information
security. College Park, Maryland: The Robert H. Smith School of Business,
University of Maryland.
Gordon, Lawrence A., Martin P. Loeb, and Tashfeen Sohail. 2003. A framework for
using insurance for cyber-risk management. Communications of the ACM 46
(3):81-85.
Haimes, Yacov Y., and Clyde G. Chittester. 2005. A roadmap for quantifying the
efficacy of risk management of information security and interdependent SCADA
systems. Journal of Homeland Security and Emergency Management 2 (2).
Horowitz, Barry, and Alfredo Garcia. 2005. A growing trend towards underinvestment in
internet security. Charlottesville, Virginia: University of Virginia, Department of
Systems and Information Engineering.
Hull, John C. 1997. Options, Futures, and Other Derivatives. Third ed. Upper Saddle
River, New Jersey: Prentice-Hall.
Irvine, Cynthia E., and Michael F. Thompson. Expressing an information security policy
within a security simulation game. Monterey, California: Naval Postgraduate
School.
Irvine, Cynthia E., Michael F. Thompson, and Ken Allen. 2005. CyberCIEGE: Gaming
for information assurance. IEEE Security and Privacy Magazine (May/June):61-
64.
Kalai, Ehud. 2005. Partially specified large games. In X. Deng and Y. Ye (Eds.),
WINE 2005, LNCS 3828. Berlin, Heidelberg: Springer-Verlag.
Kovacs, Paul, and Howard Kunreuther. 2001. Managing catastrophic risk: lessons
from Canada. Presented at the ICLR/IBC Earthquake Conference, March 23,
2001, Simon Fraser University, Vancouver.
Kunreuther, Howard, and Geoffrey Heal. 2003. Interdependent security. Journal of
Risk and Uncertainty (Special Issue on Terrorist Risks).
Morgan, M. Granger, and Max Henrion. 1990. Uncertainty: a guide to dealing with
uncertainty in quantitative risk and policy analysis. Cambridge, United Kingdom:
Cambridge University Press.
Santos, Joost R., and Yacov Y. Haimes. 2004. Modeling the demand reduction input-
output (I-O) inoperability due to terrorism of interconnected infrastructures.
Charlottesville, Virginia: University of Virginia, Department of Systems and
Information Engineering.
Soo Hoo, Kevin J. 2000. How much is enough? A risk-management approach to
computer security. Palo Alto, California: Stanford University, Consortium for
Research on Information Security and Policy.