Optimal Decision Making in Interdependent Network Security

Although people are frequently urged to protect the machines they use and oversee, the fact remains that the decision to invest in protection software is far from universal. To better understand this decision, we formulate two models of interdependent network security. In the first, there is a system administrator responsible for a network of size n against attackers attempting to penetrate the network and infect the machines with viruses or other exploits. Through analysis of this interdependent network security scenario, we conclude that the decision to buy protection is dependent upon a number of factors including external and internal vulnerabilities, the types and likelihoods of different amounts of loss, the degree of autonomy of the attacker, and others.

The second model looks at network security from a game-theoretic point of view. Through the formulation and examination of increasingly complex scenarios, we formulate a model for utility-based security decisions for an individual in a network of individuals. We look at the decision for one person buy security software for herself and to buy security software in the context of two or more people. By modeling security as a public good, we examine externalities that players impose upon each other. We then examine Olson's theory of groups [13] in a network security context to evaluate the effect of network size on optimal decision-making. Network topologies are also discussed to investigate the limitations of the common game-theoretic interdependent security models. We conclude that these models work well for small to medium-sized networks with fairly uniform topologies. Through analysis of these two models, we propose methodologies for decision-making that are simple to understand and applicable to many other interdependent security scenarios.