Network defense and behavioral biases: an experimental study


How do people distribute defenses over a directed network attack graph, where they must defend a critical node? This question is of interest to computer scientists, information technology and security professionals. Decision-makers are often subject to behavioral biases that cause them to make sub-optimal defense decisions, which can prove especially costly if the critical node is an essential infrastructure. We posit that non-linear probability weighting is one bias that may lead to sub-optimal decision-making in this environment, and provide an experimental test. We find support for this conjecture, and also identify other empirically important forms of biases such as naive diversification and preferences over the spatial timing of the revelation of an overall successful defense. The latter preference is related to the concept of anticipatory feelings induced by the timing of the resolution of uncertainty.


Notes

  1.

    A non-exhaustive list of research considering the attack graph model from the Computer Security literature includes Sheyner and Wing (2003), Nguyen et al. (2010), Xie et al. (2010), Homer et al. (2013), and Hota et al. (2018). The length of this list and the ease with which it could be extended is indicative of the prominence that this literature places on the attack graph model.

  2.

    A non-exhaustive list of related theory papers includes Clark and Konrad (2007), Acemoglu et al. (2016), Dziubiński and Goyal (2013), Goyal and Vigier (2014), Dziubiński and Goyal (2017), Kovenock and Roberson (2018), and Bloch et al. (2020).

  3.

    Sheremeta (2019) posits that things such as inequality aversion, spite, regret aversion, guilt aversion, loss aversion (see also Chowdhury, 2019), overconfidence and other emotional responses could all be important factors in (non-networked) attack and defense games. Preferences and biases have not received substantial attention in the experimental or theoretical literature in these games, although it should be noted that Chowdhury et al. (2013) and Kovenock et al. (2019) both find that utility curvature does not appear to be an important factor in multi-target attack and defense games.

  4.

    See Kosfeld (2004) for a survey of network experiments more generally.

  5.

    For example, Bier et al. (2007), Modelo-Howard et al. (2008), Dighe et al. (2009), An et al. (2013), Hota et al. (2016), Nithyanand et al. (2016), Guan et al. (2017), Wu et al. (2018), and Leibowitz et al. (2019).

  6.

    The events are independent as each edge represents a unique layer of security that is unaffected by the events in other edges/layers of security. Breaches of other layers of security can affect whether a specific layer is encountered, but they do not change the probability that layer is compromised.

  7.

    This approach is similar to the concept of ‘folding back’ sequential prospects, as described in Epper and Fehr-Duda (2018) with regard to ‘process dependence’. The alternative (i.e., \(f_j(x;\alpha )=w(p(x_1) +\left[ 1-p(x_1)\right] \left[ p(x_2) + (1-p(x_2))p(x_3) \right] )\)) does not yield interesting comparative statics in \(\alpha\) due to the monotonicity of the probability weighting function, so we do not consider it further.

  8.

    Weighting the probability of a successful attack along an edge instead is analytically tractable as terms conveniently cancel, as shown in Abdallah et al. (2019b). However, this would be inconsistent with how events are ranked and weights are applied in RDU and CPT. Despite the lack of symmetry in the one-parameter Prelec weighting function, the qualitative comparative statics presented in Abdallah et al. (2019b) have been numerically confirmed to hold in the current environment.

  9.

    Concavity and diminishing marginal returns are common assumptions in the computer security literature (e.g., Pal and Golubchik 2010; Boche et al. 2011; Sun et al. 2018; Feng et al. forthcoming).

  10.

    Any \(\alpha \in (0,1]\) defender is making a similar trade-off of \(\frac{\partial F(v,y)}{\partial v}\) against \(\frac{\partial F(v,y)}{\partial y}\), either equating them if the solution is interior, or allocating to whichever is greater at the boundary. We do not present these first order conditions here as they are not as succinct due to the presence of \(w(p;\alpha )\), although we do report the first order condition in Appendix A. Where exactly the trade-off is resolved depends on \(\alpha\) as well as the specific functional form of \(p(x_i)\). This is why the optimal allocation differs over \(\alpha\) for a given \(p(x_i)\), as well as over different \(p(x_i)\) for a given \(\alpha\). Both patterns are displayed in Figs. 2 and 3.

  11.

    The normalization factor \(z=18.2\) was chosen such that 1 unit allocated to an edge would yield a commonly overweighted probability (\(p=0.05\)), while 24 units allocated to an edge would yield a commonly underweighted probability (\(p=0.73\)).

  12.

    These numerical solutions are continuous, although subjects were restricted to discrete (integer-valued) allocations.

  13.

    Further details are presented in Appendix A.

  14.

    Another potential issue for both tasks is that subjects may not understand this point at all, instead of finding it simple. The number of such subjects should be limited due to our subject pool being drawn from a university student population.

  15.

    In only 5 of the 4550 total decisions did subjects allocate less than all 24 units.

  16.

    Due to an error with the software, decision times were not recorded for 4 subjects. For consistency, we present our results only considering the remaining 87 subjects. Where the inclusion of decision times is not necessary, our results do not substantially change if the dropped observations are included.

  17.

    These instructions are available in Appendix G.

  18.

    We consider the same analysis including the Binary Lottery Task in Appendix D. The elicited \(\alpha\)’s of these tasks are not correlated (\(\rho =0.166\), \(p=0.117\)), suggesting the procedural differences are important, or that cognitive ability may play a role.

  19.

    Unless otherwise stated, all p-values and statistical tests are two-sided.

  20.

    \(Prob(Top)=\frac{1}{1+e^{-\lambda (U(Top)-U(Bottom))}}\) if \(U(Top)\ge U(Bottom)\), \(Prob(Top)=\frac{1}{1+e^{-\lambda (U(Bottom)-U(Top))}}\) otherwise, where U(Top) is the weighted then compounded probability of successful attack multiplied by the payoff from a successful attack.

  21.

    The lack of a significant correlation in Network Yellow is not necessarily surprising, due to the deliberate reduction of the separation of \(\alpha\) types in this network to evaluate Hypothesis 2.

  22.

    We also cluster at the individual network task level in an alternative estimation presented in Appendix E. That analysis identifies similar patterns of behavior.

  23.

    It is of course possible that subjects are playing out the attack process in their imagination, while reading the outcomes sequentially.

  24.

    Choi et al. (2018) report evidence suggesting a correlation between cognitive ability and probability weighting.
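
An added example, not code from the paper: it contrasts the two ways of applying probability weighting described in notes 7 and 8 (weight each edge, then compound, versus weight the compounded path probability), using the one-parameter Prelec function and the normalization \(z=18.2\) from note 11. Assumptions: the edge defense probability \(p(x)=1-e^{-x/z}\), which reproduces the two values quoted in note 11; a constructed two-path network whose paths share their final edge; and a defender who minimizes the attacker's best path.

```python
import math
from itertools import product

Z = 18.2      # normalization factor quoted in note 11
BUDGET = 24   # defense units available per decision (notes 11 and 15)

def p_defend(x, z=Z):
    """ASSUMED form: probability that an edge holding x units stops an attack."""
    return 1.0 - math.exp(-x / z)

def prelec(p, alpha):
    """One-parameter Prelec weighting, w(p) = exp(-(-ln p)^alpha)."""
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    return math.exp(-((-math.log(p)) ** alpha))

# Constructed network (not from the paper): two attack paths reach the
# critical node, and both must cross the shared final edge "c".
PATHS = {"top": ("a", "c"), "bottom": ("b", "c")}

def attack_success(alloc, path, alpha=1.0, mode="weight_then_compound"):
    """Perceived probability that an attack along `path` gets through."""
    probs = [p_defend(alloc[edge]) for edge in PATHS[path]]
    if mode == "weight_then_compound":
        # Note 7's 'folding back': weight each layer, then compound.
        return math.prod(1.0 - prelec(p, alpha) for p in probs)
    # Alternative in note 7: compound the layers first, weight once.
    stopped = 1.0 - math.prod(1.0 - p for p in probs)
    return 1.0 - prelec(stopped, alpha)

def worst_case(alloc, alpha=1.0, mode="weight_then_compound"):
    """ASSUMED objective: the attacker takes the most promising path."""
    return max(attack_success(alloc, p, alpha, mode) for p in PATHS)

def best_allocation(alpha, mode="weight_then_compound"):
    """Integer allocation of the full budget minimizing the perceived risk."""
    best, best_val = None, float("inf")
    for a, b in product(range(BUDGET + 1), repeat=2):
        c = BUDGET - a - b
        if c < 0:
            continue
        alloc = {"a": a, "b": b, "c": c}
        val = worst_case(alloc, alpha, mode)
        if val < best_val - 1e-12:
            best, best_val = alloc, val
    return best

if __name__ == "__main__":
    rational = best_allocation(1.0)
    biased = best_allocation(0.5)
    unchanged = best_allocation(0.5, mode="compound_then_weight")
    for name, alloc in (("alpha=1.0", rational), ("alpha=0.5", biased),
                        ("alpha=0.5, compound first", unchanged)):
        # Report the allocation and its TRUE (alpha = 1) worst-case risk.
        print(name, alloc, round(worst_case(alloc, 1.0), 4))
```

With \(\alpha=1\) the whole budget goes to the shared edge; with \(\alpha=0.5\) the defender moves units onto the private edges and the true attack probability rises, while weighting the compounded probability leaves the allocation unchanged, as note 7 states.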


References

  1. Abdallah, M., Naghizadeh, P., Hota, A. R., Cason, T., Bagchi, S., & Sundaram, S. (2019). Protecting assets with heterogeneous valuations under behavioral probability weighting. In 2019 IEEE conference on decision and control (CDC) (pp. 5374–5379).

  2. Abdallah, M., Naghizadeh, P., Hota, A. R., Cason, T., Bagchi, S., & Sundaram, S. (2019). The impacts of behavioral probability weighting on security investments in interdependent systems. In 2019 American control conference (ACC), Philadelphia (pp. 5260–5265).

  3. Acemoglu, D., Malekian, A., & Ozdaglar, A. (2016). Network security and contagion. Journal of Economic Theory, 166, 536–585. ISSN 10957235.

  4. Acquisti, A., & Grossklags, J. (2007). What can behavioral economics teach us about privacy. In A. Acquisti, S. Gritzalis, C. Lambrinoudakis, & S. di Vimercati (Eds.), Digital privacy: Theory, technologies and practices, Chapter 18 (pp. 363–377). Auerbach Publications.

  5. Alaba, F. A., Othman, M., Targio, H., Ibrahim, A., & Alotaibi, F. (2017). Internet of things security: A survey. Journal of Network and Computer Applications, 88, 10–28. ISSN 1084-8045.

  6. An, B., Brown, M., Vorobeychik, Y., & Tambe, M. (2013). Security games with surveillance cost and optimal timing of attack execution. In Proceedings of the 12th international conference on autonomous agents and multiagent systems (AAMAS) (pp. 223–230).

  7. Benartzi, S., & Thaler, R. H. (2001). Naive diversification strategies in defined contribution savings plans. The American Economic Review, 91(1), 79–98.

  8. Bier, V., Oliveros, S., & Samuelson, L. (2007). Choosing what to protect: Strategic defensive allocation against an unknown attacker. Journal of Public Economic Theory, 9(4), 563–587.

  9. Bleichrodt, H., & Pinto, J. L. (2000). A parameter-free elicitation of the probability weighting function in medical decision analysis. Management Science, 46(11), 1485–1496. ISSN 0025-1909.

  10. Bloch, F., Dutta, B., & Dziubinski, M. (2020). A game of hide and seek in networks. arXiv:abs/2001.03132.

  11. Boche, H., Naik, S., & Alpcan, T. (2011). Characterization of convex and concave resource allocation problems in interference coupled wireless systems. IEEE Transactions on Signal Processing, 59(5), 2382–2394.

  12. Bruhin, A., Fehr-Duda, H., & Epper, T. (2010). Risk and rationality: Uncovering heterogeneity in probability distortion. Econometrica, 78(4), 1375–1412. ISSN 0012-9682.

  13. Caplin, A., & Leahy, J. (2001). Psychological expected utility theory and anticipatory feelings. The Quarterly Journal of Economics, 116(1), 55–79.

  14. Caplin, A., & Leahy, J. (2004). The supply of information by a concerned expert. The Economic Journal, 114(497), 487–505.

  15. Chapman, J., Snowberg, E., Wang, S., & Camerer, C. (2018). Loss attitudes in the U.S. population: Evidence from dynamically optimized sequential experimentation (DOSE). Technical report, National Bureau of Economic Research.

  16. Chen, D. L., Schonger, M., & Wickens, C. (2016). oTree—An open-source platform for laboratory, online, and field experiments. Journal of Behavioral and Experimental Finance, 9, 88–97. ISSN 2214-6350.

  17. Choi, S., Kim, J., Lee, E., & Lee, J. (2018). Probability weighting and cognitive ability. SIER Working Paper Series 121, Institute of Economic Research, Seoul National University.

  18. Chowdhury, S. M. (2019). The attack and defense mechanisms-Perspectives from behavioral economics and game theory. Behavioral and Brain Sciences, 42, e121.

  19. Chowdhury, S. M., Kovenock, D., Rojo Arjona, D., & Wilcox, N. T. (2016). Focality and asymmetry in multi-battle contests.

  20. Chowdhury, S. M., Kovenock, D., & Sheremeta, R. M. (2013). An experimental investigation of Colonel Blotto games. Economic Theory, 52(3), 833–861. ISSN 09382259.

  21. Clark, D. J., & Konrad, K. A. (2007). Asymmetric conflict: Weakest link against best shot. Journal of Conflict Resolution, 51(3), 457–469.

  22. Curley, S. P., Yates, J. F., & Abrams, R. A. (1986). Psychological sources of ambiguity avoidance. Organizational Behavior and Human Decision Processes, 38(2), 230–256.

  23. Deck, C., & Sheremeta, R. M. (2012). Fight or flight?: Defending against sequential attacks in the game of siege. Journal of Conflict Resolution, 56(6), 1069–1088.

  24. Dighe, N. S., Zhuang, J., & Bier, V. M. (2009). Secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence. International Journal of Performability Engineering, 5(1), 31–43.

  25. Djawadi, B. M., Endres, A., Hoyer, B., & Recker, S. (2019). Network formation and disruption–An experiment are equilibrium networks too complex? Journal of Economic Behavior and Organization, 157, 708–734. ISSN 01672681.

  26. Dziubiński, M., & Goyal, S. (2013). Network design and defence. Games and Economic Behavior, 79(1), 30–43.

  27. Dziubiński, M., & Goyal, S. (2017). How do you defend a network? Theoretical Economics, 12(1), 331–376. ISSN 1555-7561.

  28. Epper, T., & Fehr-Duda, H. (2018). Unifying risk taking and time discounting: The missing link. Economics Working Paper Series 1812, University of St. Gallen, School of Economics and Political Science.

  29. Fehr-Duda, H., Epper, T., Bruhin, A., & Schubert, R. (2011). Risk and rationality: The effects of mood and decision rules on probability weighting. Journal of Economic Behavior & Organization, 78(1–2), 14–24. ISSN 0167-2681.

  30. Fehr-Duda, H., de Gennaro, M., & Schubert, R. (2006). Gender, financial risk, and probability weights. Theory and Decision, 60(2–3), 283–313.

  31. Feng, S., Xiong, Z., Niyato, D., Wang, P., Wang, S. S., & Shen, X. S. (forthcoming). Joint pricing and security investment in cloud security service market with user interdependency. IEEE Transactions on Services Computing.

  32. Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2014). Game theory meets information security management. In International information security conference (IFIP) (pp. 15–29).

  33. Fréchette, G. R. (2015). Experiments: professionals versus students. In G. Frechette & A. Schotter (Eds.), Handbook of experimental economic methodology, Chapter 17 (pp. 360–390). Oxford University Press.

  34. Frey, B. J. & Dueck, D. (2007). Clustering by passing messages between data points. Science, 315, 972–976.

  35. Gartner. (2018). Gartner forecasts worldwide information security spending to exceed $124 Billion in 2019.

  36. Goyal, S., & Vigier, A. (2014). Attack, defence, and contagion in networks. The Review of Economic Studies, 81(4), 1518–1542.

  37. Greiner, B. (2015). Subject pool recruitment procedures: Organizing experiments with ORSEE. Journal of the Economic Science Association, 1(1), 114–125. ISSN 2199-6776.

  38. Guan, P., He, M., Zhuang, J., & Hora, S. C. (2017). Modeling a multitarget attacker-defender game with budget constraints. Decision Analysis, 14(2), 87–107.

  39. Homer, J., Zhang, S., Ou, X., Schmidt, D., Du, Y., Rajagopalan, S. R., et al. (2013). Aggregating vulnerability metrics in enterprise networks using attack graphs. Journal of Computer Security, 21(4), 561–597.

  40. Hota, A. R., Clements, A. A., Sundaram, S., & Bagchi, S. (2016). Optimal and game-theoretic deployment of security investments in interdependent assets (pp. 101–113). Springer.

  41. Hota, A. R., Clements, A. A., Bagchi, S., & Sundaram, S. (2018). A game-theoretic framework for securing interdependent assets in networks. In S. Rass & S. Schauer (Eds.), Game theory for security and risk management: From theory to practice (pp. 157–184). Springer.

  42. Hoyer, B., & Rosenkranz, S. (2018). Determinants of equilibrium selection in network formation: An experiment. Games, 9(4), 89. ISSN 2073-4336.

  43. Humayed, A., Lin, J., Li, F., & Luo, B. (2017). Cyber-physical systems security–A survey. IEEE Internet of Things Journal, 4(6), 1802–1831. ISSN 2327-4662.

  44. Jauhar, S., Chen, B., Temple, W. G., Dong, X., Kalbarczyk, Z., Sanders, W. H., & Nicol, D. M. (2015). Model-based cybersecurity assessment with NESCOR smart grid failure scenarios. In 2015 IEEE 21st Pacific Rim international symposium on dependable computing (PRDC). IEEE. ISBN 978-1-4673-9376-8.

  45. Kosfeld, M. (2004). Economic networks in the laboratory: A survey. Review of Network Economics, 3(1), 20–42.

  46. Kovenock, D., & Roberson, B. (2018). The optimal defense of networks of targets. Economic Inquiry, 56(4), 2195–2211.

  47. Kovenock, D., Roberson, B., & Sheremeta, R. M. (2019). The attack and defense of weakest-link networks. Public Choice, 179(3–4), 175–194. ISSN 15737101.

  48. Lee, E. (2015). The past, present and future of cyber-physical systems: A focus on models. Sensors, 15(3), 4837–4869. ISSN 1424-8220.

  49. Leibowitz, H., Piotrowska, A. M., Danezis, G., & Herzberg A. (2019). No right to remain silent: Isolating malicious mixes. In 28th USENIX security symposium (USENIX security 19) (pp. 1841–1858). USENIX Association. ISBN 978-1-939133-06-9.

  50. George, L. (1987). Anticipation and the valuation of delayed consumption. The Economic Journal, 97(387), 666.

  51. Logg, J. M., Minson, J. A., & Moore, D. A. (2019). Algorithm appreciation: People prefer algorithmic to human judgment. Organizational Behavior and Human Decision Processes, 151, 90–103. ISSN 07495978.

  52. McBride, M., & Hewitt, D. (2013). The enemy you can’t see: An investigation of the disruption of dark networks. Journal of Economic Behavior & Organization, 93, 32–50. ISSN 01672681.

  53. McKelvey, R. D., & Palfrey, T. R. (1995). Quantal response equilibria for normal form games. Games and Economic Behavior, 10(1), 6–38.

  54. Mersinas, K., Hartig, B., Martin, K. M., & Seltzer, A. (2016). Are information security professionals expected value maximizers?: An experiment and survey based test. Journal of Cybersecurity, 2(1), 57–70.

  55. Modelo-Howard, G., Bagchi, S., & Lebanon, G. (2008). Determining placement of intrusion detectors for a distributed application through Bayesian network modeling. In 11th international symposium on research in attacks, intrusions and defenses (RAID) (pp. 271–290).

  56. Nguyen, K. C., Alpcan, T., & Basar, T. (2010). Stochastic games for security in networks with interdependent nodes. arXiv:abs/1003.2440.

  57. Nikoofal, M. E., & Zhuang, J. (2012). Robust allocation of a defensive budget considering an attacker’s private information. Risk Analysis: An International Journal, 32(5), 930–943.

  58. Nithyanand, R., Starov, O., Zair, A., Gill, P., & Schapira, M. (2016). Measuring and mitigating AS-level adversaries against Tor. In Network & Distributed System Security Symposium (NDSS).

  59. Pal, R., & Golubchik, L. (2010). Analyzing self-defense investments in internet security under cyber-insurance coverage. In 2010 IEEE 30th international conference on distributed computing systems (pp. 339–347). IEEE.

  60. Paté-Cornell, M. E., Kuypers, M., Smith, M., & Keller, P. (2018). Cyber risk management for critical infrastructure: A risk analysis model and three case studies. Risk Analysis, 38(2), 226–241. ISSN 15396924.

  61. Prelec, D. (1998). The probability weighting function. Econometrica, 66(3), 497. ISSN 00129682.

  62. Quiggin, J. (1982). A theory of anticipated utility. Journal of Economic Behavior & Organization, 3(4), 323–343. ISSN 0167-2681.

  63. Sheremeta, R. M. (2019). The attack and defense games. Behavioral and Brain Sciences, 42, e140. ISSN 0140-525X.

  64. Sheyner, O., & Wing, J. (2003). Tools for generating and analyzing attack graphs. In International symposium on formal methods for components and objects (FMCO) (pp. 344–371). Springer.

  65. Sun, X., Shen, C., Chang, T.-H., & Zhong, Z. (2018). Joint resource allocation and trajectory design for UAV-aided wireless physical layer security. In 2018 IEEE Globecom workshops (GC Wkshps) (pp. 1–6). IEEE.

  66. Tanaka, T., Camerer, C. F., & Nguyen, Q. (2010). Risk and time preferences: Linking experimental and household survey data from Vietnam. American Economic Review, 100(1), 557–571. ISSN 0002-8282.

  67. Tversky, A., & Kahneman, D. (1992). Advances in prospect theory: Cumulative representation of uncertainty. Journal of Risk and Uncertainty, 5(4), 297–323. ISSN 0895-5646.

  68. Wu, D., Xiao, H., & Peng, R. (2018). Object defense with preventive strike and false targets. Reliability Engineering & System Safety, 169, 76–80.

  69. Xie, P., Li, J. H., Xinming, O., Liu, P., & Levy, R. (2010). Using Bayesian networks for cyber security analysis. In Proceedings of the international conference on dependable systems and networks (DNS) (pp. 211–220). ISBN 9781424475018.

  70. Yang, R., Kiekintveld, C., Ordonez, F., Tambe, M., & John, R. (2011). Improving resource allocation strategy against human adversaries in security games. In 22nd international joint conference on artificial intelligence (IJCAI).

Author information



Corresponding author

Correspondence to Timothy Cason.

Additional information

This research was supported by grant CNS-1718637 from the National Science Foundation. We thank the editor, two anonymous referees, and participants at the Economic Science Association and Jordan-Wabash conferences for valuable comments.

About this article

Cite this article

Woods, D., Abdallah, M., Bagchi, S. et al. Network defense and behavioral biases: an experimental study. Exp Econ (2021).


  • Laboratory experiment
  • Probability weighting
  • Naive diversification
  • Network security