Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information

  • Benjamin Johnson
  • Jens Grossklags
  • Nicolas Christin
  • John Chuang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6345)


A common assumption in security research is that more individual expertise unambiguously leads to a more secure overall network. We present a game-theoretic model in which this common assumption does not hold. Our findings indicate that expert users can be not only invaluable contributors, but also free-riders, defectors, and narcissistic opportunists. A direct application is that user education needs to highlight the cooperative nature of security and foster a sense of community, in particular among higher-skilled computer users.

As a technical contribution, this paper represents, to our knowledge, the first formal study to quantitatively assess the impact of different degrees of information security expertise on the overall security of a network.


Keywords

Security Economics; Game Theory; Bounded Rationality; Limited Information





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Benjamin Johnson (1)
  • Jens Grossklags (2)
  • Nicolas Christin (1)
  • John Chuang (3)
  1. CyLab, Carnegie Mellon University
  2. Center for Information Technology Policy, Princeton University
  3. School of Information, University of California, Berkeley
