Nash Equilibria for Weakest Target Security Games with Heterogeneous Agents

  • Benjamin Johnson
  • Jens Grossklags
  • Nicolas Christin
  • John Chuang
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 75)


Motivated attackers cannot always be blocked or deterred. In the physical-world security context, examples include suicide bombers and sexual predators. In computer networks, zero-day exploits unpredictably threaten the information economy and end users. In this paper, we study the conflicting incentives of individuals to act in the light of such threats.

More specifically, in the weakest target game an attacker will always be able to compromise the agent (or agents) with the lowest protection level, but will leave all others unscathed. We find the game to exhibit a number of complex phenomena. It does not admit pure Nash equilibria, and when players are heterogeneous in some cases the game does not even admit mixed-strategy equilibria.

Most outcomes from the weakest-target game are far from ideal. In fact, payoffs for most players in any Nash equilibrium are far worse than in the game’s social optimum. However, under the rule of a social planner, average security investments are extremely low. The game thus leads to a conflict between pure economic interests, and common social norms that imply that higher levels of security are always desirable.


Security Economics Game Theory Heterogeneity 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R., Moore, T.: The economics of information security. Science 314(5799), 610–613 (2006)CrossRefGoogle Scholar
  2. 2.
    Böhme, R., Schwartz, G.: Modeling cyber-insurance: Towards a unifying framework. In: Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010), Cambridge, MA (June 2010)Google Scholar
  3. 3.
    Christin, N., Grossklags, J., Chuang, J.: Near rationality and competitive equilibria in networked systems. In: Proceedings of ACM SIGCOMM 2004 Workshop on Practice and Theory of Incentives in Networked Systems (PINS), Portland, OR, pp. 213–219 (August 2004)Google Scholar
  4. 4.
    Cornes, R., Sandler, T.: The theory of externalities, public goods, and club goods. Cambridge University Press, Cambridge (1986)zbMATHGoogle Scholar
  5. 5.
    Dixit, A., Skeath, S.: Games of Strategy. Norton & Company, New York (1999)Google Scholar
  6. 6.
    Fultz, N., Grossklags, J.: Blue versus Red: Towards a Model of Distributed Security Attacks. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 167–183. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proceedings of the 2008 World Wide Web Conference (WWW 2008), Beijing, China, pp. 209–218 (April 2008)Google Scholar
  8. 8.
    Grossklags, J., Christin, N., Chuang, J.: Security and insurance management in networks with heterogeneous agents. In: Proceedings of the 9th ACM Conference on Electronic Commerce (EC 2008), Chicago, IL, pp. 160–169 (July 2008)Google Scholar
  9. 9.
    Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G., Paxson, V., Savage, S.: Spamalytics: An empirical analysis of spam marketing conversion. In: Proceedings of the Conference on Computer and Communications Security (CCS), Alexandria, VA, pp. 3–14 (October 2008)Google Scholar
  10. 10.
    Kearns, M., Ortiz, L.: Algorithms for interdependent security games. In: Thrun, S., Saul, L., Schölkopf, B. (eds.) Advances in Neural Information Processing Systems 16, pp. 561–568. MIT Press, Cambridge (2004)Google Scholar
  11. 11.
    Kunreuther, H., Heal, G.: Interdependent security. Journal of Risk and Uncertainty 26(2-3), 231–249 (2003)CrossRefzbMATHGoogle Scholar
  12. 12.
    Lelarge, M., Bolot, J.: Network externalities and the deployment of security features and protocols in the Internet. In: Proceedings of the ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS 2008), Annapolis, MA, pp. 37–48 (June 2008)Google Scholar
  13. 13.
    Miura-Ko, A., Yolken, B., Mitchell, J., Bambos, N.: Security decision-making among interdependent organizations. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF 2008), Pittsburgh, PA, pp. 66–80 (June 2008)Google Scholar
  14. 14.
    Nguyen, K., Alpcan, T., Basar, T.: Stochastic games for security in networks with interdependent nodes. In: Proceedings of the International Conference on Game Theory for Networks (GameNets 2009), Istanbul, Turkey, pp. 697–703 (May 2009)Google Scholar
  15. 15.
    Rapoport, A., Chammah, A.: Prisoner’s Dilemma: A Study in Conflict and Cooperation. Ann Arbor Paperbacks, University of Michigan Press (1965)Google Scholar
  16. 16.
    Rapoport, A., Chammah, A.: The game of chicken. American Behavioral Scientist 10(3), 10–28 (1966)CrossRefGoogle Scholar
  17. 17.
    Roy, S., Ellis, C., Shiva, S., Dasgupta, D., Shandilya, V., Wu, Q.: A survey of game theory as applied to network security. In: Proceedings of the 43rd Hawaii International Conference on System Sciences (HICSS 2010), Koloa, HI, pp. 1–10 (January 2010)Google Scholar
  18. 18.
    Skoudis, E.: Malware: Fighting malicious code. Prentice Hall, Upper Saddle River (2004)Google Scholar
  19. 19.
    Varian, H.: System reliability and free riding. In: Camp, J., Lewis, S. (eds.) Economics of Information Security. Advances in Information Security, vol. 12, pp. 1–15. Kluwer Academic Publishers, Dordrecht (2004)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2012

Authors and Affiliations

  • Benjamin Johnson
    • 1
    • 4
  • Jens Grossklags
    • 2
  • Nicolas Christin
    • 1
    • 3
  • John Chuang
    • 4
  1. 1.CyLabCarnegie Mellon UniversityUSA
  2. 2.College of Information Sciences and TechnologyPennsylvania State UniversityUSA
  3. 3.Information Networking InstituteCarnegie Mellon UniversityUSA
  4. 4.School of InformationUniversity of CaliforniaBerkeleyUSA

Personalised recommendations