The Price of Uncertainty in Security Games

  • Jens Grossklags
  • Benjamin Johnson
  • Nicolas Christin
Conference paper

Abstract

In the realm of information security, lack of information about other users' incentives in a network can lead to inefficient security choices and reductions in individuals' payoffs. We propose, contrast and compare three metrics for measuring the price of uncertainty due to the departure from the payoff-optimal security outcomes under complete information. By analogy with other efficiency metrics, such as the price of anarchy, we define the price of uncertainty as the maximum discrepancy in expected payoff in a complete information environment versus the payoff in an incomplete information environment. We consider difference, payoff-ratio, and cost-ratio metrics as canonical nontrivial measurements of the price of uncertainty. We conduct an algebraic, numerical, and graphical analysis of these metrics applied to different well-studied security scenarios proposed in prior work (i.e., best shot, weakest link, and total effort). In these scenarios, we study how a fully rational expert agent could use the metrics to decide whether to gather information about the economic incentives of multiple nearsighted and naïve agents. We find substantial differences between the various metrics and evaluate their appropriateness for security choices in networked systems.


Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Jens Grossklags (1)
  • Benjamin Johnson (2)
  • Nicolas Christin (2)
  1. Center for Information Technology Policy, Sherrerd Hall, Princeton University, Princeton, USA
  2. CyLab, Carnegie Mellon University, Pittsburgh, USA