Securing Infrastructure Facilities: When Does Proactive Defense Help?

Infrastructure systems are increasingly facing new security threats due to the vulnerabilities of cyber-physical components that support their operation. In this article, we investigate how the infrastructure operator (defender) should prioritize the investment in securing a set of facilities in order to reduce the impact of a strategic adversary (attacker) who can target a facility to increase the overall usage cost of the system. We adopt a game-theoretic approach to model the defender-attacker interaction and study two models: normal form game—where both players move simultaneously—and sequential game—where attacker moves after observing the defender’s strategy. For each model, we provide a complete characterization of how the set of facilities that are secured by the defender in equilibrium vary with the costs of attack and defense. Importantly, our analysis provides a sharp condition relating the cost parameters for which the defender has the first-mover advantage. Specifically, we show that to fully deter the attacker from targeting any facility, the defender needs to proactively secure all “vulnerable facilities” at an appropriate level of effort. We illustrate the outcome of the attacker–defender interaction on a simple transportation network. We also suggest a dynamic learning setup to understand how this outcome can affect the ability of imperfectly informed users to make their decisions about using the system in the post-attack stage.


Introduction
In this article, we consider the problem of strategic allocation of defense effort to secure one or more facilities of an infrastructure system that is prone to a targeted attack by a malicious adversary.The setup is motivated by the recent incidents and projected threats to critical infrastructures such as transportation, electricity, and urban water networks ( [39], [42], [44], and [35]).Two of the well-recognized security concerns faced by infrastructure operators are: (i) How to prioritize investments among facilities that are heterogeneous in terms of the impact that their compromise can have on the overall efficiency (or usage cost) of the system; and (ii) Whether or not an attacker can be fully deterred from launching an attack by proactively securing some of the facilities.Our work addresses these questions by focusing on the most basic form of strategic interaction between the system operator (defender) and an attacker, modeled as a normal form (simultaneous) or a sequential (Stackelberg) game.The normal form game is relevant to situations in which the attacker cannot directly observe the chosen security plan, whereas the sequential game applies to situations where the defender proactively secures some facilities, and the attacker can observe the defense strategy.
Our model is relevant for assessing strategic defense decisions for an infrastructure system viewed as a collection of facilities.In our model, each facility is considered as a distinct entity for the purpose of investment in defense, and multiple facilities can be covered by a single investment strategy.The attacker can target a single facility and compromise its operation, thereby affecting the overall operating efficiency of the system.Both players choose randomized strategies.The performance of the system is evaluated by a usage cost, whose value depends on the actions of both players.In particular, if an undefended facility is targeted by the attacker, it is assumed to be compromised, and this outcome is reflected as a change in the usage cost.Naturally, the defender aims to maintain a low usage cost, while the attacker wishes to increase the usage cost.The attacker (resp.defender) incurs a positive cost in targeting (resp.securing) a unit facility.Thus, both players face a trade-off between the usage cost and the attack/defense costs, which results in qualitatively different equilibrium regimes.
We analyze both normal form and sequential games in the above-mentioned setting.First, we provide a complete characterization of the equilibrium structure in terms of the relative vulnerability of different facilities and the costs of defense/attack for both games.Secondly, we identify ranges of attack and defense costs for which the defender gets the first mover advantage by investing in proactive defense.Furthermore, we relate the outcome of this game (post-attack stage) to a dynamic learning problem in which the users of the infrastructure system are not fully informed about the realized security state (i.e. the identity of compromised facility).
We now outline our main results.To begin our analysis, we make the following observations.Analogous to [24], we can represent the defender's mixed strategy by a vector with elements corresponding to the probabilities for each facility being secured.The defender's mixed strategy can also be viewed as her effort on each facility.Moreover, the attacker/defender only targets/secures facilities whose disruption will result in an increase in the usage cost (Proposition 1).If the increase in the usage cost of a facility is larger than the cost of attack, then we say that it is a vulnerable facility.
Our approach to characterizing Nash equilibrium (NE) of the normal form game is based on the fact that it is strategically equivalent to a zero-sum game.Hence, the set of attacker's equilibrium strategies can be obtained as the optimal solution set of a linear optimization program (Proposition 2).For any given attack cost, we show that there exists a threshold cost of defense, which distinguishes two equilibrium regime types, named as type I and type II regimes.Theorem 1 shows that when the defense cost is lower than the cost threshold (type I regimes), the total attack probability is positive but less than 1, and all vulnerable facilities are secured by the defender with positive probability.On the other hand, when the defense cost is higher than the threshold (type II regimes), the total attack probability is 1, and some vulnerable facilities are not secured at all.We develop a new approach to characterize the subgame perfect equilibrium (SPE) of the sequential game, noting that the strategic equivalence to zero-sum game no longer holds in this case.In this game, the defender, as the first mover, either proactively secures all vulnerable facilities with a threshold security effort so that the attacker does not target any facility, or leaves at least one vulnerable facility secured with an effort less than the threshold while the total attack probability is 1.For any attack cost, we establish another threshold cost of the defense, which is strictly higher than the corresponding threshold in the normal form game.This new threshold again distinguishes the equilibrium strategies into two regime types, named as type I and type II regimes.Theorem 2 shows that when the defense cost is lower than the cost threshold (type I regimes), the defender can fully deter the attacker by proactively securing all vulnerable facilities with the threshold security effort.On the other hand, when the defense cost is higher than the threshold (type II regimes), the defender maintains the same level of security effort as that in NE, while the total attack probability is 1.
Our characterization shows that both NE and SPE satisfy the following intuitive properties: (i) Both the defender and attack prioritize the facilities that results in a high usage cost when compromised; (ii) The attack and defense costs jointly determine the set of facilities that are targeted or secured in equilibrium.On one hand, as the attack cost decreases, more facilities are vulnerable to attack.On the other hand, as the defense cost decreases, the defender secures more facilities with positive effort, and eventually when the defense cost is below a certain threshold (defined differently in each game), all vulnerable facilities are secured with a positive effort; (iii) Each player's equilibrium payoff is non-decreasing in the opponent's cost, and non-increasing in her own cost.
It is well-known in the literature on two player games that so long as both players can choose mixed strategies, the equilibrium utility of the first mover in a sequential game is no less than that in a normal form game ( [8] (pp.126), [49]).However, cases can be found where the first mover advantage changes from positive to zero when the attacker's observed signal of the defender's strategy is associated with a noise ( [7]).In the security game setting, the paper [12] analyzed a game where there are two facilities, and the attacker's valuation of each facility is private information.They identify a condition under which the defender's equilibrium utility is strictly higher when his strategy can be observed by the attacker.In contrast, our model considers multiple facilities, and assumes that both players have complete information of the usage cost of each facility.
In fact, for our model, we are able to provide sharp conditions under which proactive defense strictly increases the defender's utility.Given any attack cost, unless the defense cost is "relatively high" (higher than the threshold cost in the sequential game), proactive defense is advantageous in terms of strictly improving the defender's utility and fully deterring the attack.However, if the defense cost is "relatively medium" (lower than the threshold cost in sequential game, but higher than that in the normal form game), a higher security effort on each vulnerable facility is required to gain the first mover advantage.Finally, if the defense cost is "relatively low" (lower than the threshold cost in the normal form game), then the defender can gain advantage by simply making the first move with the same level of security effort as that in the normal form game.
Note that our approach to characterizing NE and SPE can be readily extended to models with facility-dependent cost parameters and less than perfect defense.We conjecture that a different set of techniques will be required to tackle the more general situation in which the attacker can target multiple facilities at the same time; see [22] for related work in this direction.However, even when the attacker targets multiple facilities, one can find game parameters for which the defender is always strictly better off in the sequential game.
Finally, we provide a brief discussion on rational learning dynamics, aimed at understanding how the outcome of the attacker-defender interaction -which may or may not result in compromise of a facility (state) -effects the ability of system users to learn about the realized state through a repeated use of the system.A key issue is that the uncertainty about the realized state can significantly impact the ability of users to make decisions to ensure that their long-term cost corresponds to the true usage cost of the system.We explain this issue using a simple transportation network as an example, in which rational travelers (users) need to learn about the identity of the facility that is likely to be compromised using imperfect information about the attack and noisy realizations of travel time in each stage of a repeated routing game played over the network.
The results reported in this article contribute to the study on the allocation of defense resources on facilities against strategic adversaries, as discussed in [41] and [12].The underlying assumption that drives our analysis is that an attack on each facility can be treated independently for the purpose of evaluating its impact on the overall usage cost.Other papers that also make this assumption include [11], [13], [2], and [16].Indeed, when the impact of facility compromises are related to the network structure, facilities can no longer be treated independently, and the network structure becomes a crucial factor in analyzing the defense strategy ( [26]).Additionally, network connections can also introduce the possibility of cascading failure among facilities, which is addressed in [1], and [30].These settings are not covered by our model.
The paper is structured as follows: In Sec. 2, we introduce the model of both games, and discuss the modeling assumptions.We provide preliminary results to facilitate our analysis in Sec. 3. Sec. 4 characterizes NE, and Sec. 5 characterizes SPE.Sec. 6 compares both games.We discuss some extensions of our model and briefly introduce dynamic aspects in Sec. 7.
All proofs are included in the appendix.
2 The Model

Attacker-Defender Interaction: Normal Form versus Sequential Games
Consider an infrastructure system modeled as a set of components (facilities) E. To defend the system against an external malicious attack, the system operator (defender) can secure one or more facilities in E by investing in appropriate security technology.The set of facilities in question can include cyber or physical elements that are crucial to the functioning of the system.These facilities are potential targets for a malicious adversary whose goal is to compromise the overall functionality of the system by gaining unauthorized access to certain cyber-physical elements.The security technology can be a combination of proactive mechanisms (authentication and access control) or reactive ones (attack detection and response).Since our focus is on modeling the strategic interaction between the attacker and defender at a system level, we do not consider the specific functionalities of individual facilities or the protection mechanisms offered by various technologies.
We now introduce our game theoretic model.Let us denote a pure strategy of the defender as s d ⊆ E, with s d ∈ S d = 2 E .The cost of securing any facility is given by the parameter p d ∈ R >0 .Thus, the total defense cost incurred in choosing a pure strategy where |s d | is the cardinality of s d (i.e., the number of secured facilities).The attacker chooses to target a single facility e ∈ E or not to attack.We denote a pure strategy of the attacker as s a ∈ S a = E ∪ {∅}.The cost of an attack is given by the parameter p a ∈ R >0 , and it reflects the effort that attacker needs to spend in order to successfully targets a single facility and compromise its operation.
We assume that prior to the attack, the usage cost of the system is C ∅ .This cost represents the level of efficiency with which the defender is able to operate the system for its users.A higher usage cost reflects lower efficiency.If a facility e is targeted by the attacker but not secured by the defender, we consider that e is compromised and the usage cost of the system changes to C e .Therefore, given any pure strategy profile (s d , s a ), the usage cost after the attacker-defender interaction, denoted C(s d , s a ), can be expressed as follows: To study the effect of timing of the attacker-defender interaction, prior literature on security games has studied both normal form game and sequential games ( [5]).We study both models in our setting.In the normal form game, denoted Γ, the defender and the attacker move simultaneously.On the other hand, in the sequential game, denoted Γ, the defender moves in the first stage and the attacker moves in the second stage after observing the defender's strategy.We allow both players to use mixed strategies.In Γ, we denote the defender's mixed strategy as , where σ d (s d ) is the probability that the set of secured facilities is s d .Similarly, a mixed strategy of the attacker is σ a ∆ = (σ a (s a )) sa∈Sa ∈ ∆(S a ), where σ a (s a ) is the probability that the realized action is s a .Let σ = (σ d , σ a ) denote a mixed strategy profile.In Γ, the defender's mixed strategy where σ a (s a , σ d ) is the probability that the realized action is s a when the defender's strategy is σ d .A strategy profile in this case is denoted as σ = ( σ d , σ a ( σ d )).
The defender's utility is comprised of two parts: the negative of the usage cost as given in (1) and the defense cost incurred in securing the system.Similarly, the attacker's utility is the usage cost net the attack cost.For a pure strategy profile (s d , s a ), the utilities of defender and attacker can be respectively expressed as follows: For a mixed strategy profile (σ d , σ a ), the expected utilities can be written as: where E σ [C] is the expected usage cost, and is the expected number of defended (resp.targeted) facilities, i.e.: An equilibrium outcome of the game Γ is defined in the sense of Nash Equilibrium (NE).A strategy profile σ In the sequential game Γ, the solution concept is that of a Subgame Perfect Equilibrium (SPE), which is also known as Stackelberg equilibrium.A strategy profile Since both S d and S a are finite sets, and we consider mixed strategies, both NE and SPE exist.

Model Discussion
One of our main assumptions is that the attacker's capability is limited to targeting at most one facility, while the defender can invest in securing multiple facilities.Although this assumption appears to be somewhat restrictive, it enables us to derive analytical results on the equilibrium structure for a system with multiple facilities.The assumption can be justified in situations where the attacker can only target system components in a localized manner.Thus, a facility can be viewed as a set of collocated components that can be simultaneously targeted by the attacker.For example, in a transportation system, a facility can be a vulnerable link (edge), or a set of links that are connected by a vulnerable node (an intersection or a hub).In Sec.7.1, we briefly discuss the issues in solving a more general game where multiple facilities can be simultaneously targeted by the attacker.Secondly, our model assumes that the costs of attack and defense are identical across all facilities.We make this assumption largely to avoid the notational burden of analyzing the effect of facility-dependent attack/defense cost parameters on the equilibrium structures.In fact, as argued in Sec.7.1, the qualitative properties of equilibria still hold when cost parameters are facility-dependent.However, characterizing the equilibrium regimes in this case can be quite tedious, and may not necessarily provide new insights on strategic defense investments.
Thirdly, we allow both players to choose mixed strategies.Indeed, mixed strategies are commonly considered in security games as a pure NE may not always exists.A mixed strategy entails a player's decision to introduce randomness in her behavior, i.e. the manner in which a facility is targeted (resp.secured) by the attacker (resp.defender).Consider for example, the problem of inspecting a transportation network facing risk of a malicious attack.In this problem, a mixed strategy can be viewed as randomized allocation of inspection effort on subsets of facilities.Mixed strategy of the attacker can be similarly interpreted.
Fourthly, we assume that the defender has the technological means to perfectly secure a facility.In other words, an attack on a secured facility cannot impact its operation.As we will see in Sec. 3, the defender's mixed strategy can be viewed as the level of security effort on each facility, where the effort level 1 (maximum) means perfect security, and 0 (minumum) means no security.Under this interpretation, the defense cost p d is the cost of perfectly securing a unit facility (i.e., with maximum level of effort), and the expected defense cost is p d scaled by the security effort defined by the defender's mixed strategy.
Fifthly, we do not consider a specific functional form for modeling the usage cost.In our model, for any facility e ∈ E, the difference between the post-attack usage cost C e and the pre-attack cost C ∅ represents the change of the usage cost of the system when e is compromised.This change can be evaluated based on the type of attacker-defender interaction one is interested in studying.For example, in situations when attack on a facility results in its complete disruption, one can use a connectivity-based metric such as the number of active source-destination paths or the number of connected components to evaluate the usage cost ( [25] and [26]).On the other hand, in situations when facilities are congestible resources and an attack on a facility increases the users' cost of accessing it, the system's usage cost can be defined as the average cost for accessing (or routing through) the system.This cost can be naturally evaluated as the user cost in a Wardrop equilibrium ( [13]), although socially optimal cost has also been considered in the literature ( [3]).
Finally, we note that for the purpose of our analysis, the usage cost as given in (1) fully captures the impact of player' actions on the system.For any two facilities e, e ∈ E, the ordering of C e and C e determines the relative scale of impact of the two facilities.As we show in Sec.4-5, the order of cost functions in the set {C e } e∈E plays a key role in our analysis approach.Indeed the usage cost is intimately linked with the network structure and way of operation (for example, how individual users are routed through the network and how their costs are affected by a compromised facility).Barring a simple (yet illustrative) example, we do not elaborate further on how the network structure and/or the functional form of usage cost changes the interpretations of equilibrium outcome.We also do not discuss the computational aspects of arriving at the ordering of usage costs.

Rationalizable Strategies and Aggregate Defense Effort
We introduce two preliminary results that are useful in our subsequent analysis.Firstly, we show that the defender's strategy can be equivalently represented by a vector of facilityspecific security effort levels.Secondly, we identify the set of rationalizable strategies of both players.
For any defender's mixed strategy σ d ∈ ∆(S d ), the corresponding security effort vector is ρ(σ d ) = (ρ e (σ d )) e∈E , where ρ e (σ d ) is the probability that facility e is secured: In The following defender's strategy is feasible and induces ρ: For any remaining We now re-express the player utilities in (2) in terms of (ρ(σ d ), σ a ) as follows: Thus, for any given attack strategy and any two defense strategies, if the induced security effort vectors are identical, then the corresponding utility for each player is also identical.Henceforth, we denote the player utilities as U d (ρ, σ a ) and U a (ρ, σ a ), and use σ d and ρ e (σ d ) interchangeably in representing the defender's strategy.For the sequential game Γ, we analogously denote the security effort vector given the strategy σ d as ρ( σ d ), and the defender's utility (resp.attacker's utility) as U d (ρ, σ a ) (resp.U a (ρ, σ a )).We next characterize the set of rationalizable strategies.Note that the post-attack usage cost C e can increase or remain the same or even decrease, in comparison to the pre-attack cost C ∅ .Let the facilities whose damage result in an increased usage cost be grouped in the set Ē. Similarly, let E denote the set of facilities such that a damage to any one of them has no effect on the usage cost.Finally, the set of remaining facilities is denoted as E. Thus: Clearly, Ē ∪ E ∪ E = E.The following proposition shows that in a rationalizable strategy profile, the defender does not secure facilities that are not in Ē, and the attacker only considers targeting the facilities that are in Ē.
Proposition 1.The rationalizable action sets for the defender and attacker are given by 2 Ē and Ē ∪ {∅}, respectively.Hence, any equilibrium strategy profile (ρ * , σ * a ) in Γ (resp. (ρ * , σ * a ) in Γ) satisfies: If Ē = ∅, then the attacker/defender does not attack/secure any facility in equilibrium.Henceforth, to avoid triviality, we assume Ē = ∅.Additionally, we define a partition of facilities in Ē such that all facilities with identical C e are grouped in the same set.Let the number of distinct values in {C e } e∈ Ē be K, and C (k) denote the k-th highest distinct value in the set {C e } e∈ Ē .Then, we can order the usage costs as follows: We denote Ē(k) as the set of facilities such that if any e ∈ Ē(k) is damaged, the usage Facilities in the same group have identical impact on the infrastructure system when compromised.

Normal Form Game Γ
In this section, we provide complete characterization of the set of NE for any given attack and defense cost parameters in game Γ.In Sec.4.1, we show that Γ is strategically equivalent to a zero-sum game, and hence the set of attacker's equilibrium strategies can be solved by a linear program.In Sec.4.2, we show that the space of cost parameters (p a , p d ) ∈ R 2 >0 can be partitioned into qualitatively distinct equilibrium regimes.

Strategic Equivalence to Zero-Sum Game
Our notion of strategic equivalence is the same as the best-response equivalence defined in [43].If Γ and another game Γ 0 are strategically equivalent, then given any strategy of the defender (resp.attacker), the set of attacker's (resp.defender's) best responses is identical in the two games.This result forms the basis of characterizing the set of NE.We define the utility functions of the game Γ 0 as follows: Thus, Γ 0 is a zero-sum game.We denote the set of defender's (resp.attacker's) equilibrium strategies in Γ 0 as Σ 0 d (resp.Σ 0 a ).
Lemma 2. The normal form game Γ is strategically equivalent to the zero sum game Γ 0 .The set of defender's (resp.attacker's) equilibrium strategies in Based on Lemma 2, the set of attacker's equilibrium strategies Σ * a can be expressed as the optimal solution set of a linear program.Proposition 2. The set Σ * a is the optimal solution set of the following optimization problem: Furthermore, (10) is equivalent to the following linear optimization program: In Proposition 2, the objective function V (σ a ) is a piecewise linear function in σ a .Furthermore, given any σ a and any e ∈ Ē, we can write: Thus, we can observe that if σ a (e) equals to • C e , i.e. if a facility e is targeted with the threshold attack probability p d /(C e − C ∅ ), the defender is indifferent between securing e versus not.The following lemma analyzes the defender's best response to the attacker's strategy, and shows that no facility is targeted with probability higher than the threshold probability in equilibrium.
Lemma 3. Given any strategy of the attacker σ a ∈ ∆(S a ), for any defender's security effort ρ that is a best response to σ a , denoted ρ ∈ BR(σ a ), the security effort ρ e on each facility e ∈ E satisfies: Furthermore, in equilibrium, the attacker's strategy σ * a satisfies: Lemma 3 highlights a key property of NE: The attacker does not target at any facility e ∈ Ē with probability higher than the threshold p d /(C e − C ∅ ), and the defender allocates a non-zero security effort only on the facilities that are targeted with the threshold probability.
Intuitively, if a facility e were to be targeted with a probability higher than the threshold p d /(C e − C ∅ ), then the defender's best response would be to secure that facility with probability 1, and the attacker's expected utility will be −C ∅ − p a σ a (e), which is smaller than −C ∅ (utility of no attack).Hence, the attacker would be better off by choosing the no attack action.Now, we can re-write V (σ a ) as defined in (10) as follows: and the set of attacker's equilibrium strategies maximizes this function.

Characterization of NE in Γ
We are now in the position to introduce the equilibrium regimes.Each regime corresponds to a range of cost parameters such that the qualitative properties of equilibrium (i.e. the set of facilities that are targeted and secured) do not change in the interior of each regime.We say that a facility e is vulnerable if C e − p a > C ∅ .Therefore, given any attack cost p a , the set of vulnerable facilities is given by { Ē|C e − p a > C ∅ }.Clearly, only vulnerable facilities are likely targets of the attacker.If p a > C (1) − C ∅ , then there are no vulnerable facilities.In contrast, if p a < C (1) −C ∅ , we define the following threshold for the per-facility defense cost: We can check that for any Recall from Lemma 3 that σ * a (e) is upper bounded by the threshold attack probability which implies that even when the attacker targets each vulnerable facility with the threshold attack probability, the total probability of attack is still smaller than 1.Thus, the attacker must necessarily choose not to attack with a positive probability.On the other hand, if p d > pd (p a ), then the no attack action is not chosen by the attacker in equilibrium.
Following the above discussion, we introduce two types of regimes depending on whether or not p d is higher than the threshold pd (p a ).In type I regimes, denoted as {Λ i |i = 0, . . ., K}, the defense cost p d < pd (p a ), whereas in type II regimes, denoted as {Λ j |j = 1, . . ., K}, the defense cost p d > pd (p a ).Hence, we say that p d is "relatively low" (resp."relatively high") in comparison to p a in type I regimes (resp.type II regimes).We formally define these 2K + 1 regimes as follows: (a) Type I regimes Λ i , i = 0, . . ., K: (b) Type II regimes, Λ j , j = 1, . . ., K: We now characterize equilibrium strategy sets Σ * d and Σ * a in the interior of each regime. 1heorem 1.The set of NE in each regime is as follows: (a) Type I regimes Λ i : (b) Type II regimes Λ j : • j = 1: σ * a (e) = 1.(25c) • j = 2, . . ., K: Let us discuss the intuition behind the proof of Theorem 1.
Recall from Proposition 2 and Lemma 3 that the set of attacker's equilibrium strategies Σ * a is the set of feasible mixed strategies that maximizes V (σ a ) in (15), and the attacker never targets at any facility e ∈ E with probability higher than the threshold p d /(C e −C ∅ ).Also recall that the costs {C (k) } K k=1 are ordered according to (8).Thus, in equilibrium, the attacker targets the facilities in Ē(k) with the threshold attack probability starting from k = 1 and proceeding to k = 2, 3, . . .K until either all the vulnerable facilities are targeted with the threshold attack probability (and no attack is chosen with remaining probability), or the total attack probability reaches 1.
Again, from Lemma 3, we know that the defender secures the set of facilities that are targeted with the threshold attack probability with positive effort.The equilibrium level of security effort ensures that the attacker gets an identical utility in choosing any pure strategy in the support of σ * a , and this utility is higher or equal to that of choosing any other pure strategy.
The distinctions between the two regime types are summarized as follows: (1) In type I regimes, the defense cost p d < pd (p a ).The defender secures all vulnerable facilities with a positive level of effort.The attacker targets at each vulnerable facility with the threshold attack probability, and the total probability of attack is less than 1.
(2) In type II regimes, the defense cost p d > pd (p a ).The defender only secures a subset of targeted facilities with positive level of security effort.The attacker chooses the facilities in decreasing order of C e − C ∅ , and targets each of them with the threshold probability until the attack resource is exhausted, i.e. the total probability of attack is 1.

Sequential game Γ
In this section, we characterize the set of SPE in the game Γ for any given attack and defense cost parameters.The sequential game Γ is no longer strategically equivalent to a zero-sum game.Hence, the proof technique we used for equilibrium characterization in game Γ does not work for the game Γ.In Sec.5.1, we analyze the attacker's best response to the defender's security effort vector.We also identify a threshold level of security effort which determines whether or not the defender achieves full attack deterrence in equilibrium.In Sec.5.2, we present the equilibrium regimes which govern the qualitative properties of SPE.

Properties of SPE
By definition of SPE, for any security effort vector ρ ∈ [0, 1] |E| chosen by the defender in the first stage, the attacker's equilibrium strategy in the second stage is a best response to ρ, i.e. σ * a (ρ) satisfies (3b).As we describe next, the properties of SPE crucially depend on a threshold security effort level defined as follows: The following lemma presents the best response correspondence BR(ρ) of the attacker: , where: Otherwise, BR(ρ) = ∆( Ē ), where: In words, if each vulnerable facility e is secured with an effort higher or equal to the threshold effort ρ e in (27), then the attacker's best response is to choose a mixed strategy with support comprised of all vulnerable facilities that are secured with the threshold level of effort (i.e., Ē * as defined in (28)) and the no attack action.Otherwise, the support of attacker's strategy is comprised of all vulnerable facilities (pure actions) that maximize the expected usage cost (see ( 29)).In particular, no attack action is not chosen in attacker's best response.Now recall that any SPE (ρ * , σ * a (ρ * )) must satisfy both (3a) and (3b).Thus, for an equilibrium security effort ρ * , an attacker's best response σ a (ρ * ) ∈ BR(ρ * ) is an equilibrium strategy only if both these constraints are satisfied.The next lemma shows that depending on whether the defender secures each vulnerable facility e with the threshold effort ρ e or not, the total attack probability in equilibrium is either 0 or 1.Thus, the defender being the first mover determines whether the attacker is fully deterred from conducting an attack or not.Additionally, in SPE, the security effort on each vulnerable facility e is no higher than the threshold effort ρ e , and the security effort on any other edge is 0. Lemma 5. Any SPE (ρ * , σ * a (ρ * )) of the game Γ satisfies the following property: The proof of this result is based on the analysis of following three cases: Case 1: There exists at least one facility e ∈ { Ē|C e − p a > C ∅ } such that ρ * e < ρ e .In this case, by applying Lemma 4, we know that σ * a (ρ * ) ∈ BR(ρ * ) = ∆( Ē ), where Ē is defined in (29).Hence, the total attack probability is 1.Case 2: For any e ∈ { Ē|C e − p a > C ∅ }, ρ * e > ρ e .In this case, the set Ē * defined in (28) is empty.Hence, Lemma 4 shows that the total attack probability is 0. Case 3: For any e ∈ { Ē|C e − p a > C ∅ }, ρ * e ≥ ρ e , and the set Ē * in ( 28) is non-empty.Again from Lemma 4, we know that σ * a (ρ * ) ∈ BR(ρ * ) = ∆( Ē * ∪ {∅}).Now assume that the attacker chooses to target at least one facility e ∈ Ē * with a positive probability in equilibrium.Then, the defender can deviate by slightly increasing the security effort on each facility in Ē * .By introducing such a deviation, the defender's security effort satisfies the condition of Case 2, where the total attack probability is 0. Hence, this results in a higher utility for the defender.Therefore, in any SPE (ρ * , σ * a (ρ * )), one cannot have a second stage outcome in which the attacker targets facilities in Ē * .We can thus conclude that the total attack probability must be 0 in this case.
In both Cases 2 and 3, we say that the attacker is fully deterred.
Clearly, these three cases are exhaustive in that they cover all feasible security effort vectors, and hence we can conclude that the total attack probability in equilibrium is either 0 or 1.Additionally, since the attacker is fully deterred when each vulnerable facility is secured with the threshold effort, the defender will not further increase the security effort beyond the threshold effort on any vulnerable facility.That is, only Cases 1 and 3 are possible in equilibrium.

Characterization of SPE
Recall that in Sec. 4, type I and type II regimes for the game Γ can be distinguished based on a threshold defense cost pd (p a ).It turns out that in Γ, there are still 2K + 1 regimes.Again, each regime denotes distinct ranges of cost parameters, and can be categorized either as type I or type II.However, in contrast to Γ, the regime boundaries in this case are more complicated; in particular, they are non-linear in the cost parameters p a and p d .
To introduce the boundary p d (p a ), we need to define the function p ij d (p a ) for each i = 1, . . ., K and j = 1, . . ., i as follows: For any i = 1, . . ., K, and any attack cost ) is defined as follows: , and j = 1, . . ., i − 1, (1) Type I regimes Λ i , i = 0, . . ., K: • If i = 1, . . ., K − 1: • If i = K: (2) Type II regimes Λ j , j = 1, . . ., K: ), and Analogous to the discussion in Section 4.2, we say p d is "relatively low" in type I regimes, and "relatively high" in type II regimes.We now provide full characterization of SPE in each regime.
Theorem 2. The defender's equilibrium security effort vector ρ * = (ρ * e ) e∈E is unique in each regime.Specifically, SPE in each regime is as follows: (1) Type I regimes Λ i : (2) Type II regimes Λ j : ρ * e = 0, In our proof of Theorem 2 (see Appendix C), we take the approach by first constructing a partition of the space (p a , p d ) ∈ R 2 >0 defined in (52), and then characterizing the SPE for cost parameters in each set in the partition (Lemmas 7-8).Theorem 2 follows directly by regrouping/combining the elements of this partition such that each of the new partition has qualitatively identical equilibrium strategies.
From the discussion of Lemma 5, we know that only Cases 1 and 3 are possible in equilibrium, and that in any SPE, the security effort on each vulnerable facility e is no higher than the threshold effort ρ e .It turns out that for any attack cost, depending on whether the defense cost is lower or higher than the threshold cost p d (p a ), the defender either secures each vulnerable facility with the threshold effort given by (31) (type I regime), or there is at least one vulnerable facility that is secured with effort strictly less than the threshold (type II regimes): • In type I regimes, the defense cost p d < p d (p a ).The defender secures each vulnerable facility with the threshold effort ρ e .The attacker is fully deterred.
• In type II regimes, the defense cost p d > p d (p a ).The defender's equilibrium security effort is identical to that in NE of the normal form game Γ.The total attack probability is 1.
6 Comparison of Γ and Γ Sec.6.1 deals with the comparison of players' equilibrium utilities in the two games.In Sec.6.2, we compare the equilibrium regimes and discuss the distinctions in equilibrium properties of the two games.This leads us to an understanding of the effect of timing of play, i.e. we can identify situations in which the defender gains by proactively investing in securing all of the vulnerable facilities at an appropriate level of effort.

Comparison of Equilibrium Utilities
The equilibrium utilities in both games are unique, and can be directly derived using Theorems 1 and 2. We denote the equilibrium utilities of the defender and attacker in regime Λ i (resp.Λ j ) as U Λ i d and U Λ i a (resp.U (b) Type II ( II) regimes Λ j ( Λ j ): • If j = 1: • If j = 2, . . ., K: From our results so far, we can summarize the similarities between the equilibrium outcomes in Γ and Γ.While most of these conclusions are fairly intuitive, the fact that they are common to both game-theoretic models suggests that the timing of defense investments do not play a role as far as these insights are concerned.Firstly, the support of both players equilibrium strategies tends to contain the facilities, whose compromise results in a high usage cost.The defender secures these facilities with a high level of effort in order to reduce the probability with which they are targeted by the attacker.Secondly, the attack and defense costs jointly determine the set of facilities that are targeted or secured in equilibrium.On one hand, the set of vulnerable facilities increases as the cost of attack decreases.On the other hand, when the cost of defense is sufficiently high, the attacker tends to conduct an attack with probability 1.However, as the defense cost decreases, the attacker randomizes the attack on a larger set of facilities.Consequently, the defender secures a larger set of facilities with positive effort, and when the cost of defense is sufficiently small, all vulnerable facilities are secured by the defender.Thirdly, each player's equilibrium payoff is non-decreasing in the opponent's cost, and non-increasing in her own cost.Therefore, to increase her equilibrium payoff, each player is better off as her own cost decreases and the opponent's cost increases.

First Mover Advantage
We now focus on identifying parameter ranges in which the defender has the first mover advantage, i.e., the defender in SPE has a strictly higher payoff than in NE.To identify the first mover advantage, let us recall the expressions of type I regimes for Γ in ( 18)-( 20) and type I regimes for Γ in ( 32)- (34).Also recall that, for any given cost parameters p a and p d , the threshold pd (p a ) (resp.p d (p a )) determines whether the equilibrium outcome is of type I or type II regime (resp.type I or II regime) in the game Γ (resp.Γ).Furthermore, from Lemma 6, we know that the cost threshold pd (p a ) in Γ is smaller than the threshold p d (p a ) in Γ.Thus, for all i = 1, . . ., K, the type I regime Λ i in Γ is a proper subset of the type I regime Λ i in Γ.Consequently, for any (p a , p d ) ∈ R 2 >0 , we can have one of the following three cases: • 0 < p d < pd (p a ): The defense cost is relatively low in both Γ and Γ.We denote the set of (p a , p d ) that satisfy this condition as L (low cost).That is, • pd (p a ) < p d < p d (p a ): The defense cost is relatively high in Γ, but relatively low in Γ.We denote the set of (p a , p d ) that satisfy this condition as M (medium cost).
That is, • p d > p d (p a ): The defense cost is relatively high in both Γ and Γ.We denote the set of (p a , p d ) that satisfy this condition as H (high cost).That is, We next compare the properties of NE and SPE for cost parameters in each set based on Theorems 1 and 2, and Propositions 3.

• Set L:
Attacker : In Γ, the total attack probability is nonzero but smaller than 1, whereas in Γ, the attacker is fully deterred.The attacker's equilibrium utility is identical in both games, i.e., U a = U a .
Defender : The defender chooses identical equilibrium security effort in both games, i.e. ρ * = ρ * , but obtains a higher utility in Γ in comparison to that in Γ, i.e., U d < U d .
• Set M : Attacker : In Γ, the attacker conducts an attack with probability 1, whereas in Γ the attacker is fully deterred.The attacker's equilibrium utility is lower in Γ in comparison to that in Γ, i.e., U a > U a .
Defender : The defender secures each vulnerable facility with a strictly higher level of effort in Γ than in Γ, i.e. ρ * e > ρ * e for each vulnerable facility e ∈ {E|C e − p a > C ∅ }.The defender's equilibrium utility is higher in Γ in comparison to that in Γ, i.e., U d < U d .
• Set H: Attacker : In both games, the attacker conducts an attack with probability 1, and obtains identical utilities, i.e.U a = U a .
Importantly, the key difference between NE and SPE comes from the fact that in Γ, the defender as the leading player is able to influence the attacker's strategy in her favor.Hence, when the defense cost is relatively medium or low (both sets M and L), the defender can proactively secure all vulnerable facilities with the threshold effort to fully deter the attack, which results in a higher defender utility in Γ than in Γ.Thus, we say the defender has the first-mover advantage when the cost parameters lie in the set M or L. However, the reason behind the first-mover advantage differs in each set: • In set M , the defender needs to proactively secure all vulnerable facilities with strictly higher effort in Γ than that in Γ to fully deter the attacker.
• In set L, the defender secures facilities in Γ with the same level of effort as that in Γ, and the attacker is still deterred with probability 1.
On the other hand, in set H, the defense cost is so high that the defender is not able to secure all targeted facilities with an adequately high level of security effort.Thus, the attacker conducts an attack with probability 1 in both games, and the defender no longer has first-mover advantage.Finally, for the sake of illustration, we compute the parameter sets L, M , and H for transportation network with three facilities (edges); see Fig. 1.If an edge e ∈ E is not damaged, then the cost function is e (w e ), which increases in the edge load w e .If edge e is successfully compromised by the attacker, then the cost function changes to ⊗ e (w e ), which is higher than e (w e ) for any edge load w e > 0. The network faces a set of non-atomic

Model Extensions and Dynamic Aspects
In this section, we first discuss how relaxing our modeling assumptions influence our main results.Next we introduce a dynamic setup in which the users of the infrastructure system face uncertainty about the outcome of attacker-defender interaction (i.e., identity of the compromised facility), and follow a repeated learning procedure to make their usage decisions.

Relaxing Model Assumptions
Our discussion centers around extending our results when the following modeling aspects are included: facility-dependent cost parameters, less than perfect defense, and attacker's ability to target multiple facilities.
Our techniques for equilibrium characterization of games Γ and Γ -as presented in Sections 4 and 5 respectively -can be generalized to the case when attack/defense costs are non-homogeneous across facilities.We denote the attack (resp.defense) cost for facility e ∈ E as p a,e (resp.p d,e ).However, an explicit characterization of equilibrium regimes in each game can be quite complicated due to the multidimensional nature of cost parameters.
In normal form game Γ, it is easy to show that the attacker's best response correspondence in Lemma 3 holds except that the threshold attack probability for any facility e ∈ Ē now becomes p d,e /(C e − C ∅ ).The set of vulnerable facilities is given by {E|C e − p a,e > C ∅ }.The attacker's equilibrium strategy is to order the facilities in decreasing order of C e − p a,e , and target the facilities in this order each with the threshold probability until either all vulnerable facilities are targeted or the total probability of attack reaches 1.As in Theorem 1, the former case happens when the cost parameters lie in a type I regime, and the latter case happens for type II regimes, although the regime boundaries are more complicated to describe.In equilibrium, the defender chooses the security effort vector to ensure that the attacker is indifferent among choosing any of the pure actions that are in the support of equilibrium attack strategy.
In the sequential game Γ, Lemmas 4 and 5 can be extended in a straightforward manner except that the threshold security effort for any vulnerable facility e ∈ {E|C e − C ∅ > p a,e } is given by ρ e = (C e − p a,e − C ∅ )/(C e − C ∅ ).The SPE for this general case can be obtained analogously to Theorem 2, i.e. comparing the defender's utility of either securing all vulnerable facilities with the threshold effort to fully deter the attack, or choosing a strategy that is identical to that in Γ.These cases happen when the cost parameters lie in (suitably defined) Type I and Type II regimes, respectively.The main conclusion of our analysis also holds: the defender obtains a higher utility by proactively defending all vulnerable facilities when the facility-dependent cost parameters lie in type I regimes.
(2) Less than perfect defense in addition to facility-dependent cost parameters.
Now consider that the defense on each facility is only successful with probability γ ∈ (0, 1), which is an exogenous technological parameter.For any security effort vector ρ, the actual probability that a facility e is not compromised when targeted by the attacker is γρ e .Again our results on NE and SPE in Sec. 4 -Sec.5 can be readily extended to this case.However, the expressions for thresholds for attack probability and security effort level need to be modified.In particular, for Γ, in Lemma 3, the threshold attack probability on any facility e ∈ Ē is p d,e /γ(C e − C ∅ ).For Γ, the threshold security effort ρ e for any vulnerable facility e ∈ {E|C e − C ∅ > p d,e } is (C e − p a,e − C ∅ )/γ(C e − C ∅ ).If this threshold is higher than 1 for a particular facility, then the defender is not able to deter the attack from targeting it.
If the attacker is not constrained to targeting a single facility, his pure strategy set would be S a = 2 E .Then for a pure strategy profile (s d , s a ), the set of compromised facilities is given by s a \ s d , and the usage cost C sa\s d .Unfortunately, our approach cannot be straightforwardly applied to this case.This is because the mixed strategies cannot be equivalently represented as probability vectors with elements representing the probability of each facility being targeted or secured.In fact, for a given attacker's strategy, one can find two feasible defender's mixed strategies that induce an identical security effort vector, but result in different players utilities.Hence, the problem of characterizing defender's equilibrium strategies cannot be reduced to characterizing the equilibrium security effort on each facility.Instead, one would need to account for the attack/defense probabilities on all the subsets of facilities in E. This problem is beyond the scope of our paper, although a related work [22] has made some progress in this regard.
Finally, we briefly comment on the model where all the three aspects are included.So long as players' strategy sets are comprised of mixed strategies, the defender's equilibrium utility in Γ must be higher or equal to that in Γ.This is because in Γ, the defender can always choose the same strategy as that in NE to achieve a utility that is no less than that in Γ.Moreover, one can show the existence of cost parameters such that the defender has strictly higher equilibrium utility in SPE than in NE.In particular, consider that the attacker's cost parameters (p a,e ) e∈E in this game are such that there is only one vulnerable facility ē ∈ E such that C ē − C ∅ > p a,ē , and the threshold effort on that facility In this case, if the defense cost p d,ē is sufficiently low, then by proactively securing the facility ē with the threshold effort ρ ē, the defender can deter the attack completely and obtain a strictly higher utility in Γ than that in Γ.Thus, for such cost parameters, the defender gets the first mover advantage in equilibrium.

Rational Learning Dynamics
We now discuss an approach for analyzing the dynamics of usage cost after a security attack.Recall that the attacker-defender model enables us to evaluate the vulnerability of individual facilities to a strategic attack for the purpose of prioritizing defense investments.One can view this model as a way to determine the set of possible post-attack states, denoted s ∈ S ∆ = E ∪ {∅}.In particular, we consider situations in which the distribution of the system state, denoted θ ∈ ∆(S), is determined by an equilibrium of attacker-defender game (Γ or Γ).In Γ, for each s ∈ S, the probability θ(s) is given as follows: For Γ the probability distribution θ can be analogously defined in terms of σ * a and ρ * .Let the realized state be s = e, i.e., the facility e ∈ E is compromised by the attacker.If this information is known perfectly to all the users immediately after the attack, they can shift their usage choices in accordance to the new state.Then the cost resulting from the users' choices indeed corresponds to the usage cost C s = C e , which governs the realized payoffs of both attacker and defender.However, from our results (Theorems 1 and 2), it is apparent that the support of equilibrium player strategies (and hence the support of θ) can be quite large.Due to inherent limitations in perfectly diagnosing the location of attack, in some situations, the users may not have full knowledge of the realized state.Then, the issues of how users with imperfect information make their decisions in a repeated learning setup, and whether or not the long-run usage cost converges to the actual cost C e become relevant.
To contextualize the above issues, consider the situation in which a transportation system is targeted by an external hacker, and that the operation of a single facility is compromised.Furthermore, the nature of attack is such that travelers are not able to immediately know the identity of this facility.This situation can arise when the diagnosis of attack and/or dissemination of information about the attack is imperfect.Examples include cyber-security attacks to transportation facilities that can result in hard-to-detect effects such as compromised traffic signals of a major intersection, or tampering of controllers governing the access to a busy freeway corridor.Then, one can study the problem of learning by rational but imperfectly informed travelers using a repeated routing game model.We now discuss the basic ideas behind the study of this problem.A more rigorous treatment is part of our ongoing work, and will be detailed in a subsequent paper.
Let the stages of our repeated routing game be denoted as t ∈ T = {1, 2, . . .}.In this game, travelers are imperfectly informed about the network state.In particular, in each stage t ∈ T , they maintain a belief about the state θ t .The initial belief θ 0 can be different from the prior state distribution θ.However, we require that θ 0 is absolutely continuous with respect to θ ( [32]): That is, the initial belief of travelers does not rule out any possible state.
The solution concept we use for this repeated game is Markov-perfect Equilibrium (see [38]), in which travelers use routes with the smallest expected cost based on the belief in each stage.Equivalently, the equilibrium routing strategy in stage t is a Wardrop equilibrium of the stage game with belief θ t ( [21]).We also consider that at the end of each stage, travelers receive noisy information of the realized costs on routes that are taken.However, no information is available for routes that are not chosen by any traveler.Based on the received information, travelers update their belief of the state using Bayes' rule.
We note that numerous learning schemes have been studied in the literature; for e.g.fictitious play ( [15], [29], and [31]); reinforcement learning ( [10], [19] and [20]), and regret minimizations ( [14] and [37]).These learning schemes typically assume that strategies in each stage are determined by a certain function of the history payoff or actions.To explain the learning dynamics in our set-up we consider that in each stage travelers are rational, and they aim to maximize the payoff myopically based on their current belief about other travelers' strategies.The players update their beliefs based on observed actions on the play-path.This so-called rational learning dynamics has been investigated by [9], [27], [32], and [33].Our model is different from the ones in literature in that travelers are uncertain about the payoff functions, but correctly anticipate the opponents' strategies.Additionally, the information of the payoff in each stage is noisy and limited (only the realized costs on the taken routes are known).
The game can be understood easily via an example of a transportation network in Fig. 1.In each stage t, travelers with inelastic demand D choose route r 1 (e 2 − e 1 ) or route r 2 (e 3 − e 1 ).We denote the equilibrium routing strategy in stage t as q t * (θ t ) = (q t * r (θ t )) r∈{r 1 ,r 2 } , where q t * r (θ t ) is the demand of travelers using route r given the belief θ t .Hence, aggregate flow on edge e 2 (resp.e 3 ) is w t * 2 (θ t ) = q t * 1 (θ t ) (resp.w t * 3 (θ t ) = q t * 2 (θ t )), and the aggregate flow on edge e 1 is w t * 1 (θ t ) = D.Each stage game is a congestion game, and hence admits a potential function.The equilibrium routing strategy q t * (θ t ) can be computed efficiently for this game.Moreover, in each stage, the equilibrium is essentially unique in that the equilibrium edge load is unique for a given belief ( [45]).
The realized cost on each edge e ∈ E, denoted c s e (w t * e (θ t )), equals to the cost (shown in Fig. 1 for the example network) plus a random variable e : We illustrate two cases that can arise in rational learning: • Long-run usage cost equals to C s for any s ∈ {e 1 , e 2 , e 3 , ∅}.
Consider the case where the initial belief is θ(e 1 ) = 1/12, θ(e 2 ) = 1/3, θ(e 3 ) = 1/12, θ(∅) = 1/2 (The initial belief can be any probability vector which satisfies the continuity assumption).For any e ∈ E, the random variable e in ( 44) is distributed as U [−3, 3].The total demand D = 10.Fig. 3a-3d show how the belief of each state evolves.We see that eventually travelers learn the true state, and hence the long-run usage cost converges to the actual post-attack usage cost C s , even though initially all travelers are imperfectly informed about the state.
• Long-run usage cost is higher than C s .
Consider the case when, as a result of attack on edge e 2 , the cost function on e 2 changes to ⊗ 2 (w 2 ) = 7/3w 2 + 50.The total demand is D = 5, and the initial belief is θ(e 1 ) = 1/12, θ(e 2 ) = 1/3, θ(e 3 ) = 1/12, θ(∅) = 1/2.Starting from this initial belief, travelers exclusively take route r 2 , and hence they do not obtain any information about e 2 .Even when the realized state is s = ∅, travelers end up repeatedly taking r 2 as if e 2 is compromised.Thus, the long-run average cost is C e 2 , which is higher than the cost corresponding to the true state C ∅ .Therefore, rational learning dynamics can lead to long-run inefficiency.We illustrate the equilibrium routing strategies and beliefs in each stage in Fig. 4a and Fig. 4b      These cases illustrate that if the post-attack state is not perfectly known by the users of the system, then the cost experienced by the users depend on the learning dynamics induced by the repeated play of rational users.Particularly, the learning dynamics can induce a higher usage cost in the long-run in comparison to the cost corresponding to the true state.Following previously known results [28], one can argue that if sufficient amount of "off-equilibrium" experiments are conducted by travelers, then the learning will converge to Wardrop equilibrium with the true state.However, such experiments are in general not costless.As a final remark, we note another implication of proactive defense strategy in ranges of attack/ defense cost parameters where the first-mover advantage holds.In particular, when the cost parameters are in the sets L and M as given in ( 41)-( 42), the attack is completely deterred in the sequential game Γ and there is no uncertainty in the realized state.In such a situation, one does not need to consider uncertainty in the travelers' belief about the true state and issue of long-run inefficiency due to learning behavior does not arise.
Proof of Proposition 1.We prove the result by the principal of iterated dominance.We first show that any s d such that s d Ē is strictly dominated by the strategy s d = s d ∩ Ē.Consider any pure strategy of the attacker, s a ∈ E, the utilities of the defender with strategy s d and s d are as follows:  4), we know that ρ * e = 0 for any e ∈ E \ Ē.We denote the set of defender's pure strategies that are not strictly dominated as Sd = {s d |s d ⊆ Ē}.Consider any s d ∈ Sd , we show that any s a ∈ E \ Ē is strictly dominated by strategy ∅.The utility functions of the attacker with strategy s a and ∅ are as follows: . Hence, any s a ∈ E \ Ē is strictly dominated.Hence, in equilibrium, the probability of the attacker choosing facility e ∈ E \ Ē is 0 in Γ.

B Proofs of Section 4
Proof of Lemma 2. The utility functions of the attacker with strategy σ a in Γ 0 and Γ are related as follows: Thus, for a given σ d , any σ a that maximizes U 0 a (σ d , σ a ) also maximizes U a (σ d , σ a ).So the set of best response strategies of the attacker in Γ 0 is identical to that in Γ. Analogously, given any σ a , the set of best response strategies of the defender in Γ is identical to that in Γ 0 .Thus, Γ 0 and Γ are strategically equivalent, i.e. they have the same set of equilibrium strategy profiles.Using the interchangeability property of equilibria in zero-sum games, we directly obtain that for any Proof of Proposition 2. From Lemma 2, the set of attacker's equilibrium strategies Σ * a is the optimal solution of the following maximin problem: Given any s d ∈ S d , we can express the objective fucntion in (45) as follows: e∈ Therefore, we can write: min Thus (45) is equivalent to (10), and Σ * a is the optimal solution set of (10) By introducing an | Ē|-dimensional variable v = (v e ) e∈ Ē , (10) can be changed to a linear optimization program (11), and Σ * a is the optimal solution set of (11).Proof of Lemma 3. We first argue that the defender's best response is in (13).For edge e ∈ E such that σ a (e) < Ce−C ∅ , any ρ e ∈ [0, 1] can be a best response.We next prove (14).We show that if a feasible σ a violates (14a), i.e., there exists a facility, denoted ē ∈ Ē such that σ a (ē) > p d Cē−C ∅ , then σ a cannot be an equilibrium strategy.There are two cases: (a) There exists another facility e ∈ Ē such that σ a ( e) < p d C e −C ∅ .Consider an attacker's strategy σ a defined as follows: where is a sufficiently small positive number so that σ a (ē) > p d Cē−C ∅ and σ a ( e) < p d C e −C ∅ .We obtain: The last inequality holds from (7a) and e ∈ Ē.Therefore, σ a cannot be an attacker's equilibrium strategy.
(b) If there does not exist such ē as defined in case (a), then for any e ∈ Ē, we have σ a (e) ≥ p d Ce−C ∅ .Now consider σ a as follows: where is a sufficiently small positive number so that σ a (ē) > p d Cē−C ∅ .We obtain: Therefore, σ a also cannot be an attacker's equilibrium strategy.
Thus, we can conclude from cases (a) and (b) that in equilibrium σ * a must satisfy (14a).Additionally, from Proposition 1, (14b) is also satisfied.
We next prove the defender's equilibrium security effort.By definition of Nash equilibrium, the probability vector ρ * is induced by an equilibrium strategy if and only if it satisfies the following two conditions: (1) ρ * is a best response to any σ * a ∈ Σ * a .
(2) Any attacker's equilibrium strategy is a best response to ρ * , i.e. the attacker has identical utilities for choosing any pure strategy in his equilibrium support set, and the utility is no less than that of any other pure strategies.
Note that in both conditions, we require ρ * to be a best response to any attacker's equilibrium strategy.This is because given any σ * a ∈ Σ * a , (ρ * , σ * a ) is an equilibrium strategy profile (Lemma 2).We now check these conditions in each regime: (a) Type I regimes Λ i : Since σ * a (e) = 0 for any e ∈ E. From Lemma 3, the best response of the defender is ρ * e = 0 for any e ∈ E. • If i = 1, . . ., K: From Lemma 3, we know that ρ * e = 0 for any e ∈ E \ ∪ i k=1 Ē(k) .Since σ * a (∅) > 0, ρ * e must ensure that the attacker's utility of choosing any facility e ∈ ∪ i k=1 Ē(k) is identical to that of choosing no attack ∅.Consider any e ∈ ∪ i k=1 Ē(k) : For any ē ∈ E \ ∪ i k=1 Ē(k) , since ρ * ē = 0, the attacker receives utility C ē − p a by targeting ē, which is lower than C ∅ .Therefore, ρ * in (24a)-(24b) satisfies both conditions (1) and ( 2).ρ * is the unique equilibrium strategy.
Since p d satisfies (21), we know that 1 E (1) < p d C (1) −C ∅ .One can check that σ a satisfies (25b)-(25c), and thus σ a ∈ Σ * a .Therefore, we know from Lemma 3 that ρ * e = 0 for any e ∈ E. • If j = 1, . . ., K: Analogous to our discussion for j = 0, the following is an equilibrium strategy of the attacker: From Lemma 3, we immediately obtain that ρ * e = 0 for any e ∈ E \ ∪ j−1 k=1 Ē(k) .Furthermore, for any e ∈ ∪ j−1 k=1 Ē(k) , the utility of the attacker in choosing e must be the same as the utility for choosing any facility in Ē(j) , which is C (j) − p a .Therefore, for any e ∈ ∪ j−1 k=1 Ē(k) , ρ * satisfies: Additionally, for any e ∈ E \ ∪ j k=1 Ē(k) , the utility for the attacker targeting e is C e − p a , which is smaller than C (j) − p a .Thus, both condition (1) and ( 2) are satisfied.ρ * is the unique equilibrium security effort.

C Proofs of Section 5
Proof of Lemma 4. For any non-vulnerable facility e, the best response strategy σ a must be such that σ a (e, ρ) = 0 for any ρ.Now consider any e ∈ {E|C e − p a > C ∅ }.If ρe > ρ e , then we can write: That is, the attacker's expected utility of targeting the facility e is less than the expected utility of no attack.Thus, in any attacker's best response, σ a (e, ρ) = 0 for any such facility e.Additionally, if ρe = ρ e , then U a (e, ρ) = U a (∅, ρ), i.e. the utility of targeting such facility is identical with the utility of choosing no attack, and is higher than that of any other pure strategies.Hence, the set of best response strategies of the attacker is ∆( Ē * ∪ {∅}), where Ē * is the set defined in (28).Otherwise, if there exists a facility e ∈ {E|C e − p a > C ∅ } such that ρe < ρ e , then we obtain: Thus, no attack cannot be chosen in any best response strategy, which implies that the attacker chooses to attack with probability 1.Finally, Ē is the set of facilities which incur the highest expected utility for the attacker given ρ, thus BR(ρ) = ∆( Ē ).
Proof of Lemma 5. We first prove that the total attack probability is either 0 or 1 in any SPE.We discuss the following three cases separately: • There exists at least one single facility e ∈ { Ē|C e − p a > C ∅ } such that ρ * e < ρ e .Since σ * a (ρ * ) ∈ BR(ρ * ), from Lemma 4, we know that e∈ Ē σ * a (e, ρ * ) = 1.
We next show that in any SPE, the defender's security effort on each vulnerable facility e is no higher than the threshold ρ e defined in (27).Assume for the sake of contradiction that there exists a facility ē ∈ { Ē|C e − p a > C ∅ } such that ρē > ρ ē.We discuss the following two cases separately: • The set e ∈ { Ē|C e − p a > C ∅ , ρe < ρ e } is non-empty.We know from Lemma 4 that BR(ρ) = ∆( Ē ), where the set Ē in ( 29) is the set of facilities which incur the highest utility for the attacker.Clearly, Ē ⊆ { Ē|C e − p a > C ∅ , ρe < ρ e }, and hence ē / ∈ Ē .
We consider ρ such that ρ ē = ρē − , where is a sufficiently small positive number, and ρ e = ρe for any other facilities.Then ρ ē > ρ ē still holds, and the set Ē does not change.The attacker's best response strategy remains to be BR(ρ ) = ∆( Ē ).Hence, the utility of the defender given ρ increases by p d compared to that given ρ, because the expected usage cost E σ [C] does not change, but the expected defense cost decreases by p d .Thus, such ρ cannot be the defender's equilibrium effort.
• For all e ∈ { Ē|C e − p a > C ∅ }, ρe ≥ ρ e .We have already argued that σ * a (∅, ρ) = 1 in this case.Since the defense cost p d > 0, if there exists any e such that ρe > ρ e , then by decreasing the security effort on e, the utility of the defender increases.Therefore, such ρ cannot be an equilibrium strategy of the defender.
From both cases, we can conclude that for any e ∈ { Ē|C e − p a > C ∅ }, ρ * e ≤ ρ e Finally, any non-vulnerable facilities e ∈ E \ {E|C e − p a > C ∅ } will not be targeted, hence we must have ρ * e = 0. Proof of Lemma 6.We first show that the threshold p d (p a ) as given in ( 31) is a welldefined function of p a .Given any 0 ≤ p a < C (1) − C ∅ , there is a unique i ∈ {1, . . ., K} such that C (i+1) − C ∅ ≤ p a < C (i) − C ∅ .Now, we need to show that there is a unique j ∈ {1, . . ., i} such that Thus, ĵ ∈ {1, . . ., i − 1}, and from (31), . Since is a sufficiently small positive number, we have: . Hence, from (31), when Thus, p d (p a ) is continuous at C (i) − C ∅ for any i = 2, . . ., K.
For any i = 1, . . ., K, we next show that p d (p a ) is continuous at Hence, we can conclude that p d (p a ) is continuous and strictly increasing in p a .
Additionally, for any i = 1, . . ., K, consider any p a such that C , then for any j = 1, . . ., i, we have: Therefore, for any 0 < p a < C (1) − C ∅ , we have: Finally, if p a = 0, then we know that p d (0) = p KK d (0).From (30), we can check that = lim We define the partition as: where {Λ i } K i=0 are type I regimes in the normal form game defined in ( 18)-( 20), and Λ i j is the set of (p d , p a ), which satisfy: We can check that sets in P are disjoint, and cover the whole space of (p d , p a ).Lemma 7 characterizes SPE in sets {Λ i } K i=0 , and Lemma 8 characterizes SPE in sets Λ i j i=K,j=i i=1,j=1 .
Proof of Lemma 7.
Therefore, such ρ cannot be an equilibrium strategy profile.We thus know that ρ * is as given in (38).The attacker's equilibrium strategy can be derived from Lemmas 4 and 5 directly.
Lemma 8.For (p a , p d ) in Λ i j , where i = 1, . . ., K, and j = 1, . . ., i, there are two cases of SPE: , where p ij d is as given in (30): -If j = 1, then SPE is as given in (39).
• If p d < p ij d , then the SPE is as given in (38).Proof of Lemma 8. Consider cost parameters in the set Λ i j defined in (52), where i = 1, . . ., K and j = 1, . . ., i.The set of vulnerable facilities is ∪ i k=1 Ē(k) .From Lemma 5, we know that the defender can either secure all vulnerable facilities e ∈ ∪ i k=1 Ē(k) with the threshold effort ρ e defined in (27), or leave at least one vulnerable facility secured less than the threshold effort.We discuss the two cases separately: (1) If any e ∈ ∪ i k=1 Ē(k) is secured with the threshold effort ρ e , then from Lemma 5, we know that the total probability of attack is 0. The defender's utility can be written as: (2) If the set {E|C e − p a > C ∅ , ρe < ρ e } is non-empty, then we define P as the set of feasible ρ in this case.We denote ρ † as the secure effort vector that incurs the highest utility for the defender among all ρ ∈ P .Then, ρ † can be written as: > p d .
Hence, from Lemma 8, we know that for any i k=1 , SPE is as given in (38).For any Again from Lemma 8, SPE is in (38).Therefore, we can conclude that in regime Λ i , SPE is in (38).We next show that for any j = 1, . . ., K, and any i = j, . . ., K, the set Λ

) Lemma 6 .
Given any attack cost 0 ≤ p a < C (1) − C ∅ , the threshold p d (p a ) is a strictly increasing and continuous function of p a .Furthermore, for any 0 < p a < C (1) − C ∅ , p d (p a ) > pd (p a ).If p a = 0, p d (0) = pd (0).If p a → C (1) − C ∅ , p d (p a ) → +∞.Since p d (p a ) is a strictly increasing and continuous function function of p a , the inverse function p −1 d (p d ) is well-defined.Now we are ready to formally define the regimes for the game Γ:

aProposition 3 .
) in Γ, and U Λ i d and U Λ i a (resp.U Λ j d and U Λ j a ) in regime Λ i (resp.Λ j ) in Γ.In both Γ and Γ, the equilibrium utilities are unique in each regime.Specifically, (a) Type I ( I) regimes Λ i ( Λ i ):

Figure 2 :
Figure 2: (a) Regimes of NE in Γ, (b) Regimes of SPE in Γ, (c) Comparison of NE and SPE.

Figure 3 :
Figure 3: Rational learning leads to the usage cost of the true state.
s a ), and thus U d (s d , s a ) < U d (s d , s a ).If s a = e ∈ s d \ Ē, then e / ∈ Ē, and C e ≤ C ∅ .We have C(s d , s a ) = C ∅ ≥ C e = C(s d , s a ), and thus U d (s d , s a ) ≥ −C(s d , s a ) − |s d |p d > U d (s d , s a ).Therefore, any s d such that s d Ē is a strictly dominated strategy.Hence, in Γ, any equilibrium strategy of the defender satisfies σ * d (s d ) = 0. From ( max σa min s d ∈S d e∈ Ē (C(s d , e) + |s d |p d − p a ) • σ a (e) + (C(s d , ∅) + |s d |p d ) • σ a (∅) s.t.e∈ Ē σ a (e) + σ a (∅) = 1, (45a)

C
the value p d (p a ) is defined as p ij d (p a ) for a unique j ∈ {1, . . ., i}.Therefore, we can conclude that for any 0 ≤ p a < C (1) − C ∅ , p d (p a ) is a well-defined function.We next show that p d (p a ) is continuous and strictly increasing in p a .Since for any i = 1, . . ., K, and any j = 1, . . ., i, the function p ij d (p a ) is continuous and strictly increasing in p a , p d (p a ) must be piecewise continuous and strictly increasing in p a .It remains to be shown that p d (p a ) is continuous at p a ∈ C (i) − C ∅ (k) −C ∅ j=1,...,i,i=1,...K .We now show that for any i = 2, . . ., K, p d (p a ) is continuous at C (i) − C ∅ .Consider p a = C (i) − C ∅ − where is a sufficiently small positive number.There is a unique ĵ ∈ {1, . . ., i} such that p d (p a ) = p i ĵ d (p a ).We want to argue that ĵ = i: p a approaches C (1) − C ∅ , then p d (p a ) = p 11 d (p a ), and we have: lim pa→C (1) −C ∅ p d (p a ) (30) e∈∪ i k=1 Ē(k) {ρ e C ∅ + (1 − ρe )C e } = ρe C ∅ + (1 − ρe )C e , ∀e ∈ Ē .The utility of the defender can be written as:U d (ρ, σ * a (ρ)) = −λ − e∈E ρe • p d .We now consider ρ as follows:ρ e = ρe + C e − C ∅ , ∀e ∈ Ē , ρ e = ρe , ∀e ∈ E \ Ē ,

1 <
p d < p d (p a ), the cost parameters (p a , p d ) are in the set Λ ĵ i , and p d < p d (p a ) = p i ĵ d (p a ).

C- 1 . 1 ≥ 1 .
i j ∩ {(p a , p d ) |p d > p d (p a )} ⊆ Λ i j ∩ {(p a , p d ) |p d > p ij d (p a )}.Consider any cost parameters (p a , p d ) in the set Λ i j ∩ {(p a , p d ) |p d > p d (p a )}, from (31), we can find ĵ such thati k= ĵ+1 E (k) (k) −C ∅ , and p d (p a ) = p i ĵ d (p a ).We discuss the following three cases separately: If ĵ > j, then we must have p a < From the definition of the set Λ i j in (52), we know that p d > p ij d (p a ) in this set, and thus (p a , p d ) ∈ Λ i j ∩ {(p a , p d ) |p d > p ij d (p a )}.-If ĵ = j, then we directly obtain that (p a , p d ) ∈ Λ i j ∩ {(p a , p d ) |p d > p ij d (p a )}.-If ĵ < j, then since p a ≥ i k= ĵ+1 E (k) i k=1 E (k) C (k) −C ∅ , from (30), we have p d (p a ) = p i ĵ d (p a ) ≥ ĵ k=1 E (k) C (k) −C ∅ −From the definition of the set Λ i j in (52), the set Λ i j ∩ {(p a , p d ) |p d > p d (p a )} is empty, and thus can be omitted.We can conclude from all three cases that Λi j ∩ {(p a , p d ) |p d > p d (p a )} ⊆ Λ i j ∩ {(p a , p d ) |p d > p ijd (p a )}.Therefore, from Lemma 8, SPE is in (40) (or (39) if j = 1) in the regime Λ j .
other words, ρ e (σ d ) is the level of security effort exerted by the defender on facility e under the security plan σ d .Since σ d (s d ) ≥ 0 for any s d ∈ S d , we obtain that 0 ≤ ρ e (σ d ) = s d e σ d (s d ) ≤ s d ∈S d σ d (s d ) = 1.Hence, any σ d induces a valid probability vector ρ ∈ [0, 1] |E| .In fact, any vector ρ ∈ [0, 1] |E| can be induced by at least one feasible σ d .The following lemma provides a way to explicitly construct one such feasible strategy. respectively.