A Tale of Two Mechanisms: Incentivizing Investments in Security Games
Abstract
In a system of interdependent users, the security of an entity is affected not only by that user’s investment in security measures, but also by the positive externality of the security decisions of (some of) the other users. The provision of security in such system is therefore modeled as a public good provision problem, and is referred to as a security game. In this paper, we compare two wellknown incentive mechanisms in this context for incentivizing optimal security investments among users, namely the Pivotal and the Externality mechanisms. The taxes in a Pivotal mechanism are designed to ensure users’ voluntary participation, while those in an Externality mechanism are devised to maintain a balanced budget. We first show the more general result that, due to the nonexcludable nature of security, no mechanism can incentivize the socially optimal investment profile, while at the same time ensuring voluntary participation and maintaining a balanced budget for all instances of security games. To further illustrate, we apply the Pivotal and Externality mechanisms to the special case of weighted total effort interdependence models, and identify some of the effects of varying interdependency between users on the budget deficit in the Pivotal mechanism, as well as on the participation incentives in the Externality mechanism.
keywords:
Interdependent security games, Budget balance, Voluntary participation, Mechanism design[myfootnote]{naghizad, mingyan}@umich.edu
1 Introduction
The improved infrastructure and an increase in the adoption of cybertechnology have led to increased connection and ease of interaction for users across the globe. However, at the same time, these developments have increased users’ exposure to risk. The importance of investing in security measures in this developing landscape is twofold: while such expenditure helps entities protect their assets against security threats, by association it also benefits other interacting users, as an investing entity is less likely to be infected and used as a source of future attacks. In other words, a users’ expenditure in security in an interconnected system provides positive externalities to other users. Consequently, the provision of security is often studied as a problem of public good provision. In particular, when users are rational, the strategic decision making process leading to security investment decisions is studied as an (interdependent) security game (1).
It is wellknown that in an unregulated environment, the provision of public goods is in general inefficient (2). To eliminate this inefficiency, the literature has proposed regulating mechanisms for implementing the socially optimal levels of security in these games, see e.g. (1); (3); (4); (5). Specifically, examples of existing mechanisms in the literature include introducing subsidies and fines based on security investments (6); (3), assessing rebates and penalties based on security outcomes (3), imposing a level of due care and establishing liability rules (6); (7), etc.
Our focus in the current paper is on mechanisms that use monetary payments/rewards to incentivize improved security behavior. Within this context, we will examine two incentive mechanisms, namely the Pivotal (8) and Externality (9) mechanisms, both of which induce socially optimal user behavior by levying a monetary tax on each user participating in the proposed mechanism.
Aside from inducing optimal behavior, incentive mechanisms are often designed so as to maintain a (weakly) balanced budget (BB) and ensure voluntary participation (VP) by all users. The budget balance requirement states that the designer of the mechanism prefers to redistribute users’ payments as rewards, and ideally to either retain a surplus as profit or at least to not sustain losses. Otherwise, the designer would need to spend external resources to achieve social optimality.
The voluntary participation constraint on the other hand ensures that all users voluntarily take part in the proposed mechanism and the induced game, and prefer its outcome to that attained if they unilaterally decide to opt out of the mechanism. A user’s decision when contemplating participation in an incentive mechanism is dependent not only on the structure of the game induced by the mechanism, but also on the options available when staying out. The latter is what sets the study of incentive mechanisms for security games apart from other public good problems where similar Pivotal and Externality mechanisms have been applied, e.g., (10); (11).
To elaborate on this underlying difference, we note that security is a nonexcludable public good. That is, although the mechanism optimizes the investments in a way that participating users are exposed to lower risks, those who stay out of the mechanism can benefit from the externalities of such improved state of security as well. The availability of these spillovers in turn limits users’ willingness to pay for the good or their interest in improving their actions. In contrast, with excludable public goods, e.g. transmission power allocated in a communication system (11), users’ willingness to participate is determined by the change in their utilities when contributing and receiving the good, as compared to receiving no allocation at all. This means that the designer has the ability to collect more taxes and require a higher level of contribution when providing an excludable good. As a result, taxbased mechanisms, such as the Externality mechanism (e.g. (11)) and the Pivotal mechanism (e.g. (10)), can be designed so as to incentivize the socially optimal provision of an excludable good, guarantee voluntary participation, and maintain (weak) budget balance.
However, in this paper we show that given the nonexcludable nature of security, there is no reliable taxbased mechanism that can achieve social optimality, voluntary participation, and (weak) budget balance simultaneously in all instances of security games. We show this result through two sets of counterexamples: we first limit the network structure to a star topology, and then consider the commonly studied weakest link model for users’ risk functions. We then further elaborate on this particular nature of security games by examining the Pivotal and Externality mechanisms in the special case of a weighted total effort interdependence model. This interdependence model is of particular interest as it can capture varying degrees and possible asymmetries in the influence of users’ security decisions on one another. Specifically, we evaluate the effects of: (i) increasing users’ selfdependence (equivalently, decreasing their interdependence), (ii) having two diverse classes of selfdependent and reliant users, and (iii) presence of a single dominant user, on the performance of the Pivotal and Externality mechanisms. We show that when possible, the selection of equilibria that are less beneficial to the outliers helps the performance of both mechanisms, so that they can achieve optimality, budget balance, and voluntary participation simultaneously. In addition, we see that these incentive mechanisms become of interest when they can facilitate a taxtransfer scheme, such that users who are highly dependent on externalities pay to incentivize improved investments by others who are key to improving the state of security.
The main findings of this work can therefore be summarized as follows. First, we show that there is no taxbased incentive mechanism that can simultaneously guarantee social optimality, voluntary participation, and weak budget balance in all instances of security games. This result is applicable to other problems concerning the provision of nonexcludable public goods over social and economic networks as well (see Section 5). Second, we provide further insight on this impossibility by evaluating two incentive mechanisms, namely the Pivotal and Externality mechanisms, in weighted total effort games. We identify some of the parameters affecting the performance of these mechanisms, and instances in which the implementation of each mechanism is of interest.
The rest of this paper is organized as follows. We present the model for security games, as well as the Pivotal and Externality mechanisms, in Section 2, followed by the general impossibility result in Section 3. Section 4 illustrates this result by applying the Pivotal and Externality mechanisms to weighted total effort models. We summarize related work in Section 5, and conclude in Section 6.
2 Security games: Model and Preliminaries
2.1 Model
Consider a network of interdependent users. Each user can choose to exert effort towards securing its system, consequently achieving the level of security or level of investment . Let denote the state of security of the system, i.e., the profile of security levels of all users.
We let denote the investment cost function of user ; it determines the monetary expenditure required to implement a level of security . We assume this function is continuous, increasing, and convex. The assumption of convexity entails that security measures get increasingly costly as their effectiveness increases.
The expected amount of assets user has subject to loss, given the state of security , is determined by the risk function, and is denoted by . We assume is continuous, nonincreasing, and strictly convex, in all arguments . The nonincreasing nature of this function in arguments , models the positive externality of users’ security decisions on one another. The convexity on the other hand implies that the effectiveness of security measures in preventing attacks (or the marginal utility) is overall decreasing, as none of the available security measure can guarantee the prevention of all possible attacks.
A user ’s (security) cost function at a state of security is therefore given by:
(1) 
We refer to the onestage, full information game among the utility maximizing users with utility functions as the security game. The level of investments in the Nash equilibrium of these games, and their suboptimality when compared to the socially optimal investments, has been extensively studied in the literature, see e.g. (1); (5); (12). Here, the socially optimal investment levels are those maximizing the total welfare, or equivalently, minimizing the sum of all users’ costs, i.e.,
(2) 
The literature has further proposed mechanisms for decreasing the inefficiency gap in security games, by either incentivizing or dictating improved security investments; see (1) for a survey. Our focus in the present paper is on regulating mechanisms that use monetary taxation to incentivize socially optimal security behavior. Such mechanisms assess a tax on each user ; this tax may be positive, negative, or zero, indicating payments, rewards, or no transaction, respectively.
We further assume that users’ utilities are quasilinear. Therefore, the total cost of a user when it is assigned a tax is given by:
(3) 
In addition to implementing the socially optimal solution, incentive mechanisms are often required to satisfy two desirable properties. First, when using taxation, the mechanism designer prefers to maintain (weak) budget balance (BB); i.e., it is desirable to have . In particular, implies a budget deficit, such that the implementation of the mechanism would call for the injection of additional resources by the designer.
In addition, it is desirable to design the mechanism in a way that users’ voluntary participation (VP) conditions are satisfied; i.e. users prefer implementing the socially optimal outcome while being assigned taxes , to the outcome attained had they unilaterally opted out. Otherwise, the designer would need to enforce initial cooperation in the mechanism. Note that we focus on the notion of voluntary participation instead of the usual individual rationality (IR) constraint, which requires a user to prefer participation to the outcome it attained at the state of anarchy (i.e., prior to the implementation of the mechanism). As mentioned in Section 1, such distinction is important as security is a nonexcludable public good, i.e., users can still benefit from the externalities of the actions of users participating in the mechanism, even when opting out themselves. This is in contrast to games with excludable public goods, where VP and IR are equivalent.
We now proceed to introduce the Pivotal and Externality taxbased incentive mechanisms for security games.
2.2 The Pivotal Mechanism
Groves mechanisms (2); (10), also commonly known as VickeryClarkeGroves (VCG) mechanisms, refer to a family of mechanisms in which, through the appropriate design of taxes for users with quasilinear utilities, a mechanism designer can incentivize users to reveal their true preferences in dominant strategies, thus implementing the socially optimal solution. However, the (weak) budget balance and voluntary participation conditions do not necessarily hold in these mechanisms, and are further dependent on the specifics of the design, as well as the game environment.
In general, let be user ’s utility. Here, is user ’s type; a user’s type determines the preference of the user over possible outcomes. In security games, a user ’s type is its risk and investment cost functions , or equivalently, its cost function . Users are required to report their types to the mechanism designer, based on which the designer decides on an allocation . In security games, an allocation is the vector of investments prescribed by the mechanism.
The VCG family of mechanisms achieve truth revelation and efficiency by assigning the following taxes to users, when their reported types are :
Here, is the socially optimal allocation given users’ reported types, and is an arbitrary function that depends on the reported types of users other than . Any choice of this function results in truth revelation and a socially efficient outcome, and a careful design may further result in VP and/or (W)BB.
One such choice that can achieve VP in certain environments is the Pivotal, or Clarke, mechanism (8); (10), with taxes given by:
Here, , is the outcome maximizing the social welfare in the absence of user . This mechanism satisfies the participation constraints and achieves weak budget balance in many private and public good games (10); however, this is not necessarily the case in security games.
The taxes in the Pivotal mechanism for the security game can be set as follows:
(4) 
where, is user ’s security cost function, is the socially optimal solution, and is the cost minimizing actions of users given user ’s action , and is determined by . In a game of complete information, will be the Nash equilibrium of the game between user and the participating users.
It is straightforward to verify that this design of the Pivotal mechanism in security games internalizes the externalities of users’ actions, and can thus lead to the implementation of the socially optimal solution. Formally,
Proposition 1.
In the Pivotal mechanism with taxes given by (4), investing the socially optimal level of investment will be individually optimal, for all users . Therefore, the socially optimal solution is implemented.
Furthermore, such design will ensure participation by all users. That is,
Proposition 2.
The Pivotal mechanism with taxes given by (4) satisfies all voluntary participation constraints.
The proofs of these propositions follow directly from existing literature, see e.g. (10).
2.3 The Externality Mechanism
We next examine a taxation mechanism that can achieve the socially optimal solution in security games, while maintaing a balanced budget. This mechanism is adapted from (9). The components of the mechanism are as follows.
The message space: Each user provides a message to the mechanism designer. denotes user ’s proposal on the public good, i.e., it proposes the amount of security investment to be made by everyone in the system, referred to as an investment profile.
denotes a pricing profile which suggests the amount to be paid by everyone. As illustrated below, this is used by the designer to determine the taxes of all users. Therefore, the pricing profile is user ’s proposal on the private good.
The outcome function: The outcome function takes the message profiles as input, and determines the security investment profile and a tax profile as follows:
(5)  
(6) 
In (6), and are treated as and , respectively.
Note that as by (6), the budget balance condition is satisfied through this construction. What this means is that the designer will not be spending resources or making profit, as the users whose tax is positive will be financing the rewards for those who have negative taxes. In other words, the mechanism proposes a tax redistribution scheme to incentivize improved security investments.
To establish that the Externality mechanism can implement the socially optimal outcome in security games, we first need to show that a profile , derived at any possible NE of the Externality regulated game, is the socially optimal solution. Formally,
Theorem 1.
Let be the investment and tax profiles obtained at the Nash equilibrium of the regulated security game. Then, is the optimal solution to the centralized problem (2). Furthermore, if is any other Nash equilibrium of the proposed game, then .
Furthermore, we have to show the converse of the previous statement, i.e., given an optimal investment profile, there exists an NE of Externality regulated game which implements this solution. Formally, we can show the following:
Theorem 2.
Let be the optimal investment profile in the solution to the centralized problem (2). Then, there exists at least one Nash equilibrium of the regulated security game such that .
The proofs of these theorems follow the method used by (9); (11). We refer the interested reader to these papers, as well as our earlier work (13), where we present a sketch of the proof of Theorem 1, along with an intuitive interpretation for this mechanism. Using the proof of 1, we show that the tax terms at the equilibrium of the Externality mechanism are given by:
(7) 
The interpretation is that by implementing this mechanism, each user will be financing part of user ’s reimbursement. According to (7), this amount is proportional to the positive externality of ’s investment on user ’s utility.
3 An impossibility result
In the previous section, we stated two wellknown taxbased incentive mechanisms for incentivizing socially optimal actions, namely the Pivotal and the Externality mechanisms, in the context of security games. The Pivotal mechanism is designed to guarantee voluntary participation, while the Externality mechanism focuses on budget balance. Following these observations, one may ask whether either of these schemes, or other taxbased mechanisms, can achieve social optimality, while guaranteeing both budget balance and voluntary participation simultaneously, in all instances of security games. In this section, we show that in fact no such reliable mechanism exists. We illustrate this impossibility through two families of counterexamples. The first counterexample considers games in which the network structure is a star topology, while the second family focuses on security games with weakest link risk functions.
In what follows, to evaluate users’ voluntary participation conditions, we consider a user , referred to as the loner or outlier, who is unilaterally contemplating opting out of this mechanism. As the game considered here is one of full information, the remaining participating users, who are choosing a welfare maximizing solution for their ()user system, will have the ability to predict the bestresponse of the loner to their collective action, and thus choose their investments accordingly. As a result, the equilibrium investment profile when user opts out is the Nash equilibrium of the game between the participating users and this loner. We will henceforth refer to this equilibrium as the exit equilibrium (EE).
3.1 Counterexample I: the star topology
Assume some taxbased incentive mechanism is proposed for security games. Consider users connected through the star topology depicted in Fig. 1, where the security decisions of the root affects all leaves, but each leaf’s investment only affects itself and the root. Formally, let the cost function of the root be given by:
and that of all leaves be:
Here, is any function satisfying the assumptions in Section 2. The investment cost functions are linear, with the same unit investment cost for all users.
To find the socially optimal investment profile, we solve the optimization problem of minimizing the sum of all users’ costs, , subject to nonnegative user investments. This profile, , should satisfy:
Based on the above, it is easy to see that in the socially optimal investment profile for this graph, only the root will be investing in security, while all leaves freeride on the resulting externality. This socially optimal investment profile is given by:
Now, assume the root user is considering stepping out of the mechanism. To find the investment profile resulting from this unilateral deviation, first note that the leaves’ security decisions will not affect one another, so that the socially optimal investment profile for the leaves is the same as their individually optimal decisions. User 1 will also be choosing its individually optimal level of investment. Therefore, using users’ first order conditions for cost minimization, the exit equilibrium is:
Finally, if any leaf user leaves the mechanism, the exit equilibrium will satisfy:
Again, it is easy to see that . Therefore, the exit equilibrium when user unilaterally leaves the mechanism is given by:
We now use the socially optimal investment profile and the exit equilibria to evaluate voluntary participation and budget balance in a general mechanism . Assume assigns a tax to a participating user . Then, voluntary participation will hold if and only if , which reduces to:
The sum of these taxes is thus bounded by:
However, the above sum could be negative, e.g., when or , indicating that weak budget balance will fail regardless of how the taxes are determined in a mechanism .
3.2 Counterexample II: weakestlink games
In this section, we again assume a general taxbased incentive mechanism is proposed for the security games. We focus on a family of security games which approximate the weakest link risk function (7); (1). Intuitively, this model states that an attacker can compromise the security of an interconnected system by taking over the least protected node. To use this model in our current framework, we need a continuous, differentiable approximation of the minimum function. We use the approximation , where the accuracy of the approximation is increasing in the constant . User ’s cost function is thus given by:
where investment cost functions are assumed to be linear, with the same unit investment cost for all users.
In this game, the socially optimal investment profile is given by the solution to the first order condition , which leads to:
By symmetry, all users will be exerting the same socially optimal level of effort:
Next, assume a user unilaterally steps out of the mechanism, while the remaining users continue participating. The exit equilibrium profile can be determined using:
Solving the above, we get:
We now use the socially optimal investment profile and the exit equilibria to analyze users’ participation incentives in a general mechanism , as well as the budget balance conditions. Denote by the tax assigned to user by . A user ’s total cost functions when participating and staying out are given by:
The voluntary participation condition for this user will hold if and only if , which reduces to:
(8) 
On the other hand, for weak budget balance to hold, we need . Nevertheless, by (8), we have:
It is easy to see that given and for any , the above sum will always be negative, indicating a budget deficit for a general mechanism , regardless of how taxes are determined.
3.3 A note on the nature of this impossibility result
To close this section, we would like to point out that the impossibility result on a simultaneous guarantee of social optimality, voluntary participation, and weak budget balance, is demonstrated through two family of counterexamples. In other words, we have shown that without prior knowledge of the graph structure or users’ preferences, it is not possible for a designer to propose a reliable mechanism; that is, one which can promise to achieve SO, VP, and WBB, regardless of the realizations of utilities. Nevertheless, it may still be possible to design reliable mechanisms under a restricted space of problem parameters; in fact we identify a few such instances in Section 4 by analyzing the class of weighted total effort models.
4 Weighted total effort models: analysis and simulation
In the remainder of the paper, to further illustrate some of the parameters affecting the performance of incentive mechanisms in security games, we focus on the Pivotal and Externality mechanisms. We consider the special case of weighted total effort games, and identify some of the factors that affect the total budget and participation incentives in the Pivotal and Externality mechanisms, respectively.
4.1 Choice of the risk function
The gap between the Nash equilibrium and the socially optimal investment profile of a security game, as well as users’ participation incentives and possible budget imbalances, are dependent on the specifics of the security cost functions defined in (1). In particular, an appropriate choice of the risk functions for a given game is based on factors such as the type of interconnection, the extent of interaction among users, and the type of attack. Several models of security interdependency have been proposed and studied in the literature; these include the total effort, weakest link, and best shot models considered in the seminal work of Varian on security games (7), as well as the weakest target games proposed in (12), the effective investment and bad traffic models in (5), and the linear influence network games in (14).
In this paper, we take the special case of the weighted total effort games, with exponential risks and linear investment cost functions, to study the effects of interdependency on the performance of the Pivotal and Externality mechanisms. Formally, the total cost function of a user in this model is given by:
(9) 
Here, the investment cost function is assumed linear, . The coefficients determine the dependence of user ’s risk on user ’s action. Consequently, user ’s risk is dependent on a weighted sum of all users’ actions.
In particular, to isolate the effect of different features of the model on the performance of the two mechanisms, we focus on three subclasses of the weighted total effort model. We first look at the effects of varying users’ selfdependence. Next, we consider the effects of diversity, by breaking users into two groups of selfdependent and reliant users. Finally, we study the effect of making all users increasingly dependent on a single node’s action. We present numerical results and intuitive interpretation for each of the above scenarios; formal analysis is given in the online appendix.
4.2 Effects of selfdependence
Consider a collection of users, with total cost functions determined according to (9), with , and :
We assume , so as to ensure the existence of nonzero equilibria; i.e., at least one user exerts nonzero effort at any equilibrium of the game. The socially optimal and exit equilibria of this game can be determined by using the first order conditions on the users’ cost minimization problems, subject to nonnegative investments. The resulting systems of equations can be solved to determine the possible exit equilibria, as well as parameter conditions under which each equilibrium happens; the results are summarized in Table 1.
According to this table, we can identify five sets of parameter conditions under which different exit equilibria are possible. We can further analyze each case separately to find whether the voluntary participation conditions are satisfied under the Externality mechanism, as well as whether the Pivotal mechanism can operate without a budget deficit. These results are summarized in Table 1 as well.
Exit  
Equilibrium  Parameter Conditions  VP in  
Externality  BB in Pivotal  
CASE  , and  
Never  Never  
CASE  , and  
Never  Never  
CASE  , and  Never  Never  
CASE  , and  
Always  Always  
CASE  , and  
Always  Always 
Simulations: cases
As seen in Table 1, when , neither of the two mechanisms can maintain a balanced budget and guarantee voluntary participation simultaneously, in either of the realized equilibria. In this section, we further examine the effect of changing , , and on the mechanisms’ performance. In particular, we plot the sum of all taxes, , in the Pivotal mechanism. For the Externality mechanism, we plot per user ; i.e., the benefit of participation (in terms of cost reduction) for that user. We also consider the effect of these changes on the price of anarchy of the security game, by looking at the ratio of sum of the costs at the symmetric Nash equilibrium, over the sum of the costs at the socially optimal solution.
Changing In order to understand the effect of the unit cost, we set and . We then change the fraction , so that initially we are in [Case ]: , and gradually move to [Case ]: . Intuitively, we will be gradually reducing the unit cost of investment, so that the outlier finds it efficient to continue investing even when leaving the mechanism. Figure 3 illustrates the results.
Changing We next set and . We then increase , starting from , so that initially we are in [Case ]: , and gradually move to [Case ]: . Intuitively, we are gradually increasing selfdependence, and therefore making a unit of investment more effective for the user, so that outliers exert nonzero effort. Figure 3 illustrates the results.
Changing Finally, we set and , and increase the number of users , starting from . As a result, we will initially be in [Case ]: , and gradually move to [Case ]: . That is, once enough users participate in the mechanism, the externality is high enough for outliers to stop exerting effort. Figure 4 illustrates the results.
Intuitive explanation
We conclude that as predicted by the analysis, the Pivotal mechanism will always carry a deficit, while the Externality mechanism will always fail to guarantee voluntary participation. We also observe that when the performance of the mechanisms starts improving, the price of anarchy is decreasing, i.e., the reduction in costs from introducing an incentive mechanism is decreasing. This is because the performance of the mechanisms only improves when the system is less interdependent: higher selfdependence, smaller unit costs, or small number of users, all lead to closer to optimal investments by individual users in the state of anarchy. Such users would require smaller incentives to move to the optimal state, hence the reduced budget deficit or smaller participation gap in the Pivotal and Externality mechanisms, respectively. We conclude that in these games, when incentive mechanism are more effective, there will be a need for more substantive secondary incentives, or a higher initial budget injection, in order to incentivize optimal investments.
4.3 Effects of diversity: two classes of selfdependence
Next, consider a collection of users with the following total cost functions:
Assume that we have two classes of users: the selfdependent users for whom , and the reliant users for whom . We let . The assumption of entails that users in are affected primarily by other users’ security decisions, while those in are more selfdependent. The assumption of ensures that in any equilibrium of the game, at least one user will be exerting nonzero effort.
Similar to the previous section, the socially optimal investment profile and the exit equilibria can be determined according to the first order conditions on users’ cost minimization problems subject to nonnegative investments. Denote the investments of users in and by and , respectively, It is easy to show that given the same unit investment costs , and the fact that , we get in the socially optimal investment profile. In other words, the users in will never invest in security as they will instead rely on the externality from users in . Also, with , we get . Therefore, selfdependent users in will be main investors, while reliant users in are freeriders. We again omit full analysis for the derivation of the socially optimal solution and the exit equilibria (see online appendix), and limit our discussion to some interesting features of the possible exit equilibria.
First, it is easy to show that any reliant user staying in the mechanism following the unilateral deviation of one other user will continue as a freerider. However, when such user unilaterally exits a mechanism, although there always exists an exit equilibrium in which this user continues as a freerider, there may also exist equilibria under which this user exerts nonzero effort while all other users freeride. In particular, for , an exit equilibrium exists if and only if:
Intuitively, with small enough, given that no other user is investing in security, user will need to exert relatively high effort to reduce its own risk. The considerable externality from this high effort ensures that not investing is a best response for the remaining users.
Similarly, a user from who leaves the mechanism may continue investing, or become a freerider. In particular, for , an exit equilibrium , where becomes a freerider, exists if and only if:
Simulations
Assume first that is relatively small, such that when users from step out, is a possible exit equilibrium. We gradually increase , so that initially is a possible EE for users from , but past a threshold, is the realized equilibrium. We look at the and users’ benefit (in terms of cost reduction) from participating in the Externality mechanism, the budget of the Pivotal mechanism, and the price of anarchy of the game, defined as the sum of costs at the symmetric NE over the total costs at the SO.
In particular, we set , and , , , and change . The results are depicted in Fig. 5. First, we observe that the Pivotal mechanism will carry a surplus; i.e., WBB holds. Also, VP constraints for users in will be satisfied in the Externality mechanism. However, users from will only have VP when the exit equilibrium is one with . We conclude that these users are only willing to participate in the mechanism if they have to exert nonzero effort even when they stay out.
We next repeat the same simulations, but this time focus on a case with . With this choice of , the EE for a user is so that . In other words, these users’ will be freeriders whether they participate or not. Consequently, we observe that the participation incentives of users in will no longer be satisfied in the Externality mechanism. In addition, the Pivotal mechanism will carry a budget deficit. These observations are illustrated in Fig. 6.
Intuitive explanation
The previous figures illustrate how users’ voluntary participation constraints in the Externality mechanism are highly affected by their actions in the exit equilibria. In particular, in the first scenario, we observe that the VP conditions of users in are satisfied only when they are required to exert nonzero effort even when exiting. Similarly, by comparing Figs 5 and 6, we see that users in will voluntarily participate if they are forced to act as investors when staying out. Finally, when the exit equilibrium requires users in to invest in security, the Pivotal mechanism is able to extract higher taxes from users in , as such equilibrium increases other users’ costs considerably compared to the socially optimal solution. This in turn leads to the budget surplus illustrated in Fig. 5.
4.4 Effects of a single dominant user
Consider a collection of users with weighted total effort risk functions (9). Let , and . That is, as grows, all users’ risks become increasingly affected by user ’s effort. Thus, users’ total cost functions are given by:
We again assume that , so as to ensure that at least one user exerts nonzero effort at any equilibrium of the game.
It is easy to show that in a socially optimal investment profile , only user 1 will be exerting effort. This will also be the case when users other than the dominant user leave the mechanism. When the dominant user opts out of the mechanism, however, the exit equilibria will depend on the externality available to this user from the participating nodes. The possible equilibria and parameter conditions for which each is possible, as well as the performance of both mechanisms, are summarized in Table 2.
Exit  
Equilibrium  Parameter Conditions  VP in  
Externality  BB in Pivotal  
CASE  
Never  Never  
CASE  
Never  Never 
Simulations
To verify the analysis summarized in Table 2, we plot a user’s benefit from participating in the Externality mechanism (i.e., ), the budget of the Pivotal mechanism (i.e., ), and the price of anarchy of the game, as the dependence on the dominant user, , increases.
In particular, we set , , and increase from 1 to 15. As a result, we will initially be in Case , with and move to Case , with once . The results are depicted in Fig. 7. As predicted by our analysis, the Pivotal mechanism will always carry a deficit. Also, the voluntary participation condition for nondominant users will fail under both mechanisms.
Intuitive explanation
We observe that in these family of games, having a less beneficial equilibrium leads to the voluntary participation of the dominant user, as seen in the top plot in Fig. 7. As the exit equilibria for the nondominant users remains unchanged, so does their participation incentives. Furthermore, we see that no equilibrium can lead to budget surplus in the Pivotal mechanism. That is, although the Pivotal mechanism needs to give out a smaller reward to the dominant user in Case as compared to Case (hence the jump in the third plot in Fig. 7), it still fails to avoid a deficit in both cases, due to the small willingness of freeriders to pay the taxes required to cover this reward.
4.5 Insights from the weighted total effort model
First, note that we have identified families of positive instances; i.e, problem parameters under which one or both mechanisms can achieve participation and maintain a balanced budget simultaneously. These include Cases and in Table 1, which are positive instances for both mechanisms, as well as the region with small and parameters, Fig. 5, which is a positive instance for the Pivotal mechanism. It is also worth mentioning the insight behind the existence of each positive instance:

In Cases and of Table 1, incentive mechanisms allow an exchange of favors among users: as all users are mainly dependent on others’ investments, they coordinate to each increase their investments in return for improved investments by other users.

In the region with small and parameters in Fig. 5, the Pivotal mechanism is successful as it facilitates the transfer of funds from the reliant users to the selfdependent users in return for their improved investments.
Second, we observe that when possible, the selection of exit equilibria that are less beneficial to the outliers helps the performance of both mechanisms. A less beneficial equilibrium can be one that requires a freerider to become an investor when leaving the mechanism, or one that requires an investor to continue exerting effort when out (although possibly at a lower level). One instance of this feature can be seen by comparing Cases and with Case in Table 1. The same can be observed from Fig. 5, when grows, and also by comparing Figs. 5 and 6. Based on this observation, we can expect that in a repeated game setup of security games, by punishing outliers with an appropriate selection of less beneficial equilibria, social optimality, voluntary participation, and budget balance conditions can be simultaneously guaranteed.
5 Related Work
The problem of incentivizing optimal security investments in an interconnected system is one example of problems concerning the provision of nonexcludable public goods in social and economic networks. Other examples include creation of new parks or libraries at neighborhood level in cities (15), reducing pollution by neighboring towns (16), or spread of innovation and research in industry (17). We summarize some of the work most relevant to the current paper.
(17) introduces a network model of public goods, and studies different features of its Nash equilibria. This model is equivalent to a total effort game with linear investment costs and a general interdependence graph. The authors show that these games always have a specialized Nash equilibrium; i.e., one in which users are either specialists exerting full effort (equivalent to main investors in our terminology), or freeriders. They show that such equilibria correspond to maximal independent sets of the graph, and that specialized equilibira may lead to higher welfare compared to other (distributed) Nash equilibria. Similarly, (18) studies the Nash equilibrium of a linear quadratic interdependence model, and relates the equilibrium effort levels to the nodes’ Bonacich centrality in a suitably defined matrix of local complementarities. The work in (15) generalizes these results by studying existence, uniqueness, and closed form of the Nash equilibrium in a broader class of games for which bestresponses are linear in other players’ actions. All the aforementioned work focuses on the Nash equilibrium in public good provision environments.
The work of (16) is the most relevant to our work, as it focuses on implementation of Pareto efficient public good outcomes, rather than the Nash equilibria on a given network. The authors define a benefits matrix for any given network graph; an entry of the matrix is the marginal rate at which ’s effort can be substituted by the externality of ’s action. The main result of the paper states that efforts at a Lindahl outcome constitute an eigenvalue centrality vector of this benefits matrix. One such Pareto efficient outcome, the socially optimal outcome, can be implemented using Lindahl taxes determined through the Externality mechanism. The current paper differs from (16) in both modeling and results. First, while a user’s action in (16) is strictly costly for the user itself, users in our framework benefit from their own investments as well. More importantly, the focus of (16) is on characterizing users’ effort levels in terms of network structure for Lindahl outcomes, the individual rationality of which is established by comparing the Pareto efficient outcome with the state of anarchy, rather than considering unilateral deviations from the mechanism. Our work on the other hand considers both Lindahl and Pivotal taxes, and focuses on users’ voluntary participation incentives when unilaterally opting out, as well as tax balance issues.
Finally, in the context of security games, our work in Section 4 is most related to (5); (14). The weighted total effort risk model is a generalization of the total effort model in (7), and is similar to the effective investment model in (5) and the linear influence network game in (14). The linear influence models in (14) have been proposed to study properties of the interdependence matrix affecting the existence and uniqueness of the Nash equilibrium. The effective investment model in (5) has been considered to determine a bound on the price of anarchy gap, i.e. the gap between the socially optimal and Nash equilibrium investments, in security games. Our work on the above model complements this literature, by considering the effect of users’ interdependence on the performance of incentive mechanisms.
6 Conclusion
We have shown that in the problem of provision of nonexcludable public goods on networks, under general assumptions on the graph structure and users’ preferences, it is not possible to design a taxbased incentive mechanism to implement the socially optimal solution while guaranteeing voluntary participation and maintaining a (weakly) balanced budget. Even under a fully connected graph and users with weighted total effort risk functions, we need further conditions on problem parameters (e.g. number of users, the level of interdependence, and cost of investment) to ensure that the wellknown Pivotal and Externality mechanisms can achieve social optimality, budget balance, and voluntary participation, simultaneously. These positive instances occur when users can exchange favors by agreeing on increasing their investments, or when they can transfer funds to the more influential users in return for their increased efforts. A comprehensive characterization of problem instances in which all requirements can be simultaneously satisfied remains a main direction of future work.
Acknowledgment
The authors would like to thank Armin Sarabi and Hamidreza Tavafoghi for many useful discussions. This work is supported by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency (HSARPA), Cyber Security Division (DHS S&T/HSARPA/CSD), BAA 1102 via contract number HSHQDC13CB0015.
References
Appendix
Appendix A Exit equilibria of the weighted total effort model  varying selfdependence
In this appendix, we solve for the socially optimal investment profile, and identify the possible exit equilibria, and parameter conditions under which each equilibrium is possible.
The socially optimal investment profile in this game will be given by:
To find the exit equilibrium when a user steps out, , we can write the first order conditions on the users’ cost minimization problems. To simplify notation, we denote and . The system of equation determining and is given by:
(10) 
There are four possible exit equilibria, depending on the whether and/or are nonzero. We look at each case separately.
a.1 Exit equilibria with
Intuitively, when user steps out, both sides continue to invest in security, perhaps at reduced levels, but no user is fully freeriding. We would need the following to hold simultaneously:
Let and . Solving for leads to:
To find the range of parameters for which the above holds, we need to ensure that are indeed positive.

If , then . For , we need:

If , then . For , we need:
a.2 Exit equilibria with
In this case, the participating users revert to investing zero, so that the outlier is forced to increase its investment:
As a result, we get . For this to be consistent with the second condition, we require:
The above always fails to hold for , as the LHS is always more than 1, while the RHS is surely less than 1 by the assumption . Intuitively, when selfdependence is higher than codependence on the outlier, the remaining users will not rely solely on externalities and continue investing when user steps out.
For on the other hand, for a small enough (which in turn leads to higher investment be the outlier), the equation may hold.
a.3 Exit equilibria with
This means that the loner freerides, so that we have:
As a result, we get . For this to be consistent with the first condition, we need:
Note that this always hold for , but not necessarily for .
a.4 Exit equilibria with
We would need the following to hold simultaneously:
which will never hold, as we initially required that .
Appendix B BB and VP in exit equilibria  varying selfdependence
In this appendix, we separately analyze each of the possible cases identified in Appendix A, summarized in Table 1. Specifically, we are interested in the Budget balance condition under the Pivotal mechanism, and users’ participation incentives in the Externality mechanism.
b.1 Case : fails BB, fails VP
In this case, the underlying parameters satisfy and . As a result, the exit equilibrium (EE) is such that , and . Therefore, the costs of users at the SO and EE are given by: