Modeling Internet Security Investments
The Case of Dealing with Information Uncertainty
Abstract
Modern distributed communication networks like the Internet and censorshipresistant networks (also a part of the Internet) are characterized by nodes (users) interconnected with one another via communication links. In this regard, the security of individual nodes depend not only on their own efforts, but also on the efforts and underlying connectivity structure of neighboring network nodes. By the term ‘effort’, we imply the amount of investments made by a user in security mechanisms like antivirus softwares, firewalls, etc., to improve its security. However, often due to the large magnitude of such networks, it is not always possible for nodes to have complete effort and connectivity structure information about all their neighbor nodes. Added to this is the fact that in many applications, the Internet users are selfish and are not willing to cooperate with other users on sharing effort information. In this paper, we adopt a noncooperative gametheoretic approach to analyze individual user security in a communication network by accounting for both, the partial information that a network node possess about its underlying neighborhood connectivity structure, as well as the presence of positive externalities arising from efforts exerted by neighboring nodes. We investigate the equilibrium behavior of nodes and show 1) the existence of symmetric Bayesian Nash equilibria of efforts and 2) better connected nodes choose lower efforts to exert but earn higher utilities with respect to security improvement irrespective of the nature of node degree correlations amongst the neighboring nodes. Our results provide ways for Internet users to appropriately invest in security mechanisms under realistic environments of information uncertainty.
Keywords: security, externality, Bayesian Nash Equilibria
I Introduction
The Internet has become a fundamental and integral part of our daily lives. Billions of people are using the Internet for various types of applications that demand different levels of security. For example, commercial and government organizations run applications that require a high level of security, since security breaches would lead to large financial damage and loss of public reputation. Another example of a high security application in the Internet is maintaining user anonymity through a censorshipresistant network. On the other hand, an ordinary individual for instance generally uses a computing device for purposes that do not demand strict security requirements. However, all these applications are running on a network, that was built under assumptions, some of which are no longer valid for today’s applications, e.g., that all users on the Internet can be trusted and that the computing devices connected to the Internet are static objects. Today, the Internet comprises of both good and malicious users. The malicious users perform illegal activities, are able to aspect many users in a short time period, and at the same time reduce their chances of being discovered. To overcome security related issues, Internet users invest in security mechanisms such as antivirus solutions and firewalls.
It is commonsense information that due to Internet connectivity, the security strength of an Internet user^{1}^{1}1An Internet user could be a single individual or an individual organization. is dependent on the security strength of other users, especially neighboring users. Thus, from an individual user perspective, two important pieces of information are the amount of security investments of its neighbors in the network and the knowledge of the underlying connectivity structure of its neighbors, as they both drive optimal user investments. Unfortunately, due to the large magnitude of the Internet, its not feasible or practical to have exact information about the security investments and connectivity structure of all neighboring Internet users. In addition, most Internet users are selfish in nature and would not be inclined to share investment information with other Internet users. However, users do need to invest in security/defense mechanisms to protect themselves as much as possible. In this paper, we address the problem of optimal security investments when an individual user is uncertain about the underlying network connectivity structure of its neighbors , and accounts for the network externalities^{2}^{2}2An externality is a positive(negative) effect caused to a user not directly involved in an economic transaction, by other users involved in the transaction. For example, an Internet user investing in security mechanisms benefits all the nodes connected to it and thus creates a positive externality for its neighbors. posed by them when they invest in security mechanisms.
We consider models related to two general security scenarios as mentioned in [15] when network externalities are present: 1) where the security strength of an individual user depends upon the sum security strength of itself and other individual nodes in the network under operation and 2) where the security strength of an individual user depends on the strength of the strongest node/s in the network. An example of scenario 1 is a peertopeer network where an attacker might want to slow down the transfer of a given piece of information, whose transfer speed might depend on the aggregate effort of all relevant nodes concerned. An example of scenario 2 is a censorshipresistant network, where a piece of information will remain available to a public domain as long as atleast one node serving that piece of information is unharmed. Another example of scenario 2 is the flow of traffic between two backbone nodes in the Internet. Modeling each path between two backbone nodes as a node, traffic will flow securely between the backbone as long as there is atleast one node that is unharmed by an attacker, i.e., there exists atleast one path between the backbone nodes. Likewise, there are other examples of applications on the Internet that fit scenarios 1 and 2. We emphasize here that there is another practical scenario as mentioned in [15], viz., one where the security strength of an individual user depends on the strength of the weakest node. This scenario is mainly an intraorganization scenario, where once a node in an organization is compromised due to a weak password or a security policy, its easy for an attacker to hack the whole system. However, the information of neighborhood topology structure within an organization may be known to the network users in certainty, but in this paper we focus on the case when users have uncertain information about the neighborhood topology structure of the network in operation.
Our Research Contributions

We present a general model for analyzing individual user security in a non cooperative Internet environment. In this regard, we study security games when 1) Internet users have incomplete information about the underlying neighboring network connectivity structure and 2) Internet users account for the positive externalities posed by the investments of neighboring Internet users. Our model extends work proposed in [5][6] in terms of capturing network information uncertainty. (See Section III.)

We formulate our investment problem as a Bayesian game of incomplete information and show the existence of a symmetric Nash equilibrium of user investments. The equilibrium results show that under incomplete neighboring network topology information, better connected users choose lower efforts to exert and earn higher payoffs, irrespective of the nature of node degree correlations amongst neighboring nodes. ^{3}^{3}3In a network such as the Internet, there exists a correlation between the node degrees [11]. In this paper we explicitly model the degree correlations.. (See Section IV.)
Ii Related Work
There have been very few works related to security investments in the Internet. The authors [9][14] in their works have analyzed selfprotection investments in Internet security under the presence of cyberinsurance, which is a form of a thirdparty risk transfer. Under the assumption of users having complete network topology information, the works show 1) cyberinsurance incentivizes users to invest in selfprotection, 2) cyberinsurance entails optimal user investments both in insurance and in selfprotection, and 3) cooperation amongst Internet users result in higher user selfprotection investments when compared to the case when users do not cooperate. However, attractive though the concept may seem, cyberinsurance may not be a market reality due to factors such as interdependent security, correlated risks, and information asymmetry between the insurer and the insured [1][12]. In addition, it is also infeasible for Internet users to have complete network topology information.
For non cyberinsurance environments, in a recent series of works [7][13], the authors show that Internet users invest suboptimally in security under selfish environments when compared to the case when user cooperation is allowed. They account for externalities but base their results by assuming users having complete network topology information. However, as we have discussed previously, in a large network such as the Internet, having complete network topology information is infeasible. In addition, all the mentioned related works do not model the wellknown security games mentioned in [15], that are in general played by attackers and defenders (non malicious Internet users) when externalities are present in a network. In this regard, the works in [4][5][6] tackle the problem of optimal security investments and model the cited security games mentioned in [15] but do not account for any uncertainty of information that a user has regarding the underlying network topology. In this paper, we advance previous research in security investments and model both, externalities, as well as users having uncertainty of information regarding the connectivity structure of neighboring nodes. However, unlike [5][6], we do not model selfinsurance, and only focus on selfprotection without any cyberinsurance.
Iii Modeling Network Security Investment Games
In this section, we propose a general model for analyzing network security investments using a gametheoretic approach. First, we model the user interaction network in the Internet. Second, we describe the utility/payoff function of the Internet users as a function of their strategies/actions, which are nothing but the security investments of a user. Finally, we explain the information structure of Internet users with respect to the underlying connectivity structure of their neighbors, and highlight the game of investments that results from the information structure.
Iiia Network Structure
We consider a set of Internet users and a connectivity matrix of users, where if the utility of user is affected by the security investment of user , being not equal to , and 0 otherwise. Let denote the set of all the one hop neighbors of , where . We also consider the hop neighbors of node and denote the set by . This set consists of all the nodes that are within hops of node , where . Inductively, we have the following relationships between and :
(1) 
(2) 
We represent the degree of a node by , where equals . In this paper, we assume that each user has perfect knowledge about its own degree but does not have complete information about the degrees of its neighbors. (More on degree information structure in Section IIIC.)
IiiB User Strategies and Payoffs
In this paper we consider two types of non cooperative security investment games concerning the case when users have incomplete information on the topology of the network under operation: (1) the users are selfish and invest to maximize their own utilities, but the security strength of an individual user depends on the sum of security investments of itself and its neighboring individual nodes and 2) the users are selfish and invest to maximize their own utilities, but the security strength of the whole network depends on the security investments of the most robust node/s amongst its neighbors. The latter type of game is often termed as a ‘bestshot’ game. In both these types of games, each user is a player and its strategy is the amount of security investment it makes. We assume here that the strategy/action of each user is and lies in the compact^{4}^{4}4In mathematical analysis, a compact set is one which is closed and bounded. set . We also assume that the utility/payoff to each user is and is a function of the security investments made by itself and its one hop neighbors. Thus , where is the vector of security investments of the one hop neighbors of user . From the structure of user utility functions, we observe that two players having the same degree will have the same utility function. We also model the concept of a positive externality as it forms an integral part of the analysis in Section IV. A positive externality to a user from its one hop neighbors results when they invest in security, thereby improving the individual security strength of the user. We represent the concept mathematically in the following manner: we say that a payoff function exhibits positive externalities if for each and for all , where and are the vectors of security investments of one hop neighbors of user .
In scenarios where the security strength of a user depends on the sum of investments of itself and other neighboring users, we mathematically formulate ’s utility/payoff function as follows:
(3) 
where is a nondecreasing function, is the cost incurred by user for putting in own effort in order to make its system more robust, and is a scalar quantity which determines the magnitude of the positive externality experienced by user due to the security investments made by its one hop neighbors.
The situation when the security strength of a user depends on the investments made by the strongest neighbor/s can be modeled as a special case of the situation when a user security strength depends on the sum of the security investments of its neighbors. We first note that from user ’s perspective, the former situation implies that as long as there is a neighboring node/s that is secure, user is safe. In Section I we have already cited censorship resistant networks and Internet backbone networks to be examples of networks where the former situation might arise leading to a bestshot game. We had also given an example of how the bestshot scenarios arising in these networks can be modeled as a graph to reflect the ‘userneighbor’ concept.
Once we have modeled a bestshot scenario as a graph, we fix the strategy space of individual users to and make and = 1 for all . A binary strategy space of implies that each user decides either to invest or not to invest. If a user or any of its neighbors invest, the former is safe, else it is not. We observe that the ‘sum of investments’ game gets converted to a bestshot game. In this case user ’s payoff follows the following equation:
(4) 
Equation (4) implies that adding a link to a neighbor who invests zero amount in security mechanisms is equivalent to not having the neighbor.
IiiC Information Structure
In this paper we assume that each Internet user (player) knows its own degree but does not have perfect information regarding the degree of its neighbors. It has already been shown by Newman in [11] that nodes in an Internet like network exhibit degree correlations^{5}^{5}5Newman show through empirical studies that technological and Internet networks exhibit negative degree correlation whereas social networks exhibit positive degree correlation. In this regard, we account for the degree correlations between the neighboring nodes of a user in our model, i.e., when a user decides on its strategy, it accounts for the amount of information it has on the degree of its neighbors. Information on degree correlations is important as it guides a user to making better security investments when compared to the situation when it has no information about the correlations.
Let the degrees of the neighbors of user be the vector , whose dimension is . We assume that user does not know the vector but has information regarding its probability distribution, i.e., it knows the value of . We assume that each player in the network under consideration has symmetrical beliefs about the degree of its neighbors. Thus, arises a family of conditional distributions, C , where is a vector of degrees of the neighbors of a node and is the degree of a given node.
We model the strategic interactions between the players of the network as a Bayesian game of incomplete information. The type space of the Bayesian game is the user knowledge on the potential degrees of its neighboring players. The strategy for each player is its security investment conditioned on the knowledge of the degree of their neighbors, and the payoff function for each player is as defined in Section IIIB, which depends on whether the game is a sum of investments game or a bestshot game. Assuming that is the set of possible investments a user could make, the strategy for player is a mapping , where is the set of distribution functions on .
We note that for a player, its conditional distributions concerning the neighbors’ degrees can vary with its own degree. According to our model, players may have different number of neighbors, and the degrees of the neighbors are correlated with each other. Thus, the dimension of the vector of degrees of its neighbors may vary from player to player. In order to address correlation amongst vectors of different dimensions, we adopt the technique of ‘association’ from the domain of statistics [3]. Association is used to track the correlation patterns of groups of random variables, given the complicated interdependencies that might be present between them. A positive association indicates that higher levels of one variable (in this case a player’s degree) implies higher levels of all other variables (in this case a player’s neighbors’ degrees).
Given a player with degree , enumerate the degrees of ’s neighbors as . Now consider a function , where . Let
(5) 
In Equation (5) we fix a subset of user ’s neighbors, and then take the expectation of operating on their degrees. We say that the family of distributions C exhibits positive association if, for all , and any nondecreasing , we have
(6) 
and C exhibits negative association if
(7) 
for all , and any nondecreasing .
Iv Game Analysis
In this section, we analyze thesymmetric Bayesian game of incomplete information played between the users of the network under operation. In any symmetric game, the player payoffs for playing a particular strategy depend only on the strategies of other players and not on who is playing the strategies. We investigate the existence, uniqueness, and monotonicity of our game equilibria. In studying monotonicity of equilibria, we investigate the changes in the best response investment magnitude of a user when other users in the network increase/decrease their best response investment amounts. We also investigate the effect of the increase/decrease in user degrees on the equilibria of the game. We initially give a mathematical definition of our Bayesian game and follow it up with the analysis of game equilibria.
Iva Game Definition
Consider a player (Internet user) having degree in a sumofinvestments game or a bestshot game. Each player chooses a security investment amount from the set as its strategy, where is as defined in Section IIIC. Let be the probability density over induced by the beliefs held by player over the degrees of its neighbors, combined with the strategies played via , the vector of strategies of other users in the network. Let
(8) 
where is the expected utility/payoff of player with degree and investment when other players choose strategy . The Bayesian Nash equilibrium of the game is a strategy vector that maximizes the expected utility of each player in the network [2][10]. In regard to individual user expected payoff functions, we now define the concepts of degree complementarity and degree substitutability that will be of importance in the analysis of the monotonicity of game equilibria.
For a given player , we say that its expected utility function exhibits degree complementarity if
(9) 
where , , and is nondecreasing. Similarly for a given player , we say that its expected utility function exhibits degree substitutability if
(10) 
where , , and is nonincreasing. We have the following lemma and ensuring the conditions under which the expected utility of a player exhibits degree complementarity.
Lemma 1. Given the conditions that (1) , for each player , (2) the ’s for each player exhibit strategic complements^{6}^{6}6 is said to exhibit strategic complements [16] if for all , and implies . Analogously, is said to exhibit strategic substitutes [16] if for all , and implies ., and (3) the family of conditional distributions C is positively associated, then ’s for each player exhibits degree complements.
We omit the proof due to lack of space. We emphasize here that the proof structure also establishes that given (1) , for each player , (2) the ’s for each player exhibit strategic substitutes, and (3) the family of conditional distributions C is negatively associated, ’s for each player exhibits degree substitutes.
IvB Game Equilibria Results
In this section we state the results related to equilibria of our proposed Bayesian game. Given a symmetric environment; i.e., players participate in a symmetric Bayesian game of security investments, we prefer to analyze symmetric equilibria^{7}^{7}7A symmetric equilibrium is one where each player in the game plays the same strategy., as asymmetric behavior seems relatively unintuitive, and difficult to explain in a oneshot interaction [8]. We omit the proofs of the results due to lack of space.
Lemma 2. There exists a symmetric equilibrium in our proposed security investment game. If the expected utility function of users exhibit degree complementarity, the equilibrium is nondecreasing, whereas for user utility functions exhibiting degree substitutes, the equilibrium is nonincreasing.
Lemma 3. Given the conditions that (1) , for each player and (2) degrees of neighboring nodes of users are independent, then strategic substitutes (compliments) of user utility functions result in every symmetric equilibrium of our proposed Bayesian game being monotone increasing (decreasing).
Lemma 4. Suppose , for each player . If C is positively associated, then in every nondecreasing symmetric equilibrium of our proposed Bayesian game, the expected utilities of players are nondecreasing in degree. If C is negatively associated, then in every nonincreasing symmetric equilibrium of our proposed Bayesian game, the expected utilities of players are nondecreasing in degree.
Lemma Comments: From a user (player) perspective, Lemma 2 states that when user expected utilities exhibit degree complementarity, a monotonic increase in the equilibrium security investments of all other users results in an increase in the player’s equilibrium investments, for at least one equilibrium. Thus, the degree complementarity property of user expected utilities prevents freeriding behavior of users for at least one equilibrium. On the other hand, the degree substitutes property ensures that for at least one equilibrium, users are not incentivized to increase their security investments when others in the network do not, in turn providing no additional benefit to other network users by investing relatively more. Lemma 3 states the conditions under which all symmetric equilibria are monotone, and gives an insight on the topology of the network that could result in all symmetric equilibria being monotone. Lemma 4 provides the relation between network degrees of users and their equilibrium payoffs, and identifies the conditions under which payoffs increase/decrease with network degree. The relationships state the contexts in which network connections are advantageous and disadvantageous with respect to equilibrium payoffs.
V Conclusion
In this paper we proposed a security investment model for the Internet in which Internet users account for the positive externality posed to them by other Internet users and make security investments under situations when they do not have complete information about the underlying connecting topology of its neighbors. Our model is based on a gametheoretic approach and we showed 1) the existence of symmetric Bayesian Nash equilibria of efforts and 2) better connected nodes choose lower efforts to exert but earn higher utilities with respect to security improvement irrespective of the nature of node degree correlations amongst the neighboring nodes. Our results provided ways for Internet users to appropriately invest in security mechanisms under realistic environments of information uncertainty. Our results also clarified how the basic strategic features of the game  as manifest in the complements and substitutes property  combine with different patterns of degree association to shape network behavior and user payoffs. As a part of future work, we plan to incorporate the network concepts of centrality and clustering in our model in addition to degree distributions. We also plan to investigate security investments under an asymmetric environment, i.e., a game environment in which user payoffs depend not only on the strategy of other users but also on the identity of the users.
References
 [1] R. Bohme and G. Schwartz. Modeling cyberinsurance: Towards a unifying framework. In WEIS, 2010.
 [2] D.Fudenberg and J.Tirole. Game Theory. MIT Press, 1991.
 [3] J. D. Esary, F. Proschan, and W. Walkup. Association of random variables with applications. Annals of Mathematical Statistics, 38(5), 1967.
 [4] N. Fultz and J. Grossklags. Blue versus red: A model of distributed security attacks. In International Conference on Financial Cryptography and Data Security, 2009.
 [5] J. Grossklags, N. Christin, and J. Chuang. Secure or insure ? a gametheoretic analysis of information security games. In WWW, 2008.
 [6] J. Grossklags, N. Christin, and J. Chuang. Security and insurance management in networks with heterogenous agents. In ACM EC, 2008.
 [7] L. Jiang, V. Ananthram, and J. Walrand. How bad are selfish inverstments in network security. To Appear in IEEE/ACM Transactions on Networking, 2010.
 [8] D. Kreps. Game Theory and Economic Modelling. Oxford University Press, 1990.
 [9] M. Lelarge and J. Bolot. Economic incentives to increase security in the internet: The case for insurance. In IEEE INFOCOM, 2009.
 [10] M.J.Osborne and A. Rubinstein. A Course in Game Theory. MIT Press, 1994.
 [11] M. E. J. Newman. Assortative mixing in networks. Phys.Rev.Lett., 89, 2002.
 [12] N.Shetty, G.Schwarz, M.Feleghyazi, and J.Walrand. Competitive cyberinsurance and internet security. In WEIS, 2009.
 [13] J. Omic, A. Orda, and P. V. Mieghem. Protecting against network infections: A game theoretic perspective. In IEEE INFOCOM, 2009.
 [14] R. Pal and L. Golubchik. Analyzing selfdefense investments in the internet under cyberinsurance coverage. In IEEE ICDCS, 2010.
 [15] H. Varian. System reliability and free riding. In ACM ICEC, 2003.
 [16] H. R. Varian. Microeconomic Analysis. Norton, 1992.