How the Economics of Network Security Works

By Daron Acemoglu

Posted on June 27, 2013


Computer and communication networks depend on some degree of security for their operation. For example, a virus that infects a set of connected computers, or a malfunction in a router, domain or switch, may adversely influence the entire network and, in the worst case, will create a contagion of failures by spreading from one part to the rest of the network. The classical approach to this problem focuses exclusively on the engineering design challenges of ensuring the security of the network against viruses and intruders. However, almost all modern networks involve a human element: they are operated or used by individuals. Network security then depends on the choices of the individuals making use of the network. For example, the security of a network of computers will depend on the extent to which the individuals making up this network use virus scans and refrain from visiting websites that appear suspicious. There has recently been much greater recognition of the importance of this human element, and of the incentives that individual users face.

Anderson and Moore in their review of network security, for example, concluded:

“Security failure is caused at least as often by bad incentives as by bad design.”

A particularly important aspect of individual decisions in this context is their security investments: costly investments that reduce the likelihood of individual infection (other decisions, such as more cautious operating behavior to reduce the likelihood of infection, can also be considered a form of investment).

A burgeoning literature at the boundary of economics and computer science investigates how the incentives for security investments are determined and how they affect the resilience of networks. At the root of the economic problem is an externality in security investments. An agent that fails to protect itself adequately not only increases the probability of its own infection but also increases the likelihood that infection will spread to other agents. Therefore, an agent that increases its own investment will create a positive externality and improve the performance of others in the network.

Positive externalities generally lead to underinvestment. When an agent chooses its own security investments, it ignores the beneficial impact that this will create on others. Based on this intuition, the burgeoning literature on economic incentives in network security has so far presumed that there will be underinvestment in security. Such underinvestment would have important implications. First, it would imply a reason why decentralized networks would tend to underperform in terms of their security. Second, it would call for intervention by government or a centralized body to correct for the underinvestment problem and improve the performance of the network. It is therefore important to understand when such underinvestment will emerge and become an important burden on the operation of a network. For example, which structural properties of networks (density and clustering of connections, who is connected to whom, etc.) make underinvestment in network security a particularly pernicious problem?

The conclusions regarding underinvestment in network security are generally based on analyses of “symmetric networks,” however. In symmetric networks, either there is no network structure and all agents interact with all others or, loosely speaking, all agents occupy the same position in the network as all others. Such symmetric networks are neither realistic nor conducive to an understanding of the role of the structure of the network on equilibrium (and optimal) security investments. The lack of realism is obvious: there is considerable heterogeneity across agents in all of the aforementioned networks; domains and routers differ in terms of their size and importance, and computer users are typically connected to very different numbers of users and occupy different positions in the overall network. The importance of analyzing the impact of network structure is also equally salient, and has long been recognized as central for the study of network security.

Anderson and Moore’s review also notes:

“Network topology can strongly influence conflict dynamics... Different topologies have different robustness properties with respect to various attacks.”

Recent work I have been conducting with Azarakhsh Malekian, postdoctoral fellow in the Department of Electrical Engineering and Computer Science at MIT, and Asuman Ozdaglar, professor in the Department of Electrical Engineering and Computer Science at MIT, investigates these issues in general networks.

We first show that, the powerful intuitions on underinvestment notwithstanding, there can be overinvestment in security. The reason for this is that in addition to creating positive externalities as explained above, security investments are also strategic substitutes. When an individual invests less, this encourages others to invest more. As a result, decentralized equilibria may involve underinvestment by some agents and overinvestment by others. Furthermore, these overinvestments may be sufficiently substantial to reduce the overall likelihood of contagion in the network relative to what a social planner wishing to maximize the welfare of all network participants would have chosen.

Nevertheless, underinvestment remains more pervasive than overinvestment. We establish sufficient conditions on costs of investment and the structure of a network to ensure that the decentralized equilibrium does indeed feature underinvestment.
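The externality and the strategic-substitutes argument above can be checked numerically on a tiny network. The Python below is an added illustration, not code from the paper or its authors: its model (a virus lands on a uniformly random node, a node blocks it with probability equal to its security level, infection spreads along edges, quadratic investment cost) is a simplifying assumption chosen to mirror the text, and the three-node line network and the 0.05 grid of security levels are constructed for the example.

```python
# Toy model (assumed here for illustration, not the paper's own): a virus lands on a
# uniformly random node, node i blocks it with probability q_i (its security level), an
# infected node passes it to every neighbour; agent i pays q_i**2 and loses 1 if infected.
from itertools import product

N, EDGES = 3, [(0, 1), (1, 2)]      # constructed line network, node 1 in the middle
GRID = [k / 20 for k in range(21)]  # admissible security levels 0.0, 0.05, ..., 1.0
ADJ = {i: {v for e in EDGES if i in e for v in e if v != i} for i in range(N)}

def infection_probs(q):
    """Exact P(node i is infected), enumerating every susceptibility pattern."""
    probs = [0.0] * N
    for sus in product([False, True], repeat=N):
        p = 1.0                                      # probability of this pattern
        for i in range(N):
            p *= (1 - q[i]) if sus[i] else q[i]
        for start in (s for s in range(N) if sus[s]):  # landing node, not blocked
            reached, frontier = {start}, [start]
            while frontier:                          # spread across susceptible nodes
                for v in ADJ[frontier.pop()] - reached:
                    if sus[v]:
                        reached.add(v)
                        frontier.append(v)
            for i in reached:
                probs[i] += p / N                    # landing node is uniform
    return probs

def welfare(q):
    # sum of all agents' utilities: what a social planner maximises
    return -sum(infection_probs(q)) - sum(x * x for x in q)

def best_response(q, i):
    """Level maximising i's own payoff, taking the others' levels as given."""
    own = lambda x: -infection_probs(q[:i] + [x] + q[i + 1:])[i] - x * x
    return max(GRID, key=own)

def nash_equilibrium(max_rounds=50):
    """Sequential best-response dynamics starting from zero investment."""
    q = [0.0] * N
    for _ in range(max_rounds):
        old = list(q)
        for i in range(N):
            q[i] = best_response(q, i)
        if q == old:                                 # nobody wants to deviate
            break
    return q

def planner_optimum():
    # profile with the highest total welfare on the grid, by brute force
    return max((list(p) for p in product(GRID, repeat=N)), key=welfare)
```

Raising the middle node's level lowers an end node's infection probability (the positive externality) and lowers that end node's best response (strategic substitutes); comparing nash_equilibrium() with planner_optimum() shows the middle node investing less than the planner would choose, while total investment in equilibrium also falls short.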

We also show how the likelihood of cascading infections can be compared across networks as a function of the structural properties of those networks. We also identify a complementary reason for overinvestment in network security: when malicious attacks can target different parts of the network depending on their security investments, such investments turn into an “arms race”. The more an individual invests, the less likely he is to be attacked, and the more likely the attack is to go to some other part of the network. This leads to a negative externality complementing the positive externality discussed above: greater investment by an agent increases the likelihood of other agents being exposed to an attack. This negative externality can lead to more pervasive overinvestment.

We view this work as a first step in a systematic analysis of economic incentives and their implications for the secure functioning of large communication and computer networks. More work at the intersection of economics and computer science can shed light on important problems related to the healthy functioning of such networks.


  • Daron Acemoglu, Azarakhsh Malekian and Asuman Ozdaglar (2013) “Network Security and Contagion” MIT working paper.
  • Ross Anderson and Tyler Moore (2006) “The Economics of Network Security” Science, October 2006.

TNIT member Daron Acemoglu is the Elizabeth and James Killian Professor of Economics at MIT.

“How the Economics of Network Security Works” is re-published with permission from Professor Daron Acemoglu and the Toulouse Network for Information Technology (TNIT). It was originally published June 26, 2013 in the TNIT Newsletter.