Coordination in Network Security Games: a Monotone Comparative Statics Approach

TL;DR

This paper analyzes how agents in network security games decide on security investments, identifying conditions for incentive alignment and highlighting the inefficiencies caused by strategic behavior and network externalities.

Contribution

It introduces a monotone comparative statics approach to model security investments and incentive alignment in network security games, revealing inefficiencies and coordination challenges.

Findings

Optimal security investment increases with vulnerability and potential loss.

Only a small fraction of expected loss should be invested in security.

Security investments are socially inefficient due to network externalities.

Abstract

Malicious softwares or malwares for short have become a major security threat. While originating in criminal behavior, their impact are also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. In this paper, we focus on the question of incentive alignment for agents of a large network towards a better security. We start with an economic model for a single agent, that determines the optimal amount to invest in protection. The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection to ensure that the optimal amount spent on security is an increasing function of the agent's vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested. Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards a better security. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities. Moreover alignment of incentives typically implies a coordination problem, leading to an equilibrium with a very high price of anarchy.