BASCPS: How does behavioral decision making impact the security of cyber-physical systems?
Mustafa Abdallah, Daniel Woods, Parinaz Naghizadeh, Issa Khalil, Timothy Cason, Shreyas Sundaram, and Saurabh Bagchi

TL;DR
This paper investigates how human-like behavioral biases in decision making affect the security of interconnected cyber-physical systems, revealing that such biases lead to suboptimal resource allocation and increased security risks.
Contribution
It introduces behavioral security games modeling human decision biases, supported by empirical experiments, and analyzes their impact on security outcomes in real-world CPS scenarios.
Findings
Behavioral decision making causes suboptimal security resource allocation.
Interdependency among subsystems amplifies the negative effects of behavioral biases.
Selfish and biased decisions significantly increase security risks.
Abstract
We study the security of large-scale cyber-physical systems (CPS) consisting of multiple interdependent subsystems, each managed by a different defender. Defenders invest their security budgets with the goal of thwarting the spread of cyber attacks to their critical assets. We model the security investment decisions made by the defenders as a security game. While prior work has used security games to analyze such scenarios, we propose behavioral security games, in which defenders exhibit characteristics of human decision making that have been identified in behavioral economics as representing typical human cognitive biases. This is important as many of the critical security decisions in our target class of systems are made by humans. We provide empirical evidence for our behavioral model through a controlled subject experiment. We then show that behavioral decision making leads to a…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Infrastructure Resilience and Vulnerability Analysis
