Morshed: Guiding Behavioral Decision-Makers towards Better Security Investment in Interdependent Systems

TL;DR

This paper models human behavioral biases in securing interdependent systems, demonstrating their suboptimal resource allocation and proposing learning techniques to improve decision-making, supported by empirical evidence and real-world system analysis.

Contribution

It introduces a behavioral bias model for security decision-making in interdependent systems and proposes learning techniques to mitigate suboptimal outcomes.

Findings

Behavioral biases lead to suboptimal security resource allocation.

Learning techniques improve decision-making in multi-round security scenarios.

Quantified benefits over traditional rational decision models.

Abstract

We model the behavioral biases of human decision-making in securing interdependent systems and show that such behavioral decision-making leads to a suboptimal pattern of resource allocation compared to non-behavioral (rational) decision-making. We provide empirical evidence for the existence of such behavioral bias model through a controlled subject study with 145 participants. We then propose three learning techniques for enhancing decision-making in multi-round setups. We illustrate the benefits of our decision-making model through multiple interdependent real-world systems and quantify the level of gain compared to the case in which the defenders are behavioral. We also show the benefit of our learning techniques against different attack models. We identify the effects of different system parameters on the degree of suboptimality of security outcomes due to behavioral decision-making.