Risk Models and Controlled Mitigation of IT Security

R. Ann Miura-Ko

Stanford UniversityFebruary 27, 2009

MaliciousAttackers

Denial of Service

Denial of Service

Viruses and Worms

Viruses and Worms

Data sniffing / spoofing

Data sniffing / spoofing

Unauthorized Access

Unauthorized Access

Malware / Trojans

Malware / Trojans

Port scanningPort scanning

Defenders

Attackers and DefendersPolicies

Firewalls

Intrusion Detection

Anti-Virus Software

Authentication / Authorization

Encryption

Backup / Redundancy

Thesis Overview• Mathematical modeling of IT Risk encompasses a large and

relatively uncharted territory

• Modeled selected anchor points within the space focused on different levels of decision making:

Inter-Organization and Industry level Investments

Enterprise level resource allocation

Physical layer control

How do organizations invest their limited resources given

the relationships they have with one another?

Given an IT budget, how should a manager spend those

resources over time?

How do you design the physical infrastructure to meet reliability

and security requirements?

Motivating Example: Web Authentication•Same / similar

username and password for multiple sites

•Security not equally important to all sites

Shared risk for all

Literature Background

• Interdependent Security▫ IT Security Leads to Externalities: Camp

(2004)

▫Tipping Point for Investments: Kunreuther and Heal (2003)

▫Free Riding: Varian (2004)

•Network Game Theory▫Network Games: Galeotti et al. (2006)

▫Linear Influence Network Games: Balleste and Calvo-Armengol (2007)

Model Fundamentals

•Companies make investments in security

•Companies have complex interdependencies▫Complementarities and competition▫Leads to positive and negative interactions

Who invests and how much? Can we improve this equilibrium?

What does the model say about policy?

Network Model• Network = Directed Graph

▫ Nodes = Decision making agents

▫ Links = influence / interaction▫ Weights = degree of influence

-.1

-.1 -.1

-.1

-.1

-.1 -.1

-.1

-.1

-.1

.2

.2

.2

.2

.2

.1

.1

.1

.1

.1

-.1

-.1 -.1

-.1

-.1

-.1 -.1

-.1

-.1

-.1

.1 .2

.2 .1

.1 .2

.2 .1

.2

.1

Incentive Model•Each agent, i, selects

investment, xi

•Security of i determined by total effective investment:

•Benefit received by agent i:

•Cost of investment:•Net benefit:

How will agents react?• Single stage game of complete information• All agents maximize their utility function:

• bi is where the marginal cost = marginal benefit for agent i

Vi

xi

slope = ci

bi

• If neighbor’s contribution > bi, xi=0

• If neighbor’s contribution < bi, xi = difference

What is an equilibrium?

•Nash Equilibrium▫Stable point (vector of investments) at

which no agent has incentive to change their current strategy

▫This happens when:

▫Leverage Linear Complementarity literature

Existence and Uniqueness •Proposition 1: If W is strictly diagonally

dominant, , then there exists a unique Nash Equilibrium for the proposed game

•Proof: Follows from standard LCP results which states that any P matrix (one with positive principal minors) will have a unique solution to the optimization problem. We simply show that a W matrix is a P matrix.

Convergence• Proposition 2: If W is strictly diagonally

dominant, , then asynchronous best response dynamics converges to the unique Nash Equilibrium from any starting point x(0)>0. The best response dynamics are described by:

• Proof: Follows from standard LCP results which provides a synchronous algorithm. Using the Asynchronous Convergence Theorem (Bertsekas), we can establish that the ABRD also converges

Contribution of player i if all players are isolated

Contribution of player i in networked environment

Investment made by i with no neighbors

Impact of neighbors’ investments

Free Riding•One measure of contribution relative to what

they need, free riding index:

•Another measure of relative contribution allows for network effects to be taken into account, fair share index:

Web Authentication Example•Utility function:

-.1

-.1 -.1

-.1

-.1

-.1 -.1

-.1

-.1

-.1

.1 .2

.2 .1

.1 .2

.2 .1

.2

.1

-.1

-.1 -.1

-.1

-.1

-.1 -.1

-.1

-.1

-.1

.2

.2

.2

.2

.2

.1

.1

.1

.1

.1

Improving the Equilibrium

•Theorem 1: Suppose xi > 0 and xj> 0 for some i≠j. Then, there exists continuous trajectories, W(t) = (wkl(t)) and x∗(t) = (xk(t)) with t∈ [0, T ] such that: 1. x∗(0) = x∗ , W(0) = W 2. x∗(t) is the (unique) equilibrium under W(t) ∀

t 3. xi(t) and xj(t) are strictly decreasing in t

4. xk(t) is constant for all k∉{i, j} and all t

5. W(t) is component-wise differentiable and increasing in t (weakly, in magnitude)

Improving the Equilibrium

•Proof sketch of Theorem 1:▫Observe: if the effective

investments over the purple links are not changed, the investments in Group B will not change

5

6

3

2

4

1

Group A

Group B

▫Pick 2 nodes: i,j

▫For k∉{i.j}

Improvements to Equilibrium

•A linear increase in the strength of the links results in a nonlinear decrease in investments between nodes 1 and 2

Qualitative Implications

•For web authentication:▫Should high risk organizations subsidize the

IT budgets of low risk organizations (e.g. Citibank works with non-profits to aid their authentication efforts)?

▫Should government label websites by risk factor so users know which sites they can safely group together with a single password?