arXiv:1308.0979v2 [cs.GT] 26 Aug 2014

Closing the Price of Anarchy Gap in the Interdependent Security Game

Parinaz Naghizadeh and Mingyan Liu
Department of Electrical Engineering and Computer Science
University of Michigan, Ann Arbor, Michigan, 48109-2122
Email: {naghizad, mingyan}@umich.edu

Abstract—The reliability and security of a user in an interconnected system depends on all users' collective effort in security. Consequently, investments in security technologies by strategic users are typically modeled as a public good problem, known as the Interdependent Security (IDS) game. The equilibria for such games are often inefficient, as selfish users free-ride on the positive externalities of others' contributions. In this paper, we present a mechanism that implements the socially optimal equilibrium in an IDS game through a message exchange process, in which users submit proposals about the investment and tax/price profiles of one another. This mechanism is different from existing solutions in that (1) it results in socially optimal levels of investment, closing the Price of Anarchy gap in the IDS game, and (2) it is applicable to a general model of user interdependencies. We further consider the issue of individual rationality, often a trivial condition to satisfy in many resource allocation problems, and argue that with positive externality, the incentive to stay out and free-ride on others' investment can make individual rationality much harder to satisfy in designing a mechanism.

I. INTRODUCTION

As a result of the rapid growth of the Internet, networks of all kinds, and file sharing systems, the security of a user, or entity¹, in the context of a bigger system is no longer solely determined by the user's own investment in security, but becomes increasingly dependent on the effort exerted by the collection of connected users, or entities, of that network. Accordingly, the security and reliability of the interconnected system is viewed as a public good, for which the investments in security exhibit positive externality: the investment of one user in security technologies will also improve the security of the other users interacting with it. Consequently, strategic users can choose to free-ride on others' effort, resulting in overall under-investment in security.

¹ These terms are used interchangeably in this paper to denote a single unit in a connected system.

This problem of (under-)investment in security by an interconnected group of selfish users, both in the context of computer security as well as in general, has been extensively studied in the framework of game theory, and is often referred to as the Interdependent Security (IDS) game; see e.g. [1], [2], [3], [4], [5], [6], [7], [8]. IDS games were first studied by Kunreuther and Heal [1], in the context of airlines' incentive to invest in baggage checking systems, and by Varian [2], in the context of computer system reliability. In the majority of these papers, under-investment in security is verified by finding the levels of effort exerted in a Nash equilibrium of the IDS game, and comparing them with the socially optimal levels of investment.

The increasing number of unprotected devices connected to the Internet, the constant emergence of new security threats, and the insufficiency of improved security technologies for compensating the under-investment problem [7], motivate the study of methods for increasing users' investments, and thus improving the reliability of the interconnected system, i.e., the network security. Several mechanisms have been proposed in the literature. These mechanisms fall into two main categories based on whether they dictate or incentivize user cooperation.

Mechanisms that dictate user investment levels in security, such as regulations, audits, and third party inspections [8], are only effective if an authority, e.g. the government or an Internet service provider (ISP), has enough power to accurately monitor users and establish a credible threat of punishment.

Among the mechanisms that incentivize user investment in security, cyberinsurance is one of the most commonly studied approaches [1], [8], [9]. Using insurance, users transfer part of the security risks to an insurer in return for paying a premium fee. Cyberinsurance is affected by the classic problems of adverse selection (higher risk users seek more protection) and moral hazard (users lower their investment in self-protection after being insured). Therefore, the insurance company needs to somehow mitigate the information asymmetry and calculate the premium fees with these considerations in mind. An example of such solutions is when an insurer chooses to monitor devices and/or inspect users' investments to prevent the moral hazard problem, accordingly specifying the terms of the contract to ensure the appropriate level of investment in self-protection [1].

A method similar to insurance is proposed in [3], where a certifying authority classifies users based on whether they have made certified security investments, and ensures that users get adequate compensation in case of a security incident. Another theoretically attractive incentive mechanism that may result in optimal levels of investment is the rule of liability [1], [2], where users are required to compensate others for the damages caused by their under-investment in security. However, these mechanisms are costly in that it is difficult to accurately determine the cause of a damage.
a them comparing in and exerted game, effort of fin levels by verified the is security in under-investment papers, these ehdsmlrt nuac spooe n[] where [3], in proposed is insurance to similar method A mn h ehnssta netvz srinvestment user incentivize that mechanisms the Among h nraignme fupoetddvcscnetdto connected devices unprotected of number increasing The 1,[] hr sr r eurdt opnaeothers compensate to required are users where [2], [1], } @umich.edu cyberinsurance incentivize soeo h otcommonly most the of one is or dictate srcooperation. user aethe rage liability hanism ansfer din ed fore, the s ding ers’ ies, the els tes ty y. y, s, [2] proposes assigning a level of due care, in which following security interdependencies and their valuations of security. We a security incident, a user is penalized only if its level of make the following assumptions about the functions fi(·): investment is lower than a pre-specified threshold. Finally, Assumption 1: fi(·) > 0 is differentiable and decreasing in users can be incentivized to invest in security if they are xj , for all i and all j. assigned bonuses/penalties based on their security outcome The assumption of ∂fi/∂xj < 0 models the positive external- (e.g. users get a reward if their security has not been breached), ities of security investments. or get subsidized/fined based on their effort (e.g. users are Assumption 2: fi(·) is strictly convex. given discounts if they buy security products) [5]. The assumption of convexity means that initial investment in In this paper, we take a approach to security offers considerable protection to the users [8], [10]. the security investment problem. Specifically, we present a However, even with high effort, it is difficult to reduce the cost game form, consisting of a message exchange process and to zero, as there is no that could prevent all malicious an outcome function, through which users converge to an activity [7], [10]. 
equilibrium where they make the socially optimal levels of investment in security. Our method is different from the The utility function of a user i is defined as: previous solutions in several ways, highlighted as follows. ui(x)= −fi(x) − cixi − ti . (1) 1) The proposed mechanism is applicable to the general model of interdependence proposed in [7]. This model In (1), gi(x) := fi(x)+cixi is referred to as the cost function allows continuous levels of effort (as opposed to a binary of user i [7], and represents all the costs associated with decision of whether or not to invest in security [1], [3], security investments and breaches. The term ti is the monetary [6]). transfer that can be imposed on/awarded to users throughout 2) It does not assume perfect protection once investment is the mechanism, which may itself depend on the vector of made (unlike epidemic models [1], [8]). Another similar investments x (as detailed shortly). This term is commonly assumption is to decompose the risks of a user into known as numeraire commodity in the literature of mechanism direct and indirect (i.e. spreading from another infected design [11], as opposed to the commodity of interest, which user) risks, and assume perfect protection against direct are the security investments in our context. To illustrate the risks only [8]. Nevertheless, none of these models can be purpose of including this term in a user’s utility function, descriptive of an IDS game, as no security technology note that externalities are defined as the side-effects of users’ can provide perfect protection against all threads. actions on one another, the costs or benefits of which are 3) It models the heterogeneity in users’ preferences and not accounted for when users pick their actions. 
A numeraire their importance to the system by allowing for a more commodity is often used in problems involving externalities general utility function (in contrast to [1], [2], [4], [5], to bring such side-effects into strategic individuals’ decision [9], [6]). making process, a tactic referred to as “internalizing the 4) This mechanism not only improves the levels of invest- externalities”. ment (as also done in [7]), but in fact results in socially We make the following assumptions about the users: optimal investments in security. Assumption 3: All users i are strategic, and choose their The rest of this paper is organized as follows. In Section investment xi in order to maximize their own utility function II, we present a model for the IDS game. We introduce the (1). concept of price of anarchy in Section III, and highlight the Assumption 4: The cost ci and the functional form of fi(·) inefficiency of Nash equilibria in an unregulated IDS game are user i’s private information. through a simple example. We discuss the decentralized mech- anism and its optimality in Section IV. Section V illustrates The Interdependent Security (IDS) game induced among that such optimal mechanism may fail to be individually these N strategic players is defined as the strategic game rational, typically a trivial requirement in many other settings. ({1,...,N}, {xi ≥ 0}, {ui(·)}). The socially optimal vector x∗ Section VI concludes the paper with directions for future of security investments in this N user system is the vector work. maximizing the social welfare, as determined by the solution to the following centralized problem: II. MODEL AND PRELIMINARIES N max ui(x) Consider a collection of N users; this collection will also (x,t) Xi=1 be referred to as the system. Each user i can choose a level N xi ≥ 0 of effort/investment in security, incurring a cost ci > s.t. t =0 , x  0 . x i 0 per unit of investment. Let = {x1, x2,...,xN } denote Xi=1 the vector of investments. 
A user i’s security risk function N is denoted by fi(x). The security risk function models the x ≡ minx gi( ) expected losses of an individual in case of a security breach. Xi=1 These functions vary among users depending on both their s.t. x  0 . (2) In other words, socially optimal solutions minimize the social Consider N interconnected users, and a total effort model x N x cost G( ) := i=1 gi( ). By Assumption 2, there is a unique for users’ risk function, such that x∗ socially optimalP investment profile for Problem (2). Also, N due to Assumptions 3 and 4, there is no individual/user in the fi(x)= f( xj ), ∀i. x∗ system with enough information to determine . Xj=1 Accordingly, our goal is to find a mechanism, run by a Furthermore, without loss of generality, assume c < c < manager/regulator, such that the induced interdependent secu- 1 2 ··· < c . At the Nash equilibrium of this game, each user rity game has as its equilibrium the solution to the centralized N will choose a level of investment x ≥ 0 to minimize its own problem (2) (also referred to as “implementing” the solution i cost. Therefore, at the ¯x we must have: to (2)). To determine the effort that users exert in an IDS game, ∂f(¯xi, ¯x−i) x¯i =0 if + ci > 0 , with or without regulation (i.e., ti =0, ∀i), we will consider ∂xi the vector of investments x in a Nash equilibrium (NE) ∂f(¯xi, ¯x−i) x¯i > 0 if + ci =0 . of the game ({1,...,N}, {xi ≥ 0}, {ui(·)}). Theoretically, ∂xi Nash equilibria describe users’ actions in a game of complete We conclude that only the user with the lowest cost will be information. However, due to Assumption 4, the model studied exerting a non-zero effort at the Nash equilibrium ¯x. Thus: herein is one of incomplete information. The Nash equilibrium in this game can be interpreted as the convergence point of an ∂f(¯x1, 0)/∂x1 = −c1, and x¯j =0, ∀j > 1 . 
iterative process, in which each user adjusts its action at each At the socially optimal equilibrium x∗ on the other hand, round based on its observations of other users’ actions, until the levels of investment are determined by: unilateral deviations are no longer profitable [12], [7].2 ∗ x∗ A pure strategy Nash equilibrium of the IDS game is a ∗ ∂f(xi , −i) xi =0 if N + ci > 0 , vector of investments ¯x, for which, ∂xi ∗ x∗ ¯x ¯x ∗ ∂f(xi , −i) ui(¯xi, −i) ≥ ui(xi, −i), ∀xi ≥ 0, ∀i . (3) xi > 0 if N + ci =0 . ∂xi We first ensure that the game studied indeed has a Nash Again the user with the lowest cost will be exerting all equilibrium in the following result. The proof can be found in the effort at the equilibrium x∗, however at a higher level, the Appendix. determined by: Proposition 1: There always exists a pure strategy Nash ∗ 0 ∗ equilibrium in an unregulated (i.e. ti = 0, ∀i) IDS game ∂f(x1, )/∂x1 = −c1/N, and xj =0, ∀j > 1 . modeled in this section. The price of anarchy will therefore be given by: III. PRICE OF ANARCHY IN AN UNREGULATED IDS GAME N f(¯x1, 0)+ c1x¯1 Existence notwithstanding, the Nash equilibria of an unreg- ρ = ∗ 0 ∗ . N f(x1, )+ c1x1 ulated IDS game are often inefficient. A common metric for quantifying the inefficiency of such equilibria is the Price of By the strict convexity of f(·), we have: Anarchy (PoA), defined as the largest possible ratio between ∗ 0 0 ∗ 0 ∂f(x1, ) ∗ ¯x f(¯x1, ) − f(x1, ) > (¯x1 − x1) . the worst possible at a Nash equilibrium and at ∂x1 the social optimum x∗. Formally, PoA is defined as: ρ Hence, ρ > 1. Figure 1 illustrates the levels of investment ρ = max ρ(¯x) , in both the socially optimal and the Nash equilibrium of ¯x this game. Based on fig. 1, it is easy to observe the under- N G(¯x) gi(¯x) ρ(¯x) := = i=1 . (4) investment in security in the Nash equilibrium of an unregu- G(x∗) PN x∗ lated game. 
i=1 gi( ) In [7], the authors characterize theP price of anarchy in an In the next section, we present a mechanism under which unregulated IDS game, i.e., the game in which no external all Nash equilibria of the induced IDS game coincide with the socially optimal solution, i.e., we will have , closing the mechanism is implemented. The NE of this game is defined ρ =1 price of anarchy gap. in the same way as in (3), with ui(·) replaced by −gi(·). This means that without regulation, users selfishly pick effort levels IV. A POSITIVE EXTERNALITY SECURITY INVESTMENT that minimize their own cost. As a result, ρ > 1 for several MECHANISM (PESIM) plausible risk function models ([7, Lemma 1, Propositions 2, In this section, we present a mechanism that implements 3], reflecting under-investment in security. Below we present the socially optimal solution to (2) in an informationally such an example, different from the aforementioned results decentralized setting. This mechanism is adapted from [12], presented in [7], and chosen for its simplicity. [13]. 2Alternatively, one may relax Assumption 4 and study a game of complete A decentralized mechanism is specified by a game form information, as is done in the majority of the current literature on IDS games. (M,h). Nash equilibrium vs. socially optimal investments make sure that all investment profile proposals xi are the same at equilibrium, and are equal to the socially optimal security investments. The tax term for user i itself consists of three different c ∂f π π T ˆx m 1 − terms. The first term ( i+1 − i+2) ( ) is independent of ∂x1 user i’s proposal for prices, and depends only on the invest- ment profile4. The second term determines the penalties for the discrepancy between user i’s proposal xi and user (i + 1)’s

c1 proposal. This term will ensure eventual agreement between N x¯ x∗ investment proposals put forward by different users. The third 1 1 term does not depend on user i’s message, and is used only as a balancing term. In fact, at equilibrium, both the second and Fig. 1. Under-investment in security in an unregulated IDS game. third terms will be equal to zero. Nevertheless, their inclusion is necessary to ensure convergence to the optimal security N investment profile, and also for budget balance (i.e., the sum • The message space M := Π M specifies the set of i=1 i of all taxes equal zero) on and off the equilibrium. Note that permissible messages M for each user i. i having budget balance off equilibrium is an important property • The outcome function h : M → A determines the of the proposed mechanism, in order to prevent complications outcome of the game based on the users’ messages. Here, in an iterative message exchange process that leads to the A is the space of all security investment profiles and tax desired Nash equilibrium. profiles, i.e., (x, t). We would also like to highlight the close relation between The game form, together with the utility functions, define a the tax term proposed in (7) and the positive externalities game, represented by (M,h(·), {ui(·)}). This will also be of users’ actions. As illustrated later, at an equilibrium of referred to as the regulated IDS game. the PESIM mechanism, the second and third terms in (7) We say the message profile m∗ is a Nash equilibrium of ˆt ˆt l∗T ˆx disappear, so that the tax i for user i reduces to i = i , this game, if l∗ π∗ π∗ where i := i+1 − i+2 is known as the Lindhal price for ∗ ∗ ∗ user i. Furthermore, when users’ monetary taxes are assessed ui(h(m , m −i)) ≥ ui(h(mi, m −i)), ∀mi, ∀i . (5) i according to Lindhal prices, the socially optimal investments The components of the proposed decentralized PESIM x∗ will be individually optimal as well, i.e.,5 mechanism are specified as follows. 
x∗ x l∗T x = arg min gi( )+ i . (8) The Message Space: Each user i reports a message mi := x0 (π , x ) to the regulator, with π ∈ RN and x ∈ RN . i i i + i As a result, it is easy to show that for all i, and all j for which The component xi is user i’s proposal regarding the public xˆj 6=0, good, i.e., the security investment profile, while πi is user i’s 3 x suggestion regarding the private good, i.e., the price profile . ∂gi(ˆ) l∗ l∗ ∗ < 0 ⇒ i j > 0 ⇒ i j xˆj > 0 . (9) The Outcome Function: The outcome function h takes ∂xj the message profile m as input and determines the security The interpretation of this observation is that by implementing investment profile ˆx and the tax profile ˆt as follows: the PESIM mechanism, user i will be paying a monetary tax N 1 to user j, which is proportional to the positive externality of ˆx(m) = xi , (6) ’s investment on user ’s costs (9). N j i Xi=1 It should be pointed out that for the time being, we have ˆ T ti(m) = (πi+1 − πi+2) ˆx(m) assumed users’ participation in the mechanism is ensured, T + (xi − xi+1) diag(πi)(xi − xi+1) either through policy mandate (e.g., the government may T require users to participate in the mechanism as a prerequi- − (xi − xi ) diag(πi )(xi − xi ), ∀i. (7) +1 +2 +1 +1 +2 site for conducting business with it), or secondary financial In (7), for simplicity N +1 and N +2 are treated as 1 and 2, incentive (e.g., product discount for joining the collection of respectively. That is, N +1 denotes the modulo (N mod 1), users interested in the mechanism), such that the incentive and so on. for participation is separate from the mechanism itself. 
In This outcome function is interpreted as follows: first, (6) Section V, we present a counter-example to illustrate why the states that the contribution xˆi of each user i to the public individual rationality constraint, i.e., the condition that a user good vector of investments ˆx is determined by the average is better off by participating than staying out, may fail to hold, of all users’ proposals. The taxation term (7) is then used to and discuss some implications of this observation.
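The following Python script is an added illustration (not code from the paper) of the Section III example and of the PESIM game form: it instantiates the total effort model $f_i(x) = \exp(-\sum_j x_j)$ with constructed costs, computes the unregulated NE, the social optimum and $\rho$, implements the outcome function (6)-(7), and checks budget balance off equilibrium and the collapse of (7) to the Lindahl form (12) when all proposals agree. The Lindahl prices $l_i^*$ for this instance are derived here from the KKT conditions (20)-(21) with $\lambda_{jj} = c_j - c_1$ (an assumption of this example, valid only for the total effort instance); all function names are hypothetical.

```python
import math

# ---- Section III: total-effort model f_i(x) = exp(-sum_j x_j), unit costs c_i ----

def cost_of_user(costs, x, i):
    """g_i(x) = f_i(x) + c_i x_i for the total-effort risk model."""
    return math.exp(-sum(x)) + costs[i] * x[i]

def social_cost(costs, x):
    """G(x) = sum_i g_i(x), the objective of the centralized problem (2)."""
    return sum(cost_of_user(costs, x, i) for i in range(len(costs)))

def nash_equilibrium(costs):
    """Unregulated NE: only the cheapest user invests, at exp(-x_1) = c_1."""
    n, i = len(costs), min(range(len(costs)), key=costs.__getitem__)
    x = [0.0] * n
    x[i] = max(0.0, -math.log(costs[i]))
    return x

def social_optimum(costs):
    """Solution of (2): the cheapest user invests at exp(-x_1) = c_1 / N."""
    n, i = len(costs), min(range(len(costs)), key=costs.__getitem__)
    x = [0.0] * n
    x[i] = max(0.0, -math.log(costs[i] / n))
    return x

def price_of_anarchy(costs):
    """rho of (4) for this game; strictly above 1 by convexity of f."""
    return social_cost(costs, nash_equilibrium(costs)) / social_cost(costs, social_optimum(costs))

# ---- Section IV: PESIM game form, messages m_i = (pi_i, x_i) ----

def implemented_profile(proposals):
    """Eq. (6): the investment profile is the average of all users' proposals."""
    n = len(proposals)
    return [sum(p[j] for p in proposals) / n for j in range(n)]

def _penalty(a, b, w):
    """(a - b)^T diag(w) (a - b): the quadratic disagreement term of (7)."""
    return sum(wk * (ak - bk) ** 2 for ak, bk, wk in zip(a, b, w))

def taxes(prices, proposals):
    """Eq. (7) for every user; indices i+1 and i+2 wrap around modulo N."""
    n = len(proposals)
    xh = implemented_profile(proposals)
    t = []
    for i in range(n):
        j, k = (i + 1) % n, (i + 2) % n
        lindahl_term = sum((prices[j][r] - prices[k][r]) * xh[r] for r in range(n))
        t.append(lindahl_term
                 + _penalty(proposals[i], proposals[j], prices[i])
                 - _penalty(proposals[j], proposals[k], prices[j]))
    return t

def budget_imbalance(prices, proposals):
    """|sum of all taxes|: the three terms of (7) telescope, so this is 0 on and off equilibrium."""
    return abs(sum(taxes(prices, proposals)))

def lindahl_prices(costs):
    """Personalized prices l*_i satisfying (19) for the total-effort instance (derived
    for this example from (20)-(21) with lambda_jj = c_j - c_1, where c_1 = min cost):
    l*_ij = c_1/N for j != i and c_1/N - c_1 for j = i; every column sums to zero."""
    n, c1 = len(costs), min(costs)
    return [[c1 / n - (c1 if j == i else 0.0) for j in range(n)] for i in range(n)]

def price_proposals(lindahl, pi1):
    """Recursion (24): pi_i = pi_{i-1} - l_{i-2}, with l_0 read as l_N (footnote 6),
    so that pi_{i+1} - pi_{i+2} = l_i for all i as required by (23)."""
    n = len(lindahl)
    pis = [list(pi1)]
    for i in range(1, n):
        pis.append([p - lk for p, lk in zip(pis[i - 1], lindahl[(i - 2) % n])])
    return pis

def equilibrium_taxes(costs):
    """At the NE of Theorem 2 all proposals equal x*, so (7) collapses to (12):
    t_i = l*_i^T x*. The cheapest user is rewarded, the others pay c_1 x*_1 / N each."""
    n = len(costs)
    x_star = social_optimum(costs)
    pis = price_proposals(lindahl_prices(costs), [10.0] * n)  # pi_1 large enough for pi_i >= 0
    return taxes(pis, [x_star] * n)

def lindahl_objective_gap(costs, x):
    """(8)/(25): [g_i(x) + l*_i^T x] - [g_i(x*) + l*_i^T x*] for each i; never negative."""
    x_star, lindahl = social_optimum(costs), lindahl_prices(costs)
    def objective(i, v):
        return cost_of_user(costs, v, i) + sum(l * vi for l, vi in zip(lindahl[i], v))
    return [objective(i, x) - objective(i, x_star) for i in range(len(costs))]

if __name__ == "__main__":
    c = [0.2, 0.5, 0.8]  # constructed costs, c_1 < c_2 < c_3
    print("NE", nash_equilibrium(c), "SO", social_optimum(c), "PoA", price_of_anarchy(c))
    print("equilibrium taxes (12):", equilibrium_taxes(c))
```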

³ Note the use of the term price profile for the vectors $\pi_i$. As illustrated later, these terms are closely related to Lindahl prices, and will in turn be used to determine a tax profile $t$.

⁴ $\pi_{i+1} - \pi_{i+2}$ is interpreted as the Lindahl price for the public good [13].

⁵ See the proof of Theorem 1 presented later in this section for the derivation of this result.

We close this section by presenting the theorems that establish the optimality of the proposed game form. Note that to prove this optimality, we first need to show that a profile $(\hat{x}(m^*), \hat{t}(m^*))$, derived at the NE $m^*$ of the induced game, is an optimal solution to the centralized problem (2), and therefore socially optimal. Furthermore, as the procedure for convergence to NE is not specified, we need to verify that the optimality property holds for all Nash equilibria of the message exchange process. This guarantees that the outcome will converge to the socially optimal solution regardless of the realized NE. These two requirements are established in Theorem 1 below.

Theorem 1: Let $(\hat{x}(m^*), \hat{t}(m^*))$ be the investment and tax profiles obtained at the Nash equilibrium $m^*$ of the game $(M, h(\cdot), \{u_i(\cdot)\})$. Then, $(\hat{x}, \hat{t})$ is an optimal solution to the centralized problem (2). Furthermore, if $\bar{m}$ is any other Nash equilibrium of the proposed game, then $\hat{x}(\bar{m}) = \hat{x}(m^*)$.

Proof: Let $m^*$ be a Nash equilibrium of the message exchange process, resulting in an allocation $(\hat{x}, \hat{t})$. Assume user $i$ updates its message from $m_i^* = (\pi_i^*, x_i^*)$ to $m_i = (\pi_i, x_i^*)$, that is, it only updates the price vector proposal. Therefore, according to (6), $\hat{x}$ will remain fixed, while based on (7), the second term in $\hat{t}_i$ will change. Since $m^*$ is an NE, unilateral deviations are not profitable. Mathematically,

$$(x_i^* - x_{i+1}^*)^T \mathrm{diag}(\pi_i^*)(x_i^* - x_{i+1}^*) \le (x_i^* - x_{i+1}^*)^T \mathrm{diag}(\pi_i)(x_i^* - x_{i+1}^*), \quad \forall \pi_i \succeq 0 . \quad (10)$$

Hence, from (10) we conclude that for all $i$:

$$x_i^* = x_{i+1}^* \quad \text{or} \quad \pi_i^* = 0 . \quad (11)$$

Using (11) together with (7) we conclude that at equilibrium, the second and third terms of a user's tax vanish. Denoting $l_i^* := \pi_{i+1}^* - \pi_{i+2}^*$, we get:

$$\hat{t}_i(m^*) = l_i^{*T} \hat{x}(m^*) . \quad (12)$$

Now consider the utility function of the users at the Nash equilibrium $m^*$. Since unilateral deviations are not profitable, a user's utility (1) should be maximized at the NE, i.e., for any choice of $x_i$ and $\pi_i \succeq 0$:

$$g_i(\hat{x}(m^*)) + l_i^{*T} \hat{x}(m^*) \le g_i\Big(\frac{x_i + \sum_{j \ne i} x_j^*}{N}\Big) + l_i^{*T} \frac{x_i + \sum_{j \ne i} x_j^*}{N} + (x_i - x_{i+1}^*)^T \mathrm{diag}(\pi_i)(x_i - x_{i+1}^*) . \quad (13)$$

If we choose $\pi_i = 0$ and let $x_i = N \cdot x - \sum_{j \ne i} x_j^*$, where $x$ is any vector of security investments, we get:

$$g_i(\hat{x}(m^*)) + l_i^{*T} \hat{x}(m^*) \le g_i(x) + l_i^{*T} x, \quad \forall x . \quad (14)$$

To show that the Nash equilibrium $m^*$ results in a socially optimal allocation, we sum up (14) over all $i$, and use the fact that $\sum_i l_i^* = 0$ to get:

$$\sum_{i=1}^{N} g_i(\hat{x}(m^*)) \le \sum_{i=1}^{N} g_i(x), \quad \forall x . \quad (15)$$

Therefore, $\hat{x}(m^*)$ is the optimal investment profile minimizing the social cost in problem (2). Furthermore, any tax profile $t$ satisfying the budget balance condition can be chosen as the tax profile in the optimal solution. Since the tax terms (12) are balanced, we conclude that $(\hat{x}(m^*), \hat{t}(m^*))$ solves (2) and is therefore socially optimal. Finally, since our choice of the NE $m^*$ has been arbitrary, the same proof holds for any other NE, and thus all NE of the mechanism result in the optimal solution to problem (2). ∎

Finally, we establish the converse of this statement in Theorem 2, i.e., given an optimal investment profile, there exists an NE of the proposed game which implements this solution.

Theorem 2: Let $x^*$ be the optimal investment profile in the solution to the centralized problem (2). Then, there exists at least one Nash equilibrium $m^*$ of the game $(M, h(\cdot), \{u_i(\cdot)\})$ such that $\hat{x}(m^*) = x^*$.

The proof of this theorem is given in the appendix.

V. ON INDIVIDUAL RATIONALITY

Thus far, we have assumed user participation in the message exchange process is ensured using external incentive mechanisms. Alternatively, one could try to guarantee voluntary participation of strategic users by establishing that the so-called individual rationality condition is satisfied, i.e., users gain when participating in the mechanism as opposed to staying out.

Whether a mechanism is individually rational depends on the structure of the game form, as well as the actions available to users when opting out. A common assumption in the majority of public good and resource allocation problems, including the prior work on the decentralized mechanism presented in Section IV ([13], [14], [12]), is that users will get a zero share (of the public good or allotted resources) when staying out. Following this assumption, [13], [14], [12] establish the individual rationality of the presented mechanism. However, a similar line of reasoning is not applicable to the current problem.

The different nature of individual rationality in an IDS game can be intuitively explained as follows. By implementing a socially optimal equilibrium, (some) users will be required to increase their level of investment in security. In turn, the mechanism should either guarantee that these users enjoy a higher level of protection due to higher equilibrium investments from other participants, and/or are adequately compensated for their contribution by a monetary reward (negative taxation). On the other hand, by staying out, a user can still enjoy the positive externalities of other users' investments (although these may be lower when the mechanism has partial coverage), choose its optimal action accordingly, and possibly avoid taxation. Thus, establishing individual rationality in such an IDS game is not nearly as trivial as in previous studies.

Indeed, the following counter-example shows that the benefits of staying out can overthrow those of participation, making a user better off when acting as a "loner".
Specifically, a loner is a user who refuses to participate Let us focus on this latter case. It is interesting to note that in the mechanism, and later best-responds to the socially the overall level of security in the is lower optimal strategy of the remaining N − 1 users who did than the coordinated socially optimal equilibrium. participate. Arguably, these N − 1 users could also revise We compare user 1’s utility under the two scenarios. their strategy (investments) in response to this loner’s best- IN ∗ ∗ ∗ 1 ∗ response, leading to a sequential game. In this example we u (x ) = − exp(−x ) − c1x + (1 − )c1x . 1 1 1 N 1 will compare the loner’s utility in the socially optimal solution uOUT (ˆx) = − exp(−xˆ ) − c xˆ . when participating in the mechanism, versus the utility at the 1 1 1 1 outcome of the sequential game described above. Therefore, Consider a collection of users. Without loss of gen- N IN OUT ∗ u − u = −(exp (−x ) − exp(−xˆ1)) erality, assume c1 < c2 < ... < cN . Assume user 1 is 1 1 1 contemplating whether to participate or remain a free agent. ∗ 1 ∗ −c1(x1 − xˆ1)+(1 − )c1x1 We further assume all users have the same risk function N x N c1 c1 fi( ) = exp(− i=1 xi) (an instance of the total effort model = −( − c1) − c1(− ln + ln c1) [2]). N N P 1 c1 It is easy to show that at the socially optimal solution x∗ +(1 − )c (− ln ) N 1 N to the -player game, the user with the smallest cost would N c exert all the effort (see e.g. Section III, or [2]), such that: = 1 (N − 1)(1 − ln c ) − ln N .(16) N  1  ∗ ∗ exp(−x1)= c1/N, xj =0, ∀j > 1 . Based on (16), with any cost c1 ≥ exp(1), user 1’s utility will By (12) in the proof of Theorem 1, the tax for user 1 is given decrease when participating, indicating that in this case the by: decentralized mechanism fails to satisfy individual rationality. ∗ l∗T x∗ ∗ ∗ In light of the above observation, we conclude that although t1 = 1 = l11x1 . 
Re-writing (14) in the proof of Theorem 1 as

$$x^* = \arg\min_{x \succeq 0}\; g_1(x) + l_1^{*T} x ,$$

and applying the KKT conditions, we conclude that:

$$l_{11}^* + \frac{\partial g_1(x^*)}{\partial x_1} = l_{11}^* - \exp(-x_1^*) + c_1 = 0 \;\Rightarrow\; l_{11}^* = -\Big(1 - \frac{1}{N}\Big) c_1 \;\Rightarrow\; t_1^* = -\Big(1 - \frac{1}{N}\Big) c_1 x_1^* .$$

As expected, user 1 is getting a reward in this mechanism.

Now assume user 1 opts out of the decentralized mechanism. The remaining $N-1$ users choose their strategies assuming user 1 exerts an effort of $x_1$. Then, by the nature of the total effort game, the user with the smallest cost among these $N-1$ players will exert all the effort (if any) such that:

$$\exp(-x_1 - \hat{x}_2) = \frac{c_2}{N-1}, \qquad \hat{x}_j = 0,\ \forall j > 2 .$$

On the other hand, if user 1 is best responding to a choice of $x_2$, it chooses an effort according to:

$$\exp(-\hat{x}_1 - x_2) = c_1 .$$

Combining the last two equations, at an equilibrium $\hat{x}$ of the sequential game we have:

$$\hat{x}_1 = \arg\min_{x_1 \geq 0}\; \exp\Big(-x_1 - \max\Big\{-\ln\frac{c_2}{N-1} - x_1,\; 0\Big\}\Big) + c_1 x_1 .$$

From the above, we conclude that if $-\ln\frac{c_2}{N-1}$ is large enough, that is, if without user 1's participation user 2 will exert a sufficiently high effort, user 1 will choose to free-ride. Otherwise, it may again exert all the effort, in which case $\exp(-\hat{x}_1) = c_1$.

the proposed mechanism is incentive compatible and implements the socially optimal levels of investment in a Nash equilibrium, it fails to satisfy individual rationality in general. It remains an interesting question whether there are other mechanisms which would satisfy all requirements simultaneously, or alternatively whether this is a more fundamental challenge in designing mechanisms for resource allocation with positive externalities. The answer should shed light on questions such as whether security policies should be mandated (or alternatively incentivized), rather than being left to users' free will.

VI. CONCLUSION

In this paper, we have presented a decentralized mechanism, through which we can find and implement the socially optimal levels of investment in security in an interdependent security game. This mechanism is especially attractive as it is applicable to a wide range of user preferences, operates without the need for collecting information about these preferences, and does not need to centrally dictate the socially optimal outcome. We further consider the issue of individual rationality, often a trivial condition to satisfy in many resource allocation problems. We provide a counterexample under the proposed mechanism, and argue that with positive externality, the incentive to stay out and free-ride on others' investment can make individual rationality much harder to satisfy in designing a mechanism.

The study of IDS games in the current framework can be further continued in several directions. First, the procedure and conditions under which the message exchange process converges to a Nash equilibrium remain an open problem, and are an interesting direction of future study. Alternatively, one could switch focus to Bayesian Nash equilibrium as the solution concept for games of incomplete information, to better capture the uncertainty of users about their environment, including other users' valuations of security and the resources available to them. It is also interesting to study how the information obtained from alternative resources, e.g. IP blacklists, can help users attain a better understanding of their security risks and consequently make more effective investment decisions.

APPENDIX

In this appendix, we present the proofs of Proposition 1 and Theorem 2. The proof of Theorem 2 is technically similar to that presented in [12], [13], and the proof of Proposition 1 follows from [7, Proposition 1].

Proof of Proposition 1

We first show that the strategy space $x_i \in [0, \infty)$ of a user $i$ can be effectively reduced to a convex and compact set. Let $BR_i(x_{-i})$ represent user $i$'s best response to the strategies $x_{-i} \succeq 0$ of all the other users. Define $\hat{x}_i = \frac{f_i(0)+\epsilon}{c_i}$, for some $\epsilon > 0$. By Assumption 2, the functions $f_i(\cdot)$ are convex, and thus:

$$f_i(0, x_{-i}) - f_i(\hat{x}_i, x_{-i}) \geq -\hat{x}_i\, \frac{\partial f_i(\hat{x}_i, x_{-i})}{\partial x_i} = -\frac{f_i(0)+\epsilon}{c_i}\, \frac{\partial f_i(\hat{x}_i, x_{-i})}{\partial x_i} . \quad (17)$$

By Assumption 1, $f_i(\hat{x}_i, x_{-i}) \geq 0$ and $f_i(0, x_{-i}) \leq f_i(0)$. Therefore, (17) reduces to:

$$f_i(0) \geq -\frac{f_i(0)+\epsilon}{c_i}\, \frac{\partial f_i(\hat{x}_i, x_{-i})}{\partial x_i} . \quad (18)$$

Equation (18) in turn implies that $\frac{\partial f_i(\hat{x}_i, x_{-i})}{\partial x_i} + c_i > 0$. Therefore, since user $i$'s cost is increasing at $\hat{x}_i$, a best response to $x_{-i}$ should be such that $BR_i(x_{-i}) \in [0, \hat{x}_i]$. Let $x_{\max} := \max_i \hat{x}_i$. We conclude that for all $i$, the strategy sets can be effectively reduced to $x_i \in [0, x_{\max}]$.

Since the strategy sets are non-empty, compact, and convex, and as the utility functions (1) are continuous and concave in $x_i$, the unregulated IDS game will always have at least one Nash equilibrium ([11, Proposition 8.D.3]).

Proof of Theorem 2

Consider the optimal security investment profile $x^*$ in the solution to the centralized problem (2). Our goal is to show that there indeed exists a Nash equilibrium $m^*$ of the mechanism for which $\hat{x}(m^*) = x^*$.

We start by showing that given the investment profile $x^*$, it is possible to find a vector of personalized (Lindahl) prices $l_i^*$, for each $i$, such that

$$\arg\min_{x \succeq 0}\; g_i(x) + l_i^{*T} x = x^* . \quad (19)$$

First, we know that since $x^*$ is the solution to problem (2), it should satisfy the following KKT conditions, where $\lambda_i \in \mathbb{R}^N_+$, $\forall i$:

$$\sum_{i=1}^{N} \big(\nabla g_i(x^*) - \lambda_i^T\big) = 0 , \qquad \lambda_i^T x^* = 0 \ \ \forall i . \quad (20)$$

Choose $l_i^* = -\nabla g_i(x^*) + \lambda_i^T$. Then,

$$l_i^* + \nabla g_i(x^*) - \lambda_i^T = 0 . \quad (21)$$

Equations (20) and (21) together are the KKT conditions for the convex optimization problem:

$$\min_{x \succeq 0}\; g_i(x) + l_i^{*T} x . \quad (22)$$

The KKT conditions are necessary and sufficient for finding the optimal solution to the convex optimization problem (22), and thus we have found the personalized prices satisfying (19).

We now proceed to finding a Nash equilibrium $m^*$ implementing the socially optimal solution $x^*$. Consider the message profiles $m_i^* = (\pi_i^*, x_i^*)$, for which $x_i^* = x^*$, and the price vector proposals $\pi_i^*$ are found from the recursive equations:

$$\pi_{i+1}^* - \pi_{i+2}^* = l_i^* , \quad \forall i . \quad (23)$$

Here, $l_i^*$ are the personalized prices defined at the beginning of the proof. The set of equations (23) always has a non-negative set of solutions $\pi_i^* \succeq 0$, $\forall i$. This is because starting with a large enough $\pi_1^*$, the remaining $\pi_i^*$ can be determined using:

$$\pi_i^* = \pi_{i-1}^* - l_{i-2}^* , \quad \forall i \geq 2 . \quad (24)$$

(In (24), $l_0^*$ is interpreted as $l_N^*$.)

Now, first note that by (22), for all choices of $x \succeq 0$ and all users $i$, we have:

$$g_i(x^*) + l_i^{*T} x^* \leq g_i(x) + l_i^{*T} x . \quad (25)$$

In particular, if we pick $x = \frac{x_i + \sum_{j \neq i} x_j^*}{N}$,

$$g_i(x^*) + l_i^{*T} x^* \leq g_i\Big(\frac{x_i + \sum_{j \neq i} x_j^*}{N}\Big) + l_i^{*T}\, \frac{x_i + \sum_{j \neq i} x_j^*}{N} . \quad (26)$$

Also, since by construction $x_i^* = x_{i+1}^*$, $\forall i$, the inequality is preserved for any choice of $\pi_i \succeq 0$ when the two additional tax terms are added in as follows:

$$g_i(x^*) + l_i^{*T} x^* + (x_i^* - x_{i+1}^*)^T \operatorname{diag}(\pi_i^*)\,(x_i^* - x_{i+1}^*) - (x_{i+1}^* - x_{i+2}^*)^T \operatorname{diag}(\pi_{i+1}^*)\,(x_{i+1}^* - x_{i+2}^*)$$
$$\leq g_i\Big(\frac{x_i + \sum_{j \neq i} x_j^*}{N}\Big) + l_i^{*T}\, \frac{x_i + \sum_{j \neq i} x_j^*}{N} + (x_i - x_{i+1}^*)^T \operatorname{diag}(\pi_i)\,(x_i - x_{i+1}^*) - (x_{i+1}^* - x_{i+2}^*)^T \operatorname{diag}(\pi_{i+1}^*)\,(x_{i+1}^* - x_{i+2}^*) . \quad (27)$$

Equation (27) can be more concisely written as:

$$u_i\big(h(m_i^*, m_{-i}^*)\big) \geq u_i\big(h(m_i, m_{-i}^*)\big) , \quad \forall m_i = (\pi_i, x_i),\ \forall i . \quad (28)$$

We conclude that the messages $m_i^* = (\pi_i^*, x^*)$ constitute an NE of the proposed mechanism. In other words, the message exchange process will indeed have an NE which implements the socially optimal solution of problem (2).
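The opt-out analysis of Section V above, as an added numerical illustration that is not part of the original paper: the following Python code computes user 1's best response in the sequential game from the piecewise form of the objective and compares the resulting cost with user 1's cost at the mechanism's outcome. It assumes, as the derivation does, losses of the form exp(-total effort) with user 1 having the smallest unit cost, and additionally that user 1's total cost under the mechanism is loss plus investment cost plus the tax $t_1^*$; all parameter values are constructed.

```python
import math


def opt_out_effort_of_user2(x1, c2, n):
    """Effort of the cheapest remaining user when user 1 opts out and invests x1:
    exp(-x1 - x2) = c2/(N-1) gives x2 = max{-ln(c2/(N-1)) - x1, 0}."""
    return max(-math.log(c2 / (n - 1)) - x1, 0.0)


def opt_out_cost(x1, c1, c2, n):
    """User 1's cost in the sequential game, i.e. the objective minimised in the text:
    exp(-x1 - x2(x1)) + c1 * x1."""
    return math.exp(-x1 - opt_out_effort_of_user2(x1, c2, n)) + c1 * x1


def opt_out_best_response(c1, c2, n):
    """Exact minimiser of opt_out_cost over x1 >= 0, with A = -ln(c2/(N-1)).
    On [0, A] the cost is c2/(N-1) + c1*x1, minimised at x1 = 0 (free-riding).
    On [A, inf) it is exp(-x1) + c1*x1, minimised at x1 = -ln c1 when -ln c1 >= A,
    which is the "exert all the effort" case with exp(-x1) = c1."""
    a = -math.log(c2 / (n - 1))
    candidates = [0.0, a]
    if -math.log(c1) >= a:
        candidates.append(-math.log(c1))
    return min(candidates, key=lambda x: opt_out_cost(x, c1, c2, n))


def mechanism_cost(c1, n):
    """User 1's cost at the mechanism's socially optimal outcome. From the KKT step in
    the text, exp(-x1*) = c1/N and t1* = -(1 - 1/N) c1 x1*; we assume (not stated on
    the page) that the total cost is loss + investment cost + tax."""
    x1_star = math.log(n / c1)
    t1_star = -(1.0 - 1.0 / n) * c1 * x1_star
    return math.exp(-x1_star) + c1 * x1_star + t1_star


def individually_rational(c1, c2, n):
    """True if participating costs user 1 no more than its best opt-out outcome."""
    x_hat = opt_out_best_response(c1, c2, n)
    return mechanism_cost(c1, n) <= opt_out_cost(x_hat, c1, c2, n)


if __name__ == "__main__":
    # Constructed parameters: user 2 is cheap relative to N-1, user 1 free-rides, IR fails.
    print(opt_out_best_response(0.1, 0.2, 10), individually_rational(0.1, 0.2, 10))
    # Constructed parameters: user 2 is expensive, user 1 exerts all effort, IR holds.
    print(opt_out_best_response(0.1, 1.5, 3), individually_rational(0.1, 1.5, 3))
```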
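An added check of the price construction (23)-(24) in the proof of Theorem 2, not code from the paper: it builds the proposals $\pi_i^*$ by the recursion (24) from constructed gradients and multipliers satisfying (20) and verifies every equation of (23), including the wrap-around one. Summing the $N$ equations in (23) shows the system is consistent only when $\sum_i l_i^* = 0$, which is exactly what (20) guarantees; the gradients, multipliers and $\pi_1^*$ below are constructed values.

```python
def personalized_prices(grads, lambdas):
    """l_i* = -grad g_i(x*) + lambda_i for each user i, as in the proof (eq. (21))."""
    return [[-g + lam for g, lam in zip(gi, li)] for gi, li in zip(grads, lambdas)]


def price_proposals(l, pi1):
    """Eq. (24): pi_i = pi_{i-1} - l_{i-2} for i >= 2, with l_0 read as l_N.
    With 0-based indices this is pi[k] = pi[k-1] - l[(k-2) % N]."""
    n = len(l)
    pi = [list(pi1)]
    for k in range(1, n):
        pi.append([a - b for a, b in zip(pi[k - 1], l[(k - 2) % n])])
    return pi


def satisfies_eq23(pi, l, tol=1e-9):
    """Eq. (23): pi_{i+1} - pi_{i+2} = l_i for every i, indices wrapping modulo N.
    The recursion (24) enforces all but one of these; the wrap-around equation
    pi_N - pi_1 = l_{N-1} holds exactly when the l_i sum to the zero vector."""
    n = len(l)
    return all(abs(pi[(k + 1) % n][d] - pi[(k + 2) % n][d] - l[k][d]) < tol
               for k in range(n) for d in range(len(l[0])))


def all_nonnegative(pi):
    """The proposals must lie in the message space, i.e. pi_i >= 0 componentwise."""
    return all(v >= 0.0 for row in pi for v in row)


# Constructed data (hypothetical, not from the paper): N = 3 users, x* = (1, 0, 2).
# The gradients sum to (0, 1.3, 0); the multipliers are non-negative, vanish where
# x* > 0 (complementary slackness), and absorb the second coordinate so that
# sum_i (grad g_i - lambda_i) = 0 as required by (20).
GRADS = [[-0.5, 0.3, -0.2], [0.2, 0.4, -0.1], [0.3, 0.6, 0.3]]
LAMBDAS = [[0.0, 0.3, 0.0], [0.0, 0.4, 0.0], [0.0, 0.6, 0.0]]
L_STAR = personalized_prices(GRADS, LAMBDAS)            # rows sum to the zero vector
PI_STAR = price_proposals(L_STAR, pi1=[1.0, 1.0, 1.0])  # pi_1 chosen large enough
```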

REFERENCES

[1] H. Kunreuther and G. Heal, "Interdependent security," Journal of Risk and Uncertainty, vol. 26, no. 2-3, pp. 231–249, 2003.
[2] H. Varian, "System reliability and free riding," in Economics of Information Security, pp. 1–15, 2004.
[3] M. Parameswaran, X. Zhao, A. B. Whinston, and F. Fang, "Reengineering the internet for better security," Computer, vol. 40, no. 1, pp. 40–44, 2007.
[4] J. Grossklags, N. Christin, and J. Chuang, "Secure or insure?: a game-theoretic analysis of information security games," in Proceedings of the 17th International Conference on World Wide Web. ACM, 2008, pp. 209–218.
[5] J. Grossklags, S. Radosavac, A. A. Cárdenas, and J. Chuang, "Nudge: Intermediaries' role in interdependent network security," in Trust and Trustworthy Computing. Springer, 2010, pp. 323–336.
[6] M. Lelarge, "Economics of malware: Epidemic risks model, network externalities and incentives," in 47th Annual Allerton Conference on Communication, Control, and Computing. IEEE, 2009, pp. 1353–1360.
[7] L. Jiang, V. Anantharam, and J. Walrand, "How bad are selfish investments in network security?" IEEE/ACM Transactions on Networking, vol. 19, no. 2, pp. 549–560, 2011.
[8] A. Laszka, M. Felegyhazi, and L. Buttyán, "A survey of interdependent security games," CRYSYS, vol. 2, 2012.
[9] R. Pal and L. Golubchik, "Analyzing self-defense investments in internet security under cyber-insurance coverage," in IEEE 30th International Conference on Distributed Computing Systems (ICDCS). IEEE, 2010, pp. 339–347.
[10] (2012, October) Strategies to mitigate targeted cyber intrusions. [Online]. Available: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
[11] A. Mas-Colell, M. D. Whinston, J. R. Green et al., Microeconomic Theory. Oxford University Press, New York, 1995, vol. 1.
[12] S. Sharma and D. Teneketzis, "A game-theoretic approach to decentralized optimal power allocation for cellular networks," Telecommunication Systems, vol. 47, no. 1-2, pp. 65–80, 2011.
[13] L. Hurwicz, "Outcome functions yielding Walrasian and Lindahl allocations at Nash equilibrium points," The Review of Economic Studies, vol. 46, no. 2, pp. 217–225, 1979.
[14] S. Sharma and D. Teneketzis, "A game-theoretic approach to decentralized optimal power allocation for cellular networks," in Proceedings of the 3rd International Conference on Performance Evaluation Methodologies and Tools.