Economics of Information Security

Are we investing too little or too much in security?
Is security of a system only as strong as its weakest link?
Is security a public good or a private good?
How can incentives be designed to improve security?


Information security is as much about economic incentives as it is about technological mechanisms.
The proliferation of email spam, botnets, and distributed denial-of-service attacks can all be traced to misaligned incentives among defenders, which attackers then deftly exploit.

Leveraging tools from game theory, behavioral economics, and risk management, our research has produced important insights into the incentive dynamics of interdependent information security, including:

People

Nicolas Christin
John Chuang
Jens Grossklags
Benjamin Johnson

We have also enjoyed fruitful collaborations with: Alvaro Cardenas, Neal Fultz, Chris Hoofnagle, and Svetlana Radosavac.


Publications

N. Christin, J. Grossklags, J. Chuang. Near Rationality and Competitive Equilibria in Networked Systems. Proceedings of ACM SIGCOMM Workshop on Practice and Theory of Incentives in Networked Systems (PINS), August 2004. [pdf]

J. Grossklags, N. Christin, J. Chuang. Secure or Insure? A Game-Theoretic Analysis of Information Security Games. Proceedings of the 17th International World Wide Web Conference (WWW'08), April 2008. [pdf]


J. Grossklags, N. Christin, J. Chuang. Predicted and Observed User Behavior in the Weakest-Link Security Game. Proceedings of the 2008 USENIX Workshop on Usability, Psychology, and Security (UPSEC'08), April 2008. [pdf]

J. Grossklags, N. Christin, J. Chuang. Security and Insurance Management in Networks with Heterogeneous Agents. Proceedings of ACM E-Commerce Conference (EC'08), July 2008. [pdf]

J. Grossklags, N. Christin, J. Chuang. Security Investment (Failures) in Five Economic Environments: A Comparison of Homogeneous and Heterogeneous User Agents. 7th Workshop on the Economics of Information Security (WEIS'08), June 2008.

N. Fultz, J. Grossklags. Blue versus Red: Towards a Model of Distributed Security Attacks. Proceedings of the Thirteenth International Conference on Financial Cryptography and Data Security (FC'09), February 2009. [pdf]

J. Grossklags, B. Johnson. Uncertainty in the Weakest-Link Security Game. Proceedings of the International Conference on Game Theory for Networks (GameNets'09), May 2009. [pdf]

J. Grossklags, B. Johnson, N. Christin. The Price of Uncertainty in Security Games. Eighth Workshop on the Economics of Information Security (WEIS'09), June 2009. [pdf]

A. Cardenas, S. Radosavac, J. Grossklags, J. Chuang, C. Hoofnagle. An Economic Map of Cybercrime. Presentation at the 37th Research Conference on Communication, Information and Internet Policy (TPRC'09), September 2009.

J. Grossklags, B. Johnson, N. Christin. When Information Improves Information Security. Proceedings of the Fourteenth International Conference on Financial Cryptography and Data Security (FC'10), January 2010. Extended version available as CyLab Technical Report, CMU, No. CMU-CyLab-09-004. [pdf]

J. Grossklags, S. Radosavac, A. Cardenas, J. Chuang. Nudge: Intermediaries' Role in Interdependent Network Security. Proceedings of 3rd International Conference on Trust and Trustworthy Computing (Trust'10), June 2010.

B. Johnson, J. Grossklags, N. Christin, J. Chuang. Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information. Proceedings of 15th European Symposium on Research in Computer Security (ESORICS'10), September 2010. [pdf]

B. Johnson, J. Grossklags, N. Christin, J. Chuang. Uncertainty in Interdependent Security Games. Proceedings of the 1st Conference on Decision and Game Theory for Security (GameSec 2010), November 2010. [pdf]

B. Johnson, J. Grossklags, N. Christin, J. Chuang. Nash Equilibria for Weakest Target Security Games with Heterogeneous Agents. Proceedings of the 2nd International Conference on Game Theory for Networks (GameNets 2011), April 2011. [pdf]

P. Chia, J. Chuang. Colonel Blotto in the Phishing War. Proceedings of the Conference on Decision and Game Theory for Security (GameSec 2011), November 2011. [pdf]

P. Chia, J. Chuang. Community-Based Web Security: Complementary Roles of the Serious and Casual Contributors. Proceedings of ACM CSCW, February 2012. [pdf]



Funding Support

NSF
100x100 Project
UC MICRO
DoCoMo USA Labs
TRUST