
A Tullock-contest-based approach for cyber security investments

Author

  • David Iliaev (Ben-Gurion University of the Negev)
  • Sigal Oren (Ben-Gurion University of the Negev)
  • Ella Segev (Ben-Gurion University of the Negev)

Abstract

We study a cyber security game between a defender who wishes to defend her information assets and an attacker who tries to attack them. In this game the attacker and the defender choose how to distribute their resources in attacking or defending the different information assets. Given these investments the probability that an attack on a given asset is successful is an increasing function of the attacker’s investment and a decreasing function of the defender’s investment. The defender tries to minimize the expected damage from the attacks plus the cost of the defense while the attacker tries to maximize the expected damage from attacks minus his attacks’ expenses. The attacker is constrained by a budget. We compare two scenarios: a sequential move game and a simultaneous game. In the sequential game the defender moves first by deciding how much resources to allocate to the defense of each information asset and the attacker observes these investments and responds by allocating his resources in a manner that maximizes his expected utility. In the simultaneous game the attacker does not observe the defender’s decision before making his own. We analyze the best response strategies of the players and the equilibria of each of these games. Based on this analysis, we provide a tight upper bound on the reduction in defender’s costs that can be achieved by moving from the simultaneous to the sequential game.

Suggested Citation

  • David Iliaev & Sigal Oren & Ella Segev, 2023. "A Tullock-contest-based approach for cyber security investments," Annals of Operations Research, Springer, vol. 320(1), pages 61-84, January.
  • Handle: RePEc:spr:annopr:v:320:y:2023:i:1:d:10.1007_s10479-022-04958-z
    DOI: 10.1007/s10479-022-04958-z

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s10479-022-04958-z
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.



    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    2. Li, Xinmi & Zheng, Jie, 2022. "Pure strategy Nash Equilibrium in 2-contestant generalized lottery Colonel Blotto games," Journal of Mathematical Economics, Elsevier, vol. 103(C).
    3. Mohammad E. Nikoofal & Mehmet Gümüs, 2015. "On the value of terrorist’s private information in a government’s defensive resource allocation problem," IISE Transactions, Taylor & Francis Journals, vol. 47(6), pages 533-555, June.
    4. Dan Kovenock & Brian Roberson & Roman M. Sheremeta, 2019. "The attack and defense of weakest-link networks," Public Choice, Springer, vol. 179(3), pages 175-194, June.
    5. Peiqiu Guan & Meilin He & Jun Zhuang & Stephen C. Hora, 2017. "Modeling a Multitarget Attacker–Defender Game with Budget Constraints," Decision Analysis, INFORMS, vol. 14(2), pages 87-107, June.
    6. Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
    7. Peiqiu Guan & Jun Zhuang, 2016. "Modeling Resources Allocation in Attacker‐Defender Games with “Warm Up” CSF," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 776-791, April.
    8. Qingqing Zhai & Rui Peng & Jun Zhuang, 2020. "Defender–Attacker Games with Asymmetric Player Utilities," Risk Analysis, John Wiley & Sons, vol. 40(2), pages 408-420, February.
    9. Liao, Chun-Hsiung & Chen, Chun-Wei, 2014. "Network externality and incentive to invest in network security," Economic Modelling, Elsevier, vol. 36(C), pages 398-404.
    10. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    11. Simon, Jay & Omar, Ayman, 2020. "Cybersecurity investments in the supply chain: Coordination and a strategic attacker," European Journal of Operational Research, Elsevier, vol. 282(1), pages 161-171.
    12. Abhra Roy & Jomon Paul, 2013. "Terrorism deterrence in a two country framework: strategic interactions between R&D, defense and pre-emption," Annals of Operations Research, Springer, vol. 211(1), pages 399-432, December.
    13. Nakao, Keisuke, 2017. "Denial vs. Punishment: Strategies Shape War, but War Itself Affects Strategies," MPRA Paper 81418, University Library of Munich, Germany.
    14. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    15. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    16. Kjell Hausken, 2014. "Choosing what to protect when attacker resources and asset valuations are uncertain," Operations Research and Decisions, Wroclaw University of Science and Technology, Faculty of Management, vol. 24(3), pages 23-44.
    17. Anbarci, Nejat & Cingiz, Kutay & Ismail, Mehmet S., 2023. "Proportional resource allocation in dynamic n-player Blotto games," Mathematical Social Sciences, Elsevier, vol. 125(C), pages 94-100.
    18. Mathews, Timothy & Paul, Jomon A., 2022. "Natural disasters and their impact on cooperation against a common enemy," European Journal of Operational Research, Elsevier, vol. 303(3), pages 1417-1428.
    19. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.
    20. Mohammad Ebrahim Nikoofal & Morteza Pourakbar & Mehmet Gumus, 2023. "Securing containerized supply chain through public and private partnership," Production and Operations Management, Production and Operations Management Society, vol. 32(7), pages 2341-2361, July.
