# Geoffrey Heal Graduate School of Business Columbia University Howard Kunreuther Center for Risk Management.


You Can Only Die Once: Interdependent Security in an Uncertain World

Geoffrey Heal, Graduate School of Business, Columbia University (gmh1@columbia.edu)

Howard Kunreuther, Center for Risk Management and Decision Processes, The Wharton School, University of Pennsylvania (kunreuther@wharton.upenn.edu)

### Types of Problems

- Making computer systems more secure against terrorist attacks
- Investing in airline security
- Protecting against chemical and nuclear accidents
- Making buildings more secure against attacks
- Investing in sprinklers to reduce the chances of apartment fires
- Avoiding divisional gambles that could bring entire firm into bankruptcy:
  - Nick Leeson, Singapore futures market, and collapse of Barings
  - Arthur Andersen brought into bankruptcy by Houston branch

### Characteristics of the Problem

- Non-additive damages (you can only die once)
  - E.g., theft of proprietary data, destruction of data
  - Not minor hassles due to disinfecting from viruses
- Risk faced by one person depends on actions taken by others (negative stochastic externalities)
  - E.g., communication among a network of trusted people
  - Not viruses spread from one PC to another by email

### Scenario Illustrating Interdependent Security

- Be Careful (BC) computer system considers installing additional computer security measures for added protection
- Needs to balance the cost of this system with reduction in risk of damage:
  - Not only by attacks against BC directly
  - But also from other computers connected to BC

### What Is Interdependent Security?

- An agent can protect itself against a risk by incurring an upfront investment cost:
  - BC computer system can invest in protection against hackers
- An agent can be contaminated by others even if it is protected:
  - BC computer system can be attacked by “trusted” computer systems that did not invest in protection

### Interdependent Security Model: Assumptions and Notation

- Consider two computer systems: $A_1$ and $A_2$
- $Y$ = cost of each computer system before consideration of security
- Probability of direct attack on $A_i$: $p = .1$
- Probability of attack on $A_i$ damaging the other system: $q = .2$
- Probability non-secure computer system damaged: $p + (1 - p)pq$
- Loss if a computer system is damaged: $L = 1000$
- Investment cost of security system: $c = 95$

### Interdependent Security Model: Expected Costs and Decisions

Expected costs associated with investing (S) and not investing (N) in a security system. Each cell lists the outcome for System 1 first, then System 2.

| | System 2: S | System 2: N |
|---|---|---|
| **System 1: S** | $Y - c,\ Y - c$ $= Y - 95,\ Y - 95$ | $Y - c - pqL,\ Y - pL$ $= Y - 295,\ Y - 100$ |
| **System 1: N** | $Y - pL,\ Y - c - pqL$ $= Y - 100,\ Y - 295$ | $Y - pL - (1 - p)pqL$ $= Y - 280,\ Y - 280$ |

Decisions:

- If $A_2$ has a security system (S), then it is worth $A_1$ investing in one:
  - Expected losses reduced by $pL = -100$
  - Cost of security system = 95
- If $A_2$ does not invest in security (N), then $A_1$ will not want to invest in one:
  - Expected losses reduced by $p(1 - q)L - (280 - 200) = -80$
  - Cost of security system = 95

### Types of Nash Equilibriums

- For $c < pL(1 - pq)$: (S, S) is the dominant strategy
- For $pL(1 - pq) \le c < pL$: (S, S) and (N, N) are Nash equilibriums
- For $c \ge pL$: (N, N) is the dominant strategy
- If the agents have different costs of investing in security measures, then we may find an equilibrium at which only one invests: (N, S) will be a Nash equilibrium if $c_1 > pL$ and $c_2 < pL(1 - pq)$
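Added example (not part of the original slides): a Python check of the two-system game that builds the expected-cost table and finds its pure-strategy Nash equilibria. The names `expected_cost`, `cost_table`, `pure_nash` and the parameter `r` (probability of damage arriving through the other, unprotected system) are assumptions of this example. The table's figures 295 and 280 correspond to `r = 0.2`, while the symbolic term $pq$ with $p = .1$, $q = .2$ gives `r = 0.02`, so the script evaluates both.

```python
from fractions import Fraction as F
from itertools import product

FLIP = {"S": "N", "N": "S"}

def expected_cost(own, other, p, r, L, c):
    """Expected cost (the amount subtracted from Y) for one system.

    own, other: "S" (invests) or "N" (does not invest).
    r: assumed name for the probability of damage arriving via the other,
       unprotected system (the contamination term in the slide's table).
    """
    direct = p if own == "N" else 0      # investing removes the direct risk
    spill = r if other == "N" else 0     # only an unprotected peer contaminates
    invest = c if own == "S" else 0
    # Non-additive damage: contamination matters only if the direct attack
    # has not already caused the loss L ("you can only die once").
    return invest + (direct + (1 - direct) * spill) * L

def cost_table(p, r, L, c1, c2):
    """Map (a1, a2) -> (cost to system 1, cost to system 2)."""
    return {(a1, a2): (expected_cost(a1, a2, p, r, L, c1),
                       expected_cost(a2, a1, p, r, L, c2))
            for a1, a2 in product("SN", repeat=2)}

def pure_nash(p, r, L, c1, c2):
    """Profiles where neither system lowers its cost by switching alone."""
    t = cost_table(p, r, L, c1, c2)
    return [(a1, a2) for (a1, a2), (k1, k2) in t.items()
            if k1 <= t[(FLIP[a1], a2)][0] and k2 <= t[(a1, FLIP[a2])][1]]

if __name__ == "__main__":
    p, q, L, c = F(1, 10), F(1, 5), 1000, 95   # values from the slides
    for label, r in (("r = q", q), ("r = p*q", p * q)):
        print(label, cost_table(p, r, L, c, c), pure_nash(p, r, L, c, c))
    # Differing costs (constructed values): c1 > pL and c2 < pL(1 - pq)
    print(pure_nash(p, p * q, L, 105, 90))
```

With `r = 0.2` both (S, S) and (N, N) are equilibria, matching the decisions listed on the slide; with `r = 0.02` the cost 95 falls below $pL(1 - pq) = 98$ and only (S, S) remains.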

### Impact of Contamination if There Are n Agents

- When is investment in security a dominant strategy with many agents, if the others have not protected themselves?
- Computers: No cost incentive for a computer to protect itself against hackers if the number of agents is large enough!
  - When the number of agents is large and none invests in security, then each agent faces a certain loss of $L$
  - When the number of agents is large, investing in security can never be a dominant strategy for any agent

### Impact of Contamination if There Are n Agents

- Payoff to firm 1 from not investing in security when the other $n - 1$ are also not investing:
- Payoff from investing:
- For investment in security to be dominant, you need:
- In the limit as $n \to \infty$, this becomes $c < 0$!

### Types of Nash Equilibriums

- For :
  - An agent will want to invest even if all other $n - 1$ agents are unprotected
  - (S, S, …, S) is the dominant strategy
- For :
  - There are two Nash equilibriums, (S, S, …, S) and (N, N, …, N)
  - Some coordinating mechanism is necessary to ensure investment
- For $c \ge pL$: (N, N, …, N) is the dominant strategy

### Tipping Behavior When There Is Contamination

- Suppose the $n$ systems differ in the costs and/or risks they face
- Define $E_j(n, 0)$ as the negative externalities imposed by system $j$ on all other systems when no other systems invest, and system $j$ changes from investing to not investing in security
- Two results:
  - If by switching from N to S a single system $j$ can cause all others to switch from N to S, it will be the one that has the highest $E_j(n, 0)$
  - If by switching from N to S a group of $K$ systems can cause all others to follow, they will be the ones with the $K$ highest $E_j(n, 0)$

### Types of Interventions (Internalizing Negative Externalities)

- Insurance
  - Not feasible under current system, because insurer of agent $i$ does not pay for damage to agent $j$ ($j \ne i$)
  - Monopolistic insurer provides premium reduction to agent $i$ for reduction in contamination to all other agents
- Liability
  - This policy tool works only if contaminating agent is held liable for damage to others if it did not invest in protection
- Regulations
  - Well-enforced codes and standards to ensure that cost-effective security measures are adopted

### Types of Interventions (Internalizing Externalities)

- Taxation
  - Can levy a tax of $t$ dollars on any agent that did not invest in protection to encourage them to adopt security measures
- Coordinating mechanisms
  - International Air Transport Association (IATA): requires baggage security on all bags to be transferred to other airlines
  - Co-ops in New York: require that all buyers of apartments invest in sprinkler system as a condition for purchase
  - Social norms: role of friends and neighbors

### Future Research Directions

- Differential costs and risks:
  - Nash equilibrium would be mixture of (S, S, …, N, N)
  - Do you tax some agents more because they have a greater chance of contaminating others?
  - Role of regulations
- Multi-period and dynamic models:
  - Importance of time horizon and discount rate
  - How do you get process of investing started?
  - Importance of developing sequential models of choice

### Future Research Directions (cont.)

- Behavioral considerations:
  - Misperceptions of risk
  - Myopia (i.e., short time horizons)
  - Importance of affect (e.g., worry, dread, anxiety)
  - Budget constraints