Game-Theoretic Approaches to Critical Infrastructure Protection Workshop on Statistics and Counterterrorism November 20, 2004 Vicki Bier University of.

Presentation transcript:

Game-Theoretic Approaches to Critical Infrastructure Protection Workshop on Statistics and Counterterrorism November 20, 2004 Vicki Bier University of Wisconsin-Madison

Research Objectives
- Objective:
  - Study optimal allocation of resources for protection of systems against intentional attacks
- Related to risk analysis:
  - With close tie to economics
  - (Game theory is a branch of economics)
- Potentially applicable in many areas

Background
- Because attackers can modify their strategies in response to our defensive investment:
  - Defense will generally be more costly when the adversary can observe the system defenses
- “Investment in defensive measures, unlike investment in safety measures, saves a lower number of lives…than the apparent direct contribution of those measures”
  - Ravid (2002)
- Security improvements may be less cost-effective than they would initially appear

Game Theory
- Determine the optimal defense against an optimal attack
- Game theory is a useful model for security and critical infrastructure protection:
  - Appropriate when protecting against intelligent and adaptable adversaries
  - Recognizes that defensive strategies must account for attacker behavior

Game between Attackers and Defenders
- Need to make assumptions about:
  - Attacker goals and constraints
  - Defender goals and constraints
  - System design features
- Protective investment assumed to reduce success probability of attacks

Game between Attackers and Defenders
- Consider security of a simple series system:
  - Defending series systems against informed and determined attackers is a difficult challenge
- If the attacker knows about the system’s defenses, the defender’s options are limited:
  - The defender is largely deprived of the ability to allocate defensive investments by their cost-effectiveness
  - Instead, defensive investments must equalize the “attractiveness” of all defended components

Importance of Redundancy
- Parallel systems:
  - Any component can perform the function
  - Attacker must disable all to succeed
- Series systems:
  - Attacker has a wide choice of targets
  - Defender must protect all components!
    - Physically in series (pipelines, electric lines)
    - Multiple failure modes (e.g., multiple points of entry)

Weakest Link Models
- Defender must equalize the attractiveness of all defended components
- This is generally consistent with the Brookings Institution recommendation to defend only the most valuable assets
- However, terrorists also consider the probability of success in choice of targets:
  - So models should take the success probabilities of attacks against various targets into account
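The equalization rule from the series-system and weakest-link slides, worked through as an added example that is not part of the original presentation. It assumes an attack on target i succeeds with probability exp(-a_i * c_i) for investment c_i; that functional form, the function names and the sample numbers are constructed for illustration.

```python
import math

def spend_to_reach(level, values, eff):
    """Investment per target needed to cap its attractiveness at `level`.
    Attractiveness = value * success probability = v * exp(-a * c) (assumed form)."""
    return [max(0.0, math.log(v / level) / a) for v, a in zip(values, eff)]

def worst_case(values, eff, alloc):
    """Expected damage at the target an informed attacker would pick."""
    return max(v * math.exp(-a * c) for v, a, c in zip(values, eff, alloc))

def equalizing_defense(values, eff, budget):
    """Minimax allocation: push the most attractive targets down to one common
    level; targets already below that level receive nothing."""
    top = max(range(len(values)), key=lambda i: values[i])
    hi = values[top]                                # level reachable at zero cost
    lo = hi * math.exp(-eff[top] * budget)          # level if all budget went to the top target
    for _ in range(200):                            # bisection on the common level
        mid = (lo + hi) / 2
        if sum(spend_to_reach(mid, values, eff)) > budget:
            lo = mid                                # too ambitious for the budget
        else:
            hi = mid
    return hi, spend_to_reach(hi, values, eff)

# Constructed sample: three components in series, damage if each is hit.
VALUES = [100.0, 60.0, 10.0]
EFF = [1.0, 1.0, 1.0]      # assumed defensive effectiveness per unit spent
BUDGET = 1.0

def demo():
    level, alloc = equalizing_defense(VALUES, EFF, BUDGET)
    # Naive comparison: split the budget in proportion to target value.
    proportional = [BUDGET * v / sum(VALUES) for v in VALUES]
    return level, alloc, worst_case(VALUES, EFF, proportional)

if __name__ == "__main__":
    level, alloc, naive = demo()
    print("common attractiveness level:", round(level, 2))
    print("allocation:", [round(c, 3) for c in alloc])
    print("worst case under proportional split:", round(naive, 2))
```

The two defended targets end at the same attractiveness, the low-value target gets no investment, and the value-proportional split leaves a more attractive top target for an attacker who observes the defenses.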

Attacker Knowledge
- The assumption that attackers know our defenses may not be unrealistic:
  - Due to the openness of our society
- Public demands knowledge of our defense:
  - Even when this weakens its effectiveness!
- This increases difficulty of defense:
  - E.g., anthrax protection
- Defensive measures may not be effective if they can be easily observed

System Design Features
- Redundancy reduces attacker flexibility:
  - And increases defender flexibility
- Traditional reliability design considerations:
  - Spatial separation
  - Functional diversity
  are also important to defensive strategy
- Examples:
  - Defenses that do not require electricity
  - Use of both land lines and satellite communications
- Secrecy and deception can also be valuable

Extensions with Hedging
- Real-world decision makers will want to hedge:
  - In case they guess wrong about which targets are most attractive to attackers
- Recent work assumes that attackers target the most attractive component:
  - But defenders are uncertain about their attractiveness
- Attackers will in general have different values for targets than defenders:
  - For example, Al-Qaeda prefers targets that are “recognizable in the Middle East” (Woo)

Extensions with Hedging
- Defending one target can deflect attacks to targets that are:
  - Less attractive to attackers (a priori)
  - But more damaging to defenders!
- Optimal defense frequently still involves allocating zero resources to targets with a non-zero probability of successful attack, especially if:
  - Targets vary widely in their values
  - Defender is highly resource-constrained

Sample Application
- Our results shed light on appropriate allocation of resources among targets:
  - Focus on the most attractive (and most vulnerable) targets
  - Spend less money on targets that are unlikely to be attacked
- Some states may have relatively few targets worth much investment

Security versus Safety
- In safety applications:
  - Natural hazards
  - Accident prevention
  the 80/20 rule works well:
  - Address the top 80% of the risks, at 20% of the cost
- By contrast, in security applications:
  - It may not be worthwhile spending anything at all
  - Unless you address all serious vulnerabilities
- Example:
  - Don’t bother searching purses and backpacks
  - If you don’t also search baby carriages!

Extensions in Progress
- More complicated system structures:
  - E.g., adapting past work on least-cost diagnosis to identify “least-cost” attack strategies
  - As a building block for optimal (or near-optimal) defenses
- Non-convex functions for attack success probability as a function of investment:
  - If minimal levels of investment are required
  - If investment beyond a threshold deters attackers
- Secrecy and deception:
  - When are these useful?
  - How can we quantify their benefits?

Game between Defenders
- Consider effects of defensive actions on the risks faced by other defenders:
  - And therefore the strategies they adopt
- Some defenses (e.g., car alarms) increase risk to other defenders:
  - Payoff of investing to any one individual is greater than the net payoff to society
  - Typically leads to overinvestment in security
- Other defenses (e.g., vaccination) decrease risk to other defenders:
  - “Free riders”
  - Typically lead to underinvestment in security

Game between Defenders
- Extended an earlier “static” model by Kunreuther and Heal to account for attacks over time:
  - Example: computerized supply chain partners
- Differences in discount rates can lead some agents not to invest in security when it is otherwise in their interests:
  - If other agents choose not to invest
- Differences in discount rates can arise due to:
  - Industries with different rates of return
  - Risk of impending bankruptcy
  - Myopia
- This game can have multiple equilibrium solutions:
  - Creating a need for coordinating mechanisms

Sample Application
- Computer security in electronic supply chains:
  - Companies may be vulnerable to weaknesses in computer security on the part of their partners
  - This can reduce their incentives to invest in their own computer security
- Coordinating mechanisms can help to address this problem:
  - Contract terms
  - Government regulation
  - Development of international standards
  - Loans to enable partners who are not as financially stable to improve their computer security
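How multiple equilibria arise between supply chain partners, and how a coordinating mechanism removes the bad one, as an added example that is not part of the original presentation. It uses a simplified static two-firm payoff structure in the spirit of the interdependent-security setting named above, not the presenter's dynamic model; the parameters p (direct compromise probability), q (probability of compromise via an unprotected partner), the costs and the subsidy are all constructed assumptions.

```python
from itertools import product

def expected_cost(invests, partner_invests, c, p, q, loss):
    """Expected cost to one firm in the assumed two-firm static model."""
    if invests:
        # Own systems are secured; exposure remains only via an unprotected partner.
        return c + (0.0 if partner_invests else q * loss)
    if partner_invests:
        return p * loss
    # Direct compromise, or compromise through the partner if not hit directly.
    return p * loss + (1 - p) * q * loss

def is_best_response(me, partner, c, p, q, loss):
    """True if switching own choice would not lower this firm's expected cost."""
    return (expected_cost(me, partner, c, p, q, loss)
            <= expected_cost(not me, partner, c, p, q, loss))

def pure_equilibria(c, p, q, loss):
    """All pure-strategy Nash equilibria as (firm_a_invests, firm_b_invests)."""
    return [(a, b) for a, b in product([False, True], repeat=2)
            if is_best_response(a, b, c, p, q, loss)
            and is_best_response(b, a, c, p, q, loss)]

# Constructed parameters for two symmetric partners.
P, Q, LOSS = 0.2, 0.5, 1000.0
COST = 150.0       # security investment cost; lies between p*L*(1-q) and p*L
SUBSIDY = 60.0     # hypothetical coordinating mechanism lowering the effective cost

if __name__ == "__main__":
    print("no coordination:", pure_equilibria(COST, P, Q, LOSS))
    print("with subsidy:   ", pure_equilibria(COST - SUBSIDY, P, Q, LOSS))
```

Without coordination both "nobody invests" and "everybody invests" are stable, so each firm's choice depends on what it expects of its partner; once the effective cost falls below p*L*(1-q), investing is the best response regardless of the partner.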

Conclusions
- Protecting against intentional attacks must account for attacker responses:
  - Most applications of risk analysis fail to take this into account
  - Most applications of game theory to security deal with individual components in isolation
- Combining these approaches makes it possible to invest more cost-effectively:
  - Avoids wasting resources on defenses that can easily be disabled or circumvented by attackers