A Local Mean Field Analysis of Security Investments in Networks
Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. Our goal in this paper i…
Authors: Marc Lelarge, Jean Bolot
Marc Lelarge, INRIA-ENS, Paris, France, marc.lelarge@ens.fr
Jean Bolot, Sprint, California, USA, bolot@sprint.com

ABSTRACT

Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. Our goal in this paper is to model and investigate the impact of such externalities on security investments in a network. Specifically, we study a network of interconnected agents subject to epidemic risks such as viruses and worms where agents can decide whether or not to invest some amount to deploy security solutions. We consider both cases when the security solutions are strong (they perfectly protect the agents deploying them) and when they are weak. We make three contributions in the paper. First, we introduce a general model which combines an epidemic propagation model with an economic model for agents which captures network effects and externalities. Second, borrowing ideas and techniques used in statistical physics, we introduce a Local Mean Field (LMF) model, which extends the standard mean-field approximation to take into account the correlation structure on local neighborhoods. Third, we solve the LMF model in a network with externalities, and we derive analytic solutions for sparse random graphs of agents, for which we obtain asymptotic results. We find known phenomena such as free riders and tipping points. We also observe counter-intuitive phenomena, such as increasing the quality of the security technology can result in a decreased adoption of that technology in the network. In general, we find that both situations with strong and weak protection exhibit externalities and that the equilibrium is not socially optimal - therefore there is a market failure.
Insurance is one mechanism to address this market failure. In related work, we have shown that insurance is a very effective mechanism [3, 4] and argue that using insurance would increase the security in a network such as the Internet.

Keywords: Security, Game Theory, Epidemics, Economics, Price of Anarchy, Tipping, Free rider problem.

To appear in NetEcon'08 [11]. This version includes proofs (given in Appendix) of results stated in [11].

1. INTRODUCTION

Users and computers in the Internet face a wide range of security risks. Of particular concern are epidemic risks, such as those propagated by worms and viruses. Epidemic risks depend on the behavior of other entities in the network, such as whether or not those entities invest in security solutions to minimize their likelihood of being infected. Our goal in this paper is to analyze the strategic behavior of agents facing such epidemic risks.

The propagation of worms and viruses [16, 7], but also many other phenomena in the Internet such as the propagation of alerts and patches [14] or of routing updates [5], can be modeled using epidemic spreads through a network. As a result, there is now a vast body of literature on epidemic spreads over a network topology from an initial set of infected nodes to susceptible nodes. However, much of that work has focused on modeling and understanding the propagation of the epidemics proper, without considering the impact of network effects and externalities.

Recent work which did model such effects has been limited to the simple case of two agents, i.e. a two-node network. For example, reference [9] proposes a parametric game-theoretic model for such a situation. In the model, agents decide whether or not to invest in security and agents face a risk of infection which depends on the state of other agents.
The authors show the existence of two Nash equilibria (all agents invest or none invests), and suggest that taxation or insurance would be ways to provide incentives for agents to invest (and therefore reach the "good" Nash equilibrium). However, their approach does not scale to the case of N agents, and it does not handle various network topologies connecting those agents. Our work addresses precisely those limitations.

The rest of the paper is organized as follows. In Section 2, we describe our model for epidemic risks with network effects and externalities. In Section 3, we introduce our Local Mean Field Model (LMF) and state asymptotic results that can be obtained with LMF. In Section 4, we use the LMF model to examine both cases when agents invest in strong security solutions (which perfectly protect the agents deploying them against propagated risks) and in weak solutions. We find known phenomena such as free riders and tipping points [4]. We also observe counter-intuitive phenomena, such as increasing the quality of the security technology can result in a decreased adoption of that technology in the network. In Section 5, we discuss our results and conclude the paper.

2. A MODEL FOR EPIDEMIC RISKS AND NETWORK EFFECTS

2.1 Economic model for the agents

We model agents using the classical expected utility model, where agents attempt to maximize a utility function $u$. We assume that agents are rational and that they are risk averse, i.e. their utility function is concave (see Proposition 2.1 in [8]). Risk averse agents dislike mean-preserving spreads in the distribution of their final wealth. We denote by $w$ the initial wealth of the agent. The risk premium $\pi$ is the maximum amount of money that one is ready to pay to escape a pure risk $X$, where a pure risk $X$ is a random variable such that $E[X] = 0$.
The risk premium corresponds to an amount of money paid (thus decreasing the wealth of the agent from $w$ to $w - \pi$) which covers the risk; hence, $\pi$ is given by the following equation: $u[w - \pi] = E[u[w + X]]$.

Each agent faces a potential loss $\ell$, which we take in this paper to be a fixed (non-random) value. We denote by $p$ the probability of loss or damage. There are two possible final states for the agent: a good state, in which the final wealth of the agent is equal to his initial wealth $w$, and a bad state in which the final wealth is $w - \ell$. If the probability of loss is $p > 0$, the risk is clearly not a pure risk. The amount of money $m$ the agent is ready to invest to escape the risk is given by the equation:

$$p\,u[w - \ell] + (1 - p)\,u[w] = u[w - m].$$

We clearly have $m > p\ell$ thanks to the concavity of $u$. We can actually relate $m$ to the risk premium defined above: $m = p\ell + \pi[p]$.

An agent can invest some amount in self-protection, which in practice would reflect an investment in antivirus or anomaly detection solutions. If an agent decides to invest in self-protection, we say that the agent is in state $S$ (as in Safe or Secure). If the agent decides not to invest in self-protection, it is in state $N$ (Not safe). If the agent does not invest, its probability of loss is $p^N$. If it does invest, for an amount which we assume is a fixed amount $c$, then its loss probability is reduced and equal to $p^S < p^N$.

In state $N$, the expected utility of the agent is $p^N u[w - \ell] + (1 - p^N) u[w]$; in state $S$, the expected utility is $p^S u[w - \ell - c] + (1 - p^S) u[w - c]$. Using the definition of risk premium, we see that these quantities are equal to $u[w - p^N \ell - \pi[p^N]]$ and $u[w - c - p^S \ell - \pi[p^S]]$, respectively.
Therefore, the optimal strategy is for the agent to invest in self-protection only if the cost for self-protection is less than the threshold

$$c < (p^N - p^S)\ell + \pi[p^N] - \pi[p^S]. \qquad (1)$$

2.2 Epidemic model

We describe now our model for the epidemic risk. Agents are represented by vertices of a graph. We assume that an agent in state $S$ has a probability $p^-$ of direct loss and an agent in state $N$ has a probability $p^+$ of direct loss with $p^+ \ge p^-$. Then any infected agent contaminates neighbors independently of each other with probability $q^-$ if the neighbor is in state $S$ and $q^+$ if the neighbor is in state $N$, with $q^+ \ge q^-$. Special cases of this model are examined in [10], where $q^+ = q^-$, and in [12], where agents in state $S$ are completely secure and cannot be infected, i.e. $p^- = q^- = 0$.

Let $G = (V, E)$ be a graph on a countable vertex set $V$. Agents are represented by vertices of the graph. For $i, j \in V$, we write $i \sim j$ if $(i, j) \in E$ and we say that agents $i$ and $j$ are neighbors. The state of agent $i$ is represented by $X_i$; agent $i$ is infected (respectively healthy) iff $X_i = 1$ (respectively $X_i = 0$). We now describe the fundamental recursion satisfied by the vector $X$. We first introduce the following sequences of independent identically distributed (i.i.d.) random variables (r.v.):

• $(A^S, A^S_i, i \in \mathbb{N})$ Bernoulli r.v. with parameter $p^-$;
• $(A^N, A^N_i, i \in \mathbb{N})$ Bernoulli r.v. with parameter $p^+$;
• $(B^S_i, B^S_{ji}, i, j \in \mathbb{N})$ Bernoulli r.v. with parameter $q^-$;
• $(B^N_i, B^N_{ji}, i, j \in \mathbb{N})$ Bernoulli r.v. with parameter $q^+$.

Let $D_i = 1$ if agent $i$ is in state $S$ and $D_i = 0$ otherwise. We define $\phi_i = D_i A^S_i + (1 - D_i) A^N_i$. The variable $\phi_i$ models the direct loss: if $\phi_i = 1$ there is a direct loss for agent $i$, otherwise there is no direct loss for agent $i$. We also define $\theta_{ji} = D_i B^S_{ji} + (1 - D_i) B^N_{ji}$.
The variable $\theta_{ji}$ models the possible contagion from agent $j$ to agent $i$: if $\theta_{ji} = 1$, there is contagion, otherwise there is no contagion. Then the fundamental recursion satisfied by the vector $X = (X_i, i \in V)$ is

$$1 - X_i = (1 - \phi_i) \prod_{j \sim i} (1 - \theta_{ji} X_j). \qquad (2)$$

2.3 Epidemic risks for interconnected agents

In order to completely specify our model, we still need to define how to choose the variables $D_i$, i.e. whether agent $i$ invests in self-protection (corresponding to $D_i = 1$) or not ($D_i = 0$). First, note that the probability of loss for agent $i$ is given, depending on whether or not it invests in self-protection, by

$$p^S_i := E[X_i \mid D_i = 1], \quad \text{or,} \qquad (3)$$
$$p^N_i := E[X_i \mid D_i = 0]. \qquad (4)$$

In view of (1), the best response of agent $i$ is given by:

$$D_i = \mathbb{1}\big(c_i < (p^N_i - p^S_i)\ell_i + \pi_i[p^N_i] - \pi_i[p^S_i]\big), \qquad (5)$$

where $p^S_i$ and $p^N_i$ are given by (3) and (4).

Our model is defined by the graph $G$ (whose topology is arbitrary) and the set of Equations (2,3,4,5). In the rest of this paper, we will make a simplifying assumption: we consider a heterogeneous population, where agents differ only in self-protection cost and potential loss. The cost of protection should not exceed the possible loss, hence $0 \le c_i \le \ell_i$. The cost $c_i$ and the potential loss $\ell_i$ are known to agent $i$ and vary among the population. Hence we model this heterogeneous population by taking the sequence $(c_i, \ell_i, i \in \mathbb{N})$ as a sequence of i.i.d. random variables independent of everything else.

So far, we have not yet specified the underlying graph. We will consider random families of graphs $G^{(n)}$ with $n$ vertices and give asymptotic results as $n$ tends to infinity. In all cases, we assume that the family of graphs $G^{(n)}$ is independent of all other processes.

3. LOCAL MEAN FIELD MODEL

In this section, we introduce our Local Mean Field (LMF) model.
It extends the standard mean-field approximation by allowing one to model the correlation structure on local neighborhoods. It can be shown that the LMF gives the exact asymptotic behavior of the process $X$ as the number of vertices tends to infinity for sparse random graphs with asymptotic given degree distribution $P(d)$ (see [6] for a definition). A rigorous proof of this fact can be found in [10] for a particular case of the model described in Section 2.2. We will not attempt to give a general proof here. The main tool is the notion of local weak convergence [2].

3.1 Exact results for trees

Since the graphs we are considering can be considered locally to be like trees (with high probability), we first examine the case where $G = T$ is a tree with nodes , 1, . . . and a fixed root . For a node $i$, we denote by $\mathrm{gen}(i) \in \mathbb{N}$ the generation of $i$, i.e. the length of the minimal path from to $i$. Also we denote $i \to j$ if $i$ is a child of $j$, i.e. $\mathrm{gen}(i) = \mathrm{gen}(j) + 1$ and $j$ is on the minimal path from to $i$. For an edge $(i, j) \in E$ with $i \to j$, we denote by $T_{i \to j}$ the sub-tree of $T$ with root $i$ when deleting edge $(i, j)$ from $T$.

We have a family of trees $T_{i \to j}$ and we run the epidemic model according to equation (2) with the same variables $(B^S_i, B^N_i, B^S_{ij}, B^N_{ij}, c_i, \ell_i, i, j \in \mathbb{N})$ on each tree. Hence the epidemics on the various subtrees of $T$ are coupled thanks to these random variables. We say that node $i$ is infected from $T_{i \to j}$ if the node $i$ is infected in $T_{i \to j}$. We denote by $Y_i$ the corresponding indicator function with value 1 if $i$ is infected from $T_{i \to j}$ and 0 otherwise. A simple induction shows that the recursion (2) becomes:

$$1 - Y_i = (1 - \phi_i) \prod_{k \to i} (1 - \theta_{ki} Y_k). \qquad (6)$$

If the tree $T$ is finite, we can compute all the $Y_i$ recursively starting from the leaves with $Y_\ell = \phi_\ell$ for any leaf $\ell$.
As a consequence (and this is the main difference with (2) which makes the model on a tree tractable), the random variables $Y_k$ with $k \to i$ in the right-hand term of (6) are independent of each other and independent of the $\theta_{ki}$. For any node $i \in T$, we just defined $Y_i$ and the family $(Y_i, i \in T)$ is a tree-indexed process called a Recursive Tree Process (RTP).

Consider now the case where $T$ is a Galton-Watson branching process with offspring distribution $P^*$. The tree $T$ is now possibly infinite but it is still possible to define an invariant RTP on $T$. One way to construct it consists in defining a RTP for each finite depth-$d$ tree and then show that these RTPs converge to an invariant RTP as the depth $d$ tends to infinity [1]. We first introduce the Recursive Distributional Equation (RDE):

$$Y \overset{d}{=} 1 - (1 - \phi) \prod_{k=1}^{N^*} (1 - \theta_k Y_k), \qquad (7)$$

where $N^*$ has distribution $P^*$, $\phi = D A^S + (1 - D) A^N$, $\theta_k = D B^S_k + (1 - D) B^N_k$ where $D$ is a Bernoulli r.v. with parameter $\gamma$, $Y$ and $Y_k$ are i.i.d. copies. We also assume that the random variables $D$, $A^S$, $A^N$, $B^S_k$, $B^N_k$ and $Y_k$ are independent of each other. Note however that $\phi$ and the $\theta$'s are not independent of each other. RDE for RTP plays a similar role as the equation $\mu = \mu K$ for the stationary distribution of a Markov chain with kernel $K$, see [1]. The following result (proved in Appendix 7.1) solves the RDE.

Proposition 1. For $p^+ > 0$, the RDE (13) has a unique solution: $Y$ is a Bernoulli random variable with parameter $h(\gamma)$, the unique solution in $[0, 1]$ of

$$h = 1 - \gamma (1 - p^-) G_{N^*}(1 - q^- h) - (1 - \gamma)(1 - p^+) G_{N^*}(1 - q^+ h),$$

where $G_{N^*}(x) = E[x^{N^*}]$ is the generating function of the distribution $P^*$. Moreover the function $\gamma \mapsto h(\gamma)$ is non-increasing in $\gamma$.
As a consequence, we see that it is possible to construct an invariant version of the RTP on the tree $T$ where for each $k \ge 0$, the sequence $(Y_i, i \in T, \mathrm{gen}(i) = k)$ is a sequence of i.i.d. Bernoulli random variables with parameter $h$, see [1].

3.2 LMF associated to a random network

Our LMF model is characterized by the connectivity distribution $P(d)$ but the underlying tree $T$ has to be slightly modified compared to the previous section: if we start with a given vertex then the number of neighbors (the first generation in the branching process) has distribution $P$ but this is not true for the second generation. Let $T$ be a Galton-Watson branching process with a root which has offspring distribution $P$ and all other nodes have offspring distribution $P^*$ given by $P^*(d - 1) = \frac{d P(d)}{\sum d P(d)}$ for all $d \ge 1$.

Remark 1. Note that if $P$ is the Poisson distribution with parameter $\lambda$, which is the asymptotic degree distribution for the Erdos-Renyi graph $G(n, \lambda/n)$, then $P^*$ is also Poisson with mean $\lambda$.

We now explain how to define the LMF based on the analysis made in the previous section. Clearly, the crucial point in recursion (6) is the fact that the $Y_i$ can be computed "bottom-up". However a node can also be infected from its parent and $Y_i$ is NOT a good approximation of the real process $X_i$. Indeed the only node for which the previous analysis gives an approximation of the process $X$ is the root, and the $Y_i$'s encode the information that the root is infected by an agent in the subtree of $T$ "below" $i$. Hence we define

$$X(D) \overset{d}{=} 1 - (1 - \phi) \prod_{k=1}^{N} (1 - \theta_k Y_k), \qquad (8)$$

where $N$ has distribution $P$, $\phi$ and $\theta_k$ are the same as in (13) and the $Y_k$'s are i.i.d. Bernoulli r.v. with parameter $h(\gamma)$, i.e. satisfying the RDE (13) with $N^*$ having distribution $P^*$.

3.3 Asymptotic results

We now show how to get quantitative results from our LMF.
The goal of Section 4 is to derive such results for various cases.

We consider a family of random graphs on $n$ vertices $G^{(n)}$ and the associated process $(X^{(n)}_i, i \in \{0, \dots, n - 1\})$ satisfying the equations of our model on $G^{(n)}$. We assume that our family of random graphs converges locally to a tree as described in the previous section. This property is true for sparse random graphs [2]. It can be shown that the process $X^{(n)}$ is asymptotically equivalent to the process defined on the tree, i.e. the corresponding LMF model described in the previous section [10]. Hence we restrict our analysis to the LMF model and the quantities computed here correspond to the asymptotic values of the corresponding quantities for the process $X^{(n)}$ for large values of $n$.

Let $\gamma$ be the fraction of the population investing in self-protection. Then by symmetry, the random variables $D_i$ are i.i.d. Bernoulli r.v. with parameter $\gamma$. Thanks to the results of the previous section, we can compute the law of the $X_i$'s. From this law, we can compute the corresponding probability of loss depending on the choice made to invest or not. Then one has to check self-consistency: the fraction of the population for which the best response consists in investing in self-protection should be $\gamma$. Hence to solve our LMF model, we need to solve the following fixed point equation:

$$p^{N,\gamma} = E[X(D) \mid D = 0] = 1 - E\Big[(1 - A^N) \prod_{i=1}^{N} (1 - B^N_i Y_i)\Big], \qquad (9)$$
$$p^{S,\gamma} = E[X(D) \mid D = 1] = 1 - E\Big[(1 - A^S) \prod_{i=1}^{N} (1 - B^S_i Y_i)\Big], \qquad (10)$$
$$c_\gamma = (p^{N,\gamma} - p^{S,\gamma})\ell + \pi[p^{N,\gamma}] - \pi[p^{S,\gamma}], \qquad (11)$$
$$\gamma = P(c \le c_\gamma), \qquad (12)$$

where the distribution of $X(D)$ is given by (8) or equivalently the $Y_i$ are i.i.d. Bernoulli r.v. with parameter $h(\gamma)$ given by Proposition 1.

Let $\gamma^*$ be a solution of this fixed point equation.
Then we have the following interpretations: $\gamma^*$ is the fraction of the population investing in self-protection, $p^{N,\gamma^*}$ is the probability of loss for an agent not investing in self-protection and $p^{S,\gamma^*}$ is the probability of loss for an agent investing in self-protection. Hence the average probability of loss is $E[X(D)] = \gamma^* p^{S,\gamma^*} + (1 - \gamma^*) p^{N,\gamma^*}$.

The outcome of rational behavior by self-interested agents can be inferior to a centrally designed outcome. By how much? The price of anarchy, the most popular measure of the inefficiency of equilibria, is defined as the ratio between the worst objective function value of an equilibrium of the game and that of an optimal outcome (possibly centralized, in which case it will not be described by the model introduced above). In our setting, the cost incurred to agent $i$ is $c_i + p^S_i \ell_i + \pi_i(p^S_i)$ if it invests in security and $p^N_i \ell_i + \pi_i(p^N_i)$ otherwise. So for a given equilibrium, we can compute the total cost incurred to the population. The price of anarchy is the ratio of the largest (among all equilibria) such cost divided by the optimal cost. The price of anarchy is at least 1 and a value close to 1 indicates that the given outcome is approximately optimal. We refer to [13] for an introduction to the inefficiency of equilibria (in particular chapter 17). We show in the next section how to compute this price of anarchy.

4. NETWORK EXTERNALITIES AND THE DEPLOYMENT OF SECURITY FEATURES

We next use our LMF model to compare the following situations:

• Case 1: Strong protection. If an agent invests in self-protection, it cannot be harmed at all by the actions or inactions of others: $p^- = q^- = 0$ (this is as in [12]).
• Case 2: Weak protection.
Investing in self-protection does not change the probability of contagion: $q^+ = q^-$ (as in [10]).

In both cases, agents that invest in self-protection incur some cost and in return receive some individual benefit through the reduced individual expected loss. But part of the benefit is public, namely the reduced indirect risk in the economy from which everybody benefits. Hence, there is a negative externality associated with not investing in self-protection, namely the increased risk to others.

4.1 Erdos-Renyi graphs

We analyze our model on a large sparse random graph $G^{(n)} = G(n, \lambda/n)$ on $n$ nodes $\{0, 1, \dots, n - 1\}$, where each potential edge $(i, j)$, $0 \le i < j \le n - 1$, is present in the graph with probability $\lambda/n$, independently for all $n(n - 1)/2$ edges. Here $\lambda > 0$ is a fixed constant independent of $n$. This corresponds to the case of the Erdös-Rényi graph which has received considerable attention in the past [6]. As explained in Section 3, our analysis is not restricted to this class of graphs, but it is simpler in this case since the degree distribution $P$ is a Poisson distribution with mean $\lambda$ (see Remark 1).

In this case, the fixed point equation for $h(\gamma)$ in Proposition 1 becomes:

$$h = 1 - \gamma (1 - p^-) e^{-\lambda q^- h} - (1 - \gamma)(1 - p^+) e^{-\lambda q^+ h}.$$

Then the equations (9) and (10) are given by:

$$p^{N,\gamma} = 1 - (1 - p^+) e^{-\lambda q^+ h(\gamma)}, \qquad p^{S,\gamma} = 1 - (1 - p^-) e^{-\lambda q^- h(\gamma)}.$$

For simplicity, we drop the risk averse condition, so that $\pi \equiv 0$ and we assume that costs for the self-protection are the same for all agents and equal to $c$, and the possible losses are also the same and equal to $\ell$. Then we have

$$c_\gamma = \Big((1 - p^-) e^{-\lambda q^- h(\gamma)} - (1 - p^+) e^{-\lambda q^+ h(\gamma)}\Big)\ell.$$

Recall that an agent decides to invest in self-protection iff $c < c_\gamma$. The monotonicity of $c_\gamma$ in $\gamma$ is crucial and it depends on the value of the parameters $(p^+, p^-, q^+, q^-)$.
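The fixed point of this section solved numerically, as an added example that is not part of the paper: it computes $h(\gamma)$ by bisection, derives $p^{N,\gamma}$, $p^{S,\gamma}$ and $c_\gamma$, checks on a grid how $c_\gamma$ moves with $\gamma$ under strong protection ($p^- = q^- = 0$) and weak protection ($q^- = q^+$, with $p^- = 0$ as an assumed value), and solves for the equilibrium fraction in the strong case. Function names, tolerances, the grid and the sample cost $c/\ell = 0.1$ are assumptions of this example; $p^+ = 0.01$, $q^+ = 0.5$ and $\lambda = 10$ are the values the paper quotes for its adoption curves.

```python
import math
from typing import NamedTuple, Tuple


class Params(NamedTuple):
    """Epidemic parameters of Section 2.2 on an Erdos-Renyi graph G(n, lam/n)."""
    p_plus: float   # direct-loss probability of an agent in state N
    p_minus: float  # direct-loss probability of an agent in state S
    q_plus: float   # contagion probability towards a neighbor in state N
    q_minus: float  # contagion probability towards a neighbor in state S
    lam: float      # mean degree of the Poisson degree distribution


def solve_h(gamma: float, prm: Params, tol: float = 1e-13) -> float:
    """Smallest root in [0, 1] of the Poisson fixed point equation for h(gamma).

    The right-hand side f is concave and non-decreasing in h with f(1) < 1,
    so f(x) - x changes sign exactly once whenever f(0) > 0.
    """
    def g(x: float) -> float:
        safe = gamma * (1 - prm.p_minus) * math.exp(-prm.lam * prm.q_minus * x)
        unsafe = (1 - gamma) * (1 - prm.p_plus) * math.exp(-prm.lam * prm.q_plus * x)
        return 1 - safe - unsafe - x

    if gamma * prm.p_minus + (1 - gamma) * prm.p_plus <= 0:
        return 0.0  # f(0) = 0: nobody suffers a direct loss, h = 0 solves it
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if g(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def loss_probabilities(gamma: float, prm: Params) -> Tuple[float, float]:
    """(p^{N,gamma}, p^{S,gamma}) from the two closed forms of Section 4.1."""
    h = solve_h(gamma, prm)
    p_n = 1 - (1 - prm.p_plus) * math.exp(-prm.lam * prm.q_plus * h)
    p_s = 1 - (1 - prm.p_minus) * math.exp(-prm.lam * prm.q_minus * h)
    return p_n, p_s


def threshold(gamma: float, prm: Params, loss: float = 1.0) -> float:
    """c_gamma with pi = 0: an agent invests iff its cost c is below this value."""
    p_n, p_s = loss_probabilities(gamma, prm)
    return (p_n - p_s) * loss


def monotonicity(prm: Params, steps: int = 200, eps: float = 1e-12) -> str:
    """Classify gamma -> c_gamma on a uniform grid of [0, 1]."""
    vals = [threshold(k / steps, prm) for k in range(steps + 1)]
    diffs = [b - a for a, b in zip(vals, vals[1:])]
    if all(d <= eps for d in diffs):
        return "non-increasing"
    if all(d >= -eps for d in diffs):
        return "non-decreasing"
    return "mixed"


def strong_equilibrium(cost: float, prm: Params, loss: float = 1.0,
                       tol: float = 1e-12) -> float:
    """Equilibrium fraction gamma* for a common cost when c_gamma is non-increasing.

    An interior gamma* satisfies c_gamma* = cost; it is the limit of solutions
    of gamma = P(c <= c_gamma) as the cost distribution concentrates on `cost`.
    """
    if cost >= threshold(0.0, prm, loss):
        return 0.0  # not worth investing even when nobody else does
    if cost <= threshold(1.0, prm, loss):
        return 1.0  # worth investing even when everybody else does
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if threshold(mid, prm, loss) > cost:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


# Case 1 (strong) and Case 2 (weak, p_minus = 0 assumed) with the quoted parameters.
STRONG = Params(p_plus=0.01, p_minus=0.0, q_plus=0.5, q_minus=0.0, lam=10.0)
WEAK = Params(p_plus=0.01, p_minus=0.0, q_plus=0.5, q_minus=0.5, lam=10.0)

if __name__ == "__main__":
    for name, prm in (("strong", STRONG), ("weak", WEAK)):
        print(name, monotonicity(prm), threshold(0.0, prm), threshold(1.0, prm))
    g_star = strong_equilibrium(0.1, STRONG)  # constructed sample cost c/l = 0.1
    print("gamma* =", g_star, " h*l/c =", solve_h(g_star, STRONG) / 0.1)
```

In the strong case the interior solution satisfies $h(\gamma^*) = (1 - \gamma^*)\,c/\ell$, which the run above prints side by side with $1 - \gamma^*$.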
4.2 Case 1: Strong protection

We first consider Case 1 where $p^- = q^- = 0$, so that $p^{S,\gamma} = 0$ and $c_\gamma = p^{N,\gamma}\ell = \big(1 - (1 - p^+) e^{-\lambda q^+ h(\gamma)}\big)\ell$. Then by Proposition 1, $\gamma \mapsto c_\gamma$ is non-increasing and the fixed point equation (9,10,11,12) has a unique solution. In this case, as $\gamma$, the fraction of agents investing in self-protection, increases, the incentive to invest in self-protection decreases. In fact, it is less attractive for an agent to invest in self-protection, should others then decide to do so. As more agents invest, the expected benefit of following suit decreases since there is a reduction in the negative externalities which translates into a lower probability of loss. Hence there is a unique equilibrium point which is a Nash equilibrium. However, there is a wide range of parameters for which the Nash equilibrium will not be socially optimal because agents do not take into account the negative externalities they are creating in determining whether to invest or not. Indeed it is easily shown that at least for $c > p^+ \ell$, the price of anarchy is strictly larger than one (see Figure 1).

Figure 1: Price of anarchy for $c/\ell$ in the vicinity of $p^+ = 0.01$ (horizontal axis: c/l; vertical axis: Pa).

Proposition 2. The fixed point equation (9,10,11,12) reduces to

$$h = \frac{h\ell}{c}\Big(1 - (1 - p^+) e^{-\lambda q^+ h}\Big) \quad \text{and,} \quad 1 - \gamma = \frac{h\ell}{c}.$$

It has a unique solution. The price of anarchy is given by

$$P_a(c) = \sup_\gamma \frac{c}{\gamma c + h(\gamma)\ell},$$

where $h(\gamma)$ is the unique solution of

$$h = (1 - \gamma)\Big(1 - (1 - p^+) e^{-\lambda q^+ h}\Big).$$

See Appendix 7.2 for a proof.

4.3 Case 2: Weak protection

We now consider Case 2 where $q^+ = q^-$, so that $\gamma \mapsto c_\gamma$ is non-decreasing. The analysis of this case is described in [10] (see Proposition 5). The situation is quite different from the results we derived for Case 1 above.
In particular, we can have two Nash equilibria involving everyone or no one investing in security. When there are two Nash equilibria, the socially optimal solution is always for everyone to invest: each agent will find that the cost of investing in self-protection will be justified if it does not incur any negative externalities and society will be better off as well.

Proposition 3. We have $c_0 < c_1$ and
• if $c < c_0$, then there is only one Nash equilibrium where every agent invests in self-protection;
• if $c > c_1$, then there is only one Nash equilibrium where no agent invests in self-protection;
• if $c_0 < c < c_1$, then both Nash equilibria are possible.
The price of anarchy is given by:

$$P_a(c) = 1 \vee \mathbb{1}(c_0 < c)\,\frac{h(0)\ell}{c + h(1)\ell}.$$

If we take $p^- = 0$, then we have $h(1) = 0$ and $h(0) = h^*$ solution of $h^* = 1 - (1 - p^+) e^{-\lambda q h^*}$. So that we have $P_a(c) \sim \frac{h^* \ell}{c}$. Figure 2 shows the value of $h^*$ as a function of $\lambda q^+$. Note that typically $c = o(\ell)$ so that the price of anarchy can be substantially larger than one.

Figure 2: Price of anarchy: $h^*$ as a function of $\lambda q^+$, with $p^+ = 0.01$ and $p^- = 0$.

5. DISCUSSION

We have shown that both situations with strong or weak protections exhibit externalities and that the equilibrium is not socially optimal: therefore, there is a market failure. However there are several important differences to understand between strong and weak protections before trying to resolve this market failure.

In case 1, the situation is similar to the free-rider problem which arises in the production of public goods. If all the agents invest in self-protection, then the general security level of the network is very high since the probability of loss is zero.
But a self-interested agent would not continue to pay for self-protection since it incurs a cost $c$ for preventing only direct losses that have very low probabilities. When the general security level of the network is high, there is no incentive for investing in self-protection. This results in an under-protected network. Note that in this case, if the cost for self-protection is not prohibitive, there is always a non-negligible fraction of the agents investing in self-protection.

In case 2, the situation is quite different since no agent at all invests in self-protection. Even if a small fraction of agents does invest, and so raises the general level of security of the network, it is not sufficient for the benefit obtained by investing in self-protection for a new agent to be larger than the cost of self-protection.

These facts seem very relevant to the situation observed in the Internet, where under-investment in security solutions and security controls has long been considered an issue. Security managers typically face challenges in providing justification for security investments, and in 2003, the President's National Strategy to Secure Cyberspace stated that government action is required where "market failures result in under-investment in cybersecurity" [15].

It shows the power of our basic model to note that these interesting and very relevant phenomena emerge from our analysis. Note also that these phenomena correspond to two extreme values of the parameter $q^-$, namely case 1 corresponds to $q^- = 0$ and case 2 corresponds to $q^- = q^+$. Hence taking $p^- = 0$ and fixing all other parameters, we have a family of models indexed by $q^-$, denoted simply $q$ in what follows, which varies 'continuously' between the two cases. Recall that $q$ is the probability of contagion when the agent invests in self-protection.
If $q = 0$, the agent is completely secure whereas for $q = q^+$, agents have the same probability of contagion whatever their choices to invest or not in self-protection. Hence $q$ can be interpreted as the inverse of the quality of the technology used for self-protection.

First note that when $q = 0$, the technology is 'perfect' since there is no possible loss. We are in the situation of case 1 and we see that due to purely economic reasons, the technology is under-deployed in the network because people 'free-ride' the benefit of the technology. Consider now the case of an arbitrary $q$. Figure 3 shows the adoption curves for different values of $q$. This curve shows the fraction of the population investing in security technology as a function of its cost (normalized by the loss). Other parameters are $p^+ = 0.01$, $q^+ = 0.5$ and $\lambda = 10$.

Figure 3: Adoption curves (curves for q=0, q=0.05, q=0.1 and q=0.15; horizontal axis: c; vertical axis: g).

We observe some counter-intuitive phenomena. First, for a fixed price, increasing the quality of the security technology can lead to a decrease of its adoption in the population! Here is a qualitative interpretation of how this arises: when the technology is not very good, propagation of the epidemic is possible even if the agent uses the technology. Then agents have to pool their efforts in order to compensate for the weakness of the technology. In other words, a large number must invest in self-protection in order to have an acceptable level of security. But when the technology becomes better, then agents that did invest in it start to step down from the group of investors and choose to free-ride.

Second, there is a barrier for choosing self-protection (except when $q = 0$).
Namely for a fixed $q$, we see that there is a range for the parameter $c$ (close to $c_0$) such that the population is 'trapped' in state $N$ whereas for the same values of the parameters, the situation where a large fraction of the population is investing would be a sustainable equilibrium point. There is a possibility of tipping or cascading: inducing some agents to invest in self-protection will lead others to follow suit. The curves of Figure 3 allow us to quantify the minimal number of agents to induce in order to trigger a large cascade of adoption.

6. REFERENCES

[1] D. Aldous and A. Bandyopadhyay. A survey of max-type recursive distributional equations. The Annals of Applied Probability, vol. 15, pp. 1047-1110, 2005.
[2] D. Aldous and J.M. Steele. The objective method: probabilistic combinatorial optimization and local weak convergence. Probability on discrete structures, Springer, vol. 110, pp. 1-72, 2004.
[3] J. Bolot and M. Lelarge. A New Perspective on Internet Security using Insurance. Proc. IEEE Infocom 2008.
[4] J. Bolot and M. Lelarge. Cyber-insurance as an incentive for IT security. Proc. Workshop Economics of Information Security (WEIS), 2008.
[5] E.G. Coffman Jr., Z. Ge, V. Misra. Network resilience: exploring cascading failures within BGP. Proc. 40th Annual Allerton Conference on Communications, Computing and Control, October 2002.
[6] R. Durrett. Random Graph Dynamics. Cambridge U. Press, 2006.
[7] A. Ganesh, L. Massoulie, D. Towsley. The effect of network topology on the spread of epidemics. Proc. IEEE Infocom 2005, Miami, FL, March 2005.
[8] C. Gollier. The Economics of Risk and Time. MIT Press, 2004.
[9] H. Kunreuther and G. Heal. Interdependent security: the case of identical agents. Journal of Risk and Uncertainty, 26(2):231–249, 2003.
[10] M. Lelarge and J. Bolot.
Netw ork externalities and the deploymen t of security features and protocols in th e Internet. Pr o c. A CM Sigmetrics , Annap olis, MD, Jun. 2008. [11] M. Lelarge and J. Bolot. A Lo cal Mean Field Analysis of Security Investmen ts in Netw orks. N etEc on ’08 , Seattle, Aug. 2008. [12] T. Moscibro da, Stefan Sc hmid and Roger W attenhofer. When selfish meets evil: byzanti ne p la ye rs in a virus inocu lation game. PODC ’06: Pr o c e e dings of the twenty-fifth annual ACM symp osium on Principles of distribute d c om puting , 35–44, 2006 . [13] N . Nisan, T. Roughgarden, E. T ardos and V.V. V azirani (ed s). Algorithmic game theory . Cambridge University Pr ess , 2007. [14] M. V o jnovic and A . Ganesh. On the race of wo rms, alerts and patches. Pr o c. ACM Workshop on R apid Malc o de W ORM05 , F airfax, V A, No v. 2005. [15] Wh ite House. ” National Strategy to Secure Cyb erspace” , 2003. Av ail able at whitehouse.gov/pcipb. [16] C. Zou, W. Gong, D . T owsley . Code R ed w orm propagation mod eling and an alysis. Pr o c. 9th ACM Conf. Computer Comm. Se curity CCS’02. , W ashington, D C, Nov 2002. 7. APPENDIX 7.1 Proof of Pr o position 1 Recall that the RDE is given by: Y d = 1 − (1 − φ ) N ∗ Y k =1 (1 − θ k Y k ) , where N ∗ has d istribution P ∗ , φ = D A S + (1 − D ) A N , θ k = DB S k + (1 − D ) B N k where D is a Bernoulli r.v. with parameter γ , Y and Y k are i.i.d. copies. Let h = P ( Y = 1), then we have h = P D = 1 , (1 − A S ) N ∗ Y k =1 (1 − B S k Y k ) = 0 ! + P D = 0 , (1 − A N ) N ∗ Y k =1 (1 − B N k Y k ) = 0 ! = γ (1 − P ( A S = 0)) E h P ( B S k Y k = 0) N ∗ i +(1 − γ )(1 − P ( A N = 0)) E h P ( B N k Y k = 0) N ∗ i , and the first part of Prop osition 1 follo ws. W e define: f ( x, γ ) = 1 − γ (1 − p − ) G N ∗ (1 − q − x ) − (1 − γ )(1 − p + ) G N ∗ (1 − q + x ) , so t hat h is solution of the fix ed p oint equation h = f ( h, γ ) . By taking the deriv ate of f in x , we see t hat x 7→ f ( x , γ ) is a non-d ecreasing concave function. 
Note that $f(0,\gamma) = \gamma p^- + (1-\gamma)p^+ \ge (1-\gamma)p^+$ and $f(1,\gamma) \le 1$. So that for $\gamma < 1$, there exists a unique solution to the fixed point equation $h = f(h,\gamma)$. If $\gamma = 1$, we have $f(0,1) = p^-$ and $f(1,1) < 1$. Then if $p^- = 0$, the fixed point equation has a unique solution $h = 0$ and if $p^- > 0$, then $f(0,1) > 0$ and the fixed point equation still has a unique solution.

We now prove that the function $\gamma \mapsto h(\gamma)$ is non-increasing. By taking the derivative of the function $\gamma \mapsto f(x,\gamma)$, we see that this function is non-increasing in $\gamma$ (while $x$ is fixed). Then for $u \le v$, we get

$$f(h(u),u) = h(u) \ge f(h(u),v) \ge f(f(h(u),v),v) \ge h(v),$$

and the claimed monotonicity of $h$ follows.

7.2 Proof of Proposition 2

Recall that the fixed point equation for $h(\gamma)$ is:

$$h = (1-\gamma)\left(1-(1-p^+)e^{-\lambda q^+ h}\right).$$

Consider now that the cost $c$ and loss $\ell$ are random variables such that the function $t \mapsto P(c/\ell \le t)$ is continuous, then Equation (12) is

$$\begin{aligned}
\gamma &= P\left(c \le \ell\left(1-(1-p^+)e^{-\lambda q^+ h(\gamma)}\right)\right)\\
&= P\left(\frac{c}{\ell} \le \frac{h(\gamma)}{1-\gamma}\right).
\end{aligned}$$

Since the function $h$ is non-increasing, we see that the right-hand side of the first line is a non-increasing function in $\gamma$, hence there exists a unique solution $\gamma^*$ to this fixed point equation. If we take a sequence of distributions such that $c/\ell$ tends to a constant, we see that the solution $\gamma^*$ is such that

$$\frac{c}{\ell} = \frac{h(\gamma^*)}{1-\gamma^*},$$

and the first part of Proposition 2 follows.

Note that we have $p^{N,\gamma} = h(\gamma)/(1-\gamma)$. So for a fixed $\gamma$, the average cost incurred to the population is

$$\gamma c + (1-\gamma)\,p^{N,\gamma}\,\ell = \gamma c + h(\gamma)\ell.$$

Now for $\gamma = \gamma^*$, we have $h(\gamma^*)\ell = (1-\gamma^*)c$, so that the average cost is just $c$ and the last part of Proposition 2 follows.
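The following added example (not code from the paper) checks the proof of Proposition 2 numerically: it solves the fixed point equation for $h(\gamma)$, finds the equilibrium $\gamma^*$ from $c/\ell = h(\gamma^*)/(1-\gamma^*)$, and evaluates the average cost $\gamma c + h(\gamma)\ell$. It uses the values $p^+ = 0.01$, $q^+ = 0.5$, $\lambda = 10$ quoted for Figure 3; the function names, the constant cost $c = 0.3$ and loss $\ell = 1$, and the grid search for the cost-minimising $\gamma$ (which goes beyond the proof) are assumptions of the example.

```python
import math

P_PLUS, Q_PLUS, LAM = 0.01, 0.5, 10.0   # values quoted on the page for Figure 3

def p_noninvestor(h):
    """Loss probability of a non-investor: 1 - (1 - p+) * exp(-lambda * q+ * h)."""
    return 1.0 - (1.0 - P_PLUS) * math.exp(-LAM * Q_PLUS * h)

def solve_h(gamma, iters=100):
    """Unique root in [0, 1] of h = (1 - gamma) * p_noninvestor(h)."""
    # f(h) - h is concave, >= 0 at h = 0 and < 0 at h = 1: bisect on its sign.
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if (1.0 - gamma) * p_noninvestor(mid) - mid > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def equilibrium_gamma(c_over_l, iters=100):
    """gamma* such that c/l = h(gamma*) / (1 - gamma*) = p_noninvestor(h(gamma*))."""
    if c_over_l >= p_noninvestor(solve_h(0.0)):
        return 0.0                       # too expensive: nobody invests
    if c_over_l <= P_PLUS:
        return 1.0                       # cheaper than the direct risk: all invest
    lo, hi = 0.0, 1.0                    # h non-increasing, so is p_noninvestor(h(gamma))
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if p_noninvestor(solve_h(mid)) > c_over_l:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def average_cost(gamma, c, loss):
    """Population average cost gamma * c + h(gamma) * loss, as in the proof."""
    return gamma * c + solve_h(gamma) * loss

def social_optimum(c, loss, grid=2000):
    """Grid search (added here, not in the proof) for the cost-minimising gamma."""
    return min((average_cost(k / grid, c, loss), k / grid) for k in range(grid + 1))

if __name__ == "__main__":
    c, loss = 0.3, 1.0                   # constructed values, for illustration only
    g_star = equilibrium_gamma(c / loss)
    best_cost, g_opt = social_optimum(c, loss)
    print(f"gamma* = {g_star:.4f}, equilibrium cost = {average_cost(g_star, c, loss):.4f}")
    print(f"cost-minimising gamma = {g_opt:.4f}, cost = {best_cost:.4f}")
```

With these values the equilibrium cost equals $c$, as the proof states, while a larger investing fraction gives a strictly lower average cost, which is the free-riding gap the paper describes.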