The Center for Education and Research in Information Assurance and Security (CERIAS)


Behavioral and Game-Theoretic Security Investments in Interdependent Systems

Principal Investigator: Saurabh Bagchi

Modern cyber-physical systems (CPS) are increasingly facing attacks by sophisticated adversaries. These attackers are able to identify the susceptibility of different targets in the system and strategically allocate their efforts to compromise the security of the network. In response to such intelligent adversaries, the operators (or defenders) of these systems also need to allocate their often limited security budget across many assets to best mitigate their vulnerabilities. This has led to significant research in understanding how to better secure these systems, with game-theoretical models receiving increasing attention due to their ability to systematically capture the interactions of strategic attackers and defenders.

In the context of large-scale interdependent systems, adversaries often use stepping-stone attacks to exploit vulnerabilities within the network in order to compromise a particular target. Such threats can be captured via the notion of attack graphs that represent all possible paths that attackers may have to reach their targets within the CPS. The defenders in such systems are each responsible for defending some subset of the assets with their limited resources. In much of the existing literature, the defenders and attackers are modeled as fully rational decision-makers who choose their actions to maximize their expected utilities. However, a large body of work in behavioral economics has shown that humans consistently deviate from such classical models of decision-making. A seminal model capturing such deviations is prospect theory (introduced by Kahneman and Tversky in 1979), which shows that humans perceive gains, losses, and probabilities in a skewed (nonlinear) manner, typically overweighting low probabilities and underweighting high probabilities.

We model the behavioral biases of human decision-making in securing interdependent systems and show that such behavioral decision-making leads to a suboptimal pattern of resource allocation compared to non-behavioral (rational) decision-making. We provide empirical evidence for the existence of such a behavioral bias model through a controlled subject study with 145 participants. We then propose three learning techniques for enhancing decision-making in multi-round setups. We illustrate the benefits of our decision-making model through multiple interdependent real-world systems and quantify the level of gain compared to the case in which the defenders are behavioral. We also show the benefit of our learning techniques against different attack models.
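The misallocation described above can be reproduced on a toy attack graph. The following is an added illustration, not code or a model taken from the project. It assumes a Prelec weighting function with parameter 0.5 for the behavioral defender, an edge attack-success probability of exp(-x) for investment x, and a constructed three-edge graph with a budget of 6.

```python
import math
from itertools import product

# Constructed attack graph (assumption): s -e1-> a, then a -e2-> t and a -e3-> t.
PATHS = [("e1", "e2"), ("e1", "e3")]
EDGES = ["e1", "e2", "e3"]
BUDGET, STEPS = 6.0, 60   # assumed budget, split into 60 equal units

def prelec(p, alpha):
    """Prelec weighting w(p) = exp(-(-ln p)^alpha); alpha = 1 is rational."""
    return math.exp(-(max(0.0, -math.log(p)) ** alpha))

def edge_success(x):
    """Assumed model: investment x on an edge cuts attack success to exp(-x)."""
    return math.exp(-x)

def worst_path(alloc, alpha=1.0):
    """Success probability of the attacker's best path as a defender with
    weighting parameter alpha perceives it (alpha = 1 gives the true value)."""
    return max(
        math.prod(prelec(edge_success(alloc[e]), alpha) for e in path)
        for path in PATHS
    )

def best_allocation(alpha):
    """Grid search over all splits of BUDGET for the perceived optimum."""
    unit = BUDGET / STEPS
    candidates = (
        dict(zip(EDGES, (i * unit, j * unit, (STEPS - i - j) * unit)))
        for i, j in product(range(STEPS + 1), repeat=2) if i + j <= STEPS
    )
    return min(candidates, key=lambda a: worst_path(a, alpha))

if __name__ == "__main__":
    for label, alpha in (("rational", 1.0), ("behavioral", 0.5)):
        alloc = best_allocation(alpha)
        print(label, alloc, "true attack success:", worst_path(alloc))
```

Under these assumptions the rational defender places the whole budget on the shared edge e1, while the behavioral defender moves a third of it to e2 and e3, which raises the true attack success probability by a factor of e.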


Other PIs: Shreyas Sundaram, Timothy Cason

Representative Publications

Keywords: cyber-physical system security, game-theoretic security, interdependent systems