Network defense and behavioral biases: an experimental study

Published online by Cambridge University Press: 14 March 2025

Daniel Woods
Affiliation:
Economics Department in the Krannert School of Management at Purdue University, Purdue University, West Lafayette, IN, USA
Mustafa Abdallah
Affiliation:
School of Electrical and Computer Engineering at Purdue University, Purdue University, West Lafayette, IN, USA
Saurabh Bagchi
Affiliation:
School of Electrical and Computer Engineering at Purdue University, Purdue University, West Lafayette, IN, USA
Shreyas Sundaram
Affiliation:
School of Electrical and Computer Engineering at Purdue University, Purdue University, West Lafayette, IN, USA
Timothy Cason*
Affiliation:
Economics Department in the Krannert School of Management at Purdue University, Purdue University, West Lafayette, IN, USA

Abstract

How do people distribute defenses over a directed network attack graph, where they must defend a critical node? This question is of interest to computer scientists, information technology and security professionals. Decision-makers are often subject to behavioral biases that cause them to make sub-optimal defense decisions, which can prove especially costly if the critical node is an essential infrastructure. We posit that non-linear probability weighting is one bias that may lead to sub-optimal decision-making in this environment, and provide an experimental test. We find support for this conjecture, and also identify other empirically important forms of biases such as naive diversification and preferences over the spatial timing of the revelation of an overall successful defense. The latter preference is related to the concept of anticipatory feelings induced by the timing of the resolution of uncertainty.

Type
Original Paper
Copyright
Copyright © 2021 Economic Science Association

Footnotes

Supplementary Information: The online version contains supplementary material available at https://doi.org/10.1007/s10683-021-09714-x.

This research was supported by grant CNS-1718637 from the National Science Foundation. We thank the editor, two anonymous referees, and participants at the Economic Science Association and Jordan-Wabash conferences for valuable comments.
