Game-Theoretic Approaches to Critical Infrastructure Protection Workshop on Statistics and Counterterrorism November 20, 2004 Vicki Bier University of Wisconsin-Madison

Upload: victoria-gordon

Post on 15-Jan-2016


TRANSCRIPT

Page 1: Game-Theoretic Approaches to Critical Infrastructure Protection

Workshop on Statistics and Counterterrorism
November 20, 2004

Vicki Bier
University of Wisconsin-Madison

Page 2: Research Objectives

Objective:
– Study optimal allocation of resources for protection of systems against intentional attacks

Related to risk analysis:
– With close tie to economics
– (Game theory is a branch of economics)

Potentially applicable in many areas

Page 3: Background

Because attackers can modify their strategies in response to our defensive investment:
– Defense will generally be more costly when the adversary can observe the system defenses

“Investment in defensive measures, unlike investment in safety measures, saves a lower number of lives…than the apparent direct contribution of those measures” – Ravid (2002)

Security improvements may be less cost-effective than they would initially appear

Page 4: Game Theory

Determine the optimal defense against an optimal attack

Game theory is a useful model for security and critical infrastructure protection:
– Appropriate when protecting against intelligent and adaptable adversaries
– Recognizes that defensive strategies must account for attacker behavior

Page 5: Game between Attackers and Defenders

Need to make assumptions about:
– Attacker goals and constraints
– Defender goals and constraints
– System design features

Protective investment assumed to reduce success probability of attacks

Page 6: Game between Attackers and Defenders

Consider security of a simple series system:
– Defending series systems against informed and determined attackers is a difficult challenge

If the attacker knows about the system’s defenses, the defender’s options are limited:
– The defender is largely deprived of the ability to allocate defensive investments by their cost-effectiveness
– Instead, defensive investments must equalize the “attractiveness” of all defended components

Page 7: Importance of Redundancy

Parallel systems:
– Any component can perform the function
– Attacker must disable all to succeed

Series systems:
– Attacker has a wide choice of targets
– Defender must protect all components!

Physically in series (pipelines, electric lines)
Multiple failure modes (e.g., multiple points of entry)

Page 8: Weakest Link Models

Defender must equalize the attractiveness of all defended components

This is generally consistent with the Brookings Institution recommendation to defend only the most valuable assets

However, terrorists also consider the probability of success in choice of targets:
– So models should take the success probabilities of attacks against various targets into account
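The equalization rule from the series-system and weakest-link slides, worked through as an added example that is not part of the original slides. It assumes an attack on component i succeeds with probability exp(-a_i * c_i) after spending c_i on its defense, and that the attacker sees the defenses and picks the component with the highest value times success probability; the function names and sample numbers are constructed.

```python
import math

def attractiveness(values, eff, alloc):
    # Attacker's expected payoff per component: value * success probability.
    # Assumed success model (not from the slides): exp(-a_i * c_i).
    return [v * math.exp(-a * c) for v, a, c in zip(values, eff, alloc)]

def equalizing_defense(values, eff, budget, tol=1e-9):
    """Minimise max_i v_i * exp(-a_i * c_i) subject to sum(c_i) <= budget."""
    def spend_for(level):
        # Spending needed to push every component down to `level`;
        # components already at or below it get nothing.
        return [max(0.0, math.log(v / level) / a) for v, a in zip(values, eff)]

    lo, hi = 1e-12, max(values)   # invariant: lo unaffordable, hi affordable
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if sum(spend_for(mid)) > budget:
            lo = mid
        else:
            hi = mid
    alloc = spend_for(hi)
    return hi, alloc, attractiveness(values, eff, alloc)

def proportional_defense(values, budget):
    # Naive baseline: split the budget in proportion to component value.
    total = sum(values)
    return [budget * v / total for v in values]

# Constructed sample: four components in series, values in arbitrary units.
VALUES = [100.0, 60.0, 10.0, 5.0]
EFF = [1.0, 1.0, 1.0, 1.0]
BUDGET = 2.0

if __name__ == "__main__":
    level, alloc, attract = equalizing_defense(VALUES, EFF, BUDGET)
    naive = proportional_defense(VALUES, BUDGET)
    print("equalizing allocation:", [round(c, 3) for c in alloc])
    print("attractiveness:", [round(x, 2) for x in attract])
    print("attacker's best payoff:", round(level, 2),
          "vs proportional split:",
          round(max(attractiveness(VALUES, EFF, naive)), 2))
```

With the constructed numbers the two low-value components receive no investment, while the two defended ones end up equally attractive to the attacker.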

Page 9: Attacker Knowledge

The assumption that attackers know our defenses may not be unrealistic:
– Due to the openness of our society

Public demands knowledge of our defense:
– Even when this weakens its effectiveness!

This increases difficulty of defense:
– E.g., anthrax protection

Defensive measures may not be effective if they can be easily observed

Page 10: System Design Features

Redundancy reduces attacker flexibility:
– And increases defender flexibility

Traditional reliability design considerations:
– Spatial separation
– Functional diversity
are also important to defensive strategy

Examples:
– Defenses that do not require electricity
– Use of both land lines and satellite communications

Secrecy and deception can also be valuable

Page 11: Extensions with Hedging

Real-world decision makers will want to hedge:
– In case they guess wrong about which targets are most attractive to attackers

Recent work assumes that attackers target the most attractive component:
– But defenders are uncertain about their attractiveness

Attackers will in general have different values for targets than defenders:
– For example, Al-Qaeda prefers targets that are “recognizable in the Middle East” (Woo)

Page 12: Extensions with Hedging

Defending one target can deflect attacks to targets that are:
– Less attractive to attackers (a priori)
– But more damaging to defenders!

Optimal defense frequently still involves allocating zero resources to targets with a non-zero probability of successful attack, especially if:
– Targets vary widely in their values
– Defender is highly resource-constrained

Page 13: Sample Application

Our results shed light on appropriate allocation of resources among targets:
– Focus on the most attractive (and most vulnerable) targets
– Spend less money on targets that are unlikely to be attacked

Some states may have relatively few targets worth much investment

Page 14: Security versus Safety

In safety applications:
– Natural hazards
– Accident prevention
the 80/20 rule works well:
– Address the top 80% of the risks, at 20% of the cost

By contrast, in security applications:
– It may not be worthwhile spending anything at all
– Unless you address all serious vulnerabilities

Example:
– Don’t bother searching purses and backpacks
– If you don’t also search baby carriages!

Page 15: Extensions in Progress

More complicated system structures:
– E.g., adapting past work on least-cost diagnosis to identify “least-cost” attack strategies
– As a building block for optimal (or near-optimal) defenses

Non-convex functions for attack success probability as a function of investment:
– If minimal levels of investment are required
– If investment beyond a threshold deters attackers

Secrecy and deception:
– When are these useful?
– How can we quantify their benefits?

Page 16: Game between Defenders

Consider effects of defensive actions on the risks faced by other defenders:
– And therefore the strategies they adopt

Some defenses (e.g., car alarms) increase risk to other defenders:
– Payoff of investing to any one individual is greater than the net payoff to society
– Typically leads to overinvestment in security

Other defenses (e.g., vaccination) decrease risk to other defenders:
– “Free riders”
– Typically lead to underinvestment in security

Page 17: Game between Defenders

Extended an earlier “static” model by Kunreuther and Heal to account for attacks over time:
– Example: computerized supply chain partners

Differences in discount rates can lead some agents not to invest in security when it is otherwise in their interests:
– If other agents choose not to invest

Differences in discount rates can arise due to:
– Industries with different rates of return
– Risk of impending bankruptcy
– Myopia

This game can have multiple equilibrium solutions:
– Creating a need for coordinating mechanisms
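Why a game between defenders can have more than one equilibrium, shown on a static two-firm interdependent-security game in the style of the Kunreuther and Heal model the slide names. This is an added example, not from the slides, and it does not model the discount-rate extension; the payoff form, the parameter names (c, p, q, L) and the numbers are assumptions.

```python
from itertools import product

def expected_cost(me_invests, partner_invests, c, p, q, L):
    """Expected cost to one firm (assumed static model).

    c: cost of the security investment
    p: probability of a direct compromise if the firm does not invest
    q: probability of being compromised through a partner that has
       not invested
    L: loss from a compromise (suffered at most once)
    """
    invest = c if me_invests else 0.0
    direct = 0.0 if me_invests else p * L
    not_hit_directly = 1.0 if me_invests else 1.0 - p
    via_partner = 0.0 if partner_invests else not_hit_directly * q * L
    return invest + direct + via_partner

def pure_equilibria(c, p, q, L):
    """All (a_invests, b_invests) pairs where neither firm gains by switching."""
    found = []
    for a, b in product([True, False], repeat=2):
        a_stays = (expected_cost(a, b, c, p, q, L)
                   <= expected_cost(not a, b, c, p, q, L))
        b_stays = (expected_cost(b, a, c, p, q, L)
                   <= expected_cost(not b, a, c, p, q, L))
        if a_stays and b_stays:
            found.append((a, b))
    return found

# Constructed parameters: p*L = 200 and p*L*(1-q) = 100 bound the range
# of investment costs in which both outcomes are stable.
P, Q, LOSS = 0.2, 0.5, 1000.0

if __name__ == "__main__":
    for cost in (50.0, 150.0, 250.0):
        print(cost, pure_equilibria(cost, P, Q, LOSS))
```

At the middle cost both "everyone invests" and "no one invests" are stable, so which one the partners land in depends on coordination; a mechanism that lowers the effective cost of investing below the lower bound leaves only the all-invest outcome.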

Page 18: Sample Application

Computer security in electronic supply chains:
– Companies may be vulnerable to weaknesses in computer security on the part of their partners
– This can reduce their incentives to invest in their own computer security

Coordinating mechanisms can help to address this problem:
– Contract terms
– Government regulation
– Development of international standards
– Loans to enable partners who are not as financially stable to improve their computer security

Page 19: Conclusions

Protecting against intentional attacks must account for attacker responses:
– Most applications of risk analysis fail to take this into account
– Most applications of game theory to security deal with individual components in isolation

Combining these approaches makes it possible to invest more cost-effectively:
– Avoids wasting resources on defenses that can easily be disabled or circumvented by attackers