
Research Objectives

Game-Theoretic Approaches to Critical Infrastructure Protection: Reducing the Risks and Consequences of Terrorism. CREATE Conference, November 18, 2004. Vicki Bier, University of Wisconsin-Madison.


Presentation Transcript


  1. Game-Theoretic Approaches to Critical Infrastructure Protection: Reducing the Risks and Consequences of Terrorism • CREATE Conference • November 18, 2004 • Vicki Bier, University of Wisconsin-Madison

  2. Research Objectives • Objective: • Study optimal allocation of resources for protection of systems against intentional attacks • Part of the risk modeling area: • With close tie to economics • (Game theory is a branch of economics) • Potentially applicable to all case studies: • Aviation • Ports • Electricity

  3. Background • Because attackers can modify their strategies in response to our defensive investment: • Defense will generally be more costly when the adversary can observe the system defenses • “Investment in defensive measures, unlike investment in safety measures, saves a lower number of lives…than the apparent direct contribution of those measures” • Ravid (2002) • Security improvements may be less cost-effective than they would initially appear

  4. Game Theory • Determine the optimal defense against an optimal attack • Game theory is a useful model for security and critical infrastructure protection: • Appropriate when protecting against intelligent and adaptable adversaries • Recognizes that defensive strategies must account for attacker behavior

  5. Game between Attackers and Defenders • Need to make assumptions about: • Attacker goals and constraints • Defender goals and constraints • System design features • Protective investment assumed to reduce success probability of attacks

  6. Game between Attackers and Defenders • Consider security of a simple series system: • Defending series systems against informed and determined attackers is a difficult challenge • If the attacker knows about the system’s defenses, the defender’s options are limited: • The defender is largely deprived of the ability to allocate defensive investments by their cost-effectiveness • Instead, defensive investments must equalize the “attractiveness” of all defended components

  7. Importance of Redundancy • Parallel systems: • Any component can perform the function • Attacker must disable all to succeed • Series systems: • Attacker has a wide choice of targets • Defender must protect all components! • Physically in series (pipelines, electric lines) • Multiple failure modes (e.g., multiple points of entry)

  8. Weakest Link Models • Defender must equalize the attractiveness of all defended components • This is generally consistent with the Brookings Institution recommendation to defend only the most valuable assets • However, terrorists also consider the probability of success in choice of targets: • So models should take the success probabilities of attacks against various targets into account

  9. Attacker Knowledge • The assumption that attackers know our defenses may not be unrealistic: • Due to the openness of our society • Public demands knowledge of our defense: • Even when this weakens its effectiveness! • This increases difficulty of defense: • E.g., anthrax protection • Defensive measures may not be effective if they can be easily observed

  10. System Design Features • Redundancy reduces attacker flexibility: • And increases defender flexibility • Traditional reliability design considerations (spatial separation, functional diversity) are also important to defensive strategy • Examples: • Defenses that do not require electricity • Use of both land lines and satellite communications • Secrecy and deception can also be valuable

  11. Extensions with Hedging • Real-world decision makers will want to hedge: • In case they guess wrong about which targets are most attractive to attackers • Recent work assumes that attackers target the most attractive component: • But defenders are uncertain about their attractiveness • Attackers will in general have different values for targets than defenders: • For example, Al-Qaeda prefers targets that are “recognizable in the Middle East” (Woo)

  12. Extensions with Hedging • Defending one target can deflect attacks to targets that are: • Less attractive to attackers (a priori) • But more damaging to defenders! • Optimal defense frequently still involves allocating zero resources to targets with a non-zero probability of successful attack, especially if: • Targets vary widely in their values • Defender is highly resource-constrained

  13. Sample Application • Our results shed light on appropriate allocation of resources among targets: • Focus on the most attractive (and most vulnerable) targets • Spend less money on targets that are unlikely to be attacked • Some states may have relatively few targets worth much investment 

  14. Security versus Safety • In safety applications (natural hazards, accident prevention), the 80/20 rule works well: • Address the top 80% of the risks, at 20% of the cost • By contrast, in security applications: • It may not be worthwhile spending anything at all • Unless you address all serious vulnerabilities • Example: • Don’t bother searching purses and backpacks • If you don’t also search baby carriages!

  15. Extensions in Progress • More complicated system structures: • E.g., adapting past work on least-cost diagnosis to identify “least-cost” attack strategies • As a building block for optimal (or near-optimal) defenses • Non-convex functions for attack success probability as a function of investment: • If minimal levels of investment are required • If investment beyond a threshold deters attackers • Secrecy and deception: • When are these useful? • How can we quantify their benefits?

  16. Game between Defenders • Consider effects of defensive actions on the risks faced by other defenders: • And therefore the strategies they adopt • Some defenses (e.g., car alarms) increase risk to other defenders: • Payoff of investing to any one individual is greater than the net payoff to society • Typically leads to overinvestment in security • Other defenses (e.g., vaccination) decrease risk to other defenders: • “Free riders” • Typically lead to underinvestment in security

  17. Game between Defenders • Extended an earlier “static” model by Kunreuther and Heal to account for attacks over time: • Example--computerized supply chain partners • Differences in discount rates can lead some agents not to invest in security when it is otherwise in their interests: • If other agents choose not to invest • Differences in discount rates can arise due to: • Industries with different rates of return • Risk of impending bankruptcy • Myopia • This game can have multiple equilibrium solutions: • Creating a need for coordinating mechanisms

  18. Sample Application • Computer security in electronic supply chains: • Companies may be vulnerable to weaknesses in computer security on the part of their partners • This can reduce their incentives to invest in their own computer security • Coordinating mechanisms can help to address this problem: • Contract terms • Development of international standards • Loans to enable partners who are not as financially stable to improve their computer security

  19. Conclusions • Protecting against intentional attacks must account for attacker responses: • Most applications of risk analysis fail to take this into account • Most applications of game theory to security deal with individual components in isolation • Combining these approaches makes it possible to invest more cost-effectively: • Avoids wasting resources on defenses that can easily be disabled or circumvented by attackers
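
The equalization rule from slides 6 and 8, and the zero-allocation result from slide 12, worked through as an added example; this is not code or data from the presentation. It assumes that attractiveness is value times attack success probability and that spending c cuts success probability as p0 * exp(-k * c); the slides give no functional form, and the target names and numbers are constructed.

```python
import math

# Constructed sample: (name, attacker's value, baseline success prob, k).
# k is how fast spending cuts success probability: p(c) = p0 * exp(-k * c).
TARGETS = [
    ("pipeline_segment", 100.0, 0.5, 0.2),
    ("pump_station",      80.0, 0.5, 0.1),
    ("control_room",      60.0, 0.3, 0.5),
    ("remote_valve",      20.0, 0.4, 0.3),
]

def equalize_attractiveness(targets, budget, iters=200):
    """Minimise the attractiveness of the most attractive target.

    Attractiveness = value * success probability (assumed model).
    Returns (level, allocation, residual attractiveness per target).
    """
    base = {name: v * p for name, v, p, _ in targets}

    def spend(level):
        # Cost of pushing every target above `level` down to `level`.
        return {name: max(0.0, math.log(base[name] / level) / k)
                for name, _, _, k in targets}

    lo, hi = 1e-12, max(base.values())   # spend(hi) == 0 is always affordable
    for _ in range(iters):               # bisection on a log scale
        mid = math.sqrt(lo * hi)
        if sum(spend(mid).values()) > budget:
            lo = mid
        else:
            hi = mid
    alloc = spend(hi)
    residual = {name: base[name] * math.exp(-k * alloc[name])
                for name, _, _, k in targets}
    return hi, alloc, residual

if __name__ == "__main__":
    level, alloc, residual = equalize_attractiveness(TARGETS, budget=5.0)
    print(f"common attractiveness level: {level:.2f}")
    for name, _, _, k in TARGETS:
        print(f"{name:17s} k={k:.1f} spend={alloc[name]:.2f} "
              f"residual={residual[name]:.2f}")
```

With a budget of 5, all spending goes to the two most attractive targets until they sit at the same level; control_room has the highest k (the most cost-effective place to spend) yet receives nothing, because its attractiveness is already below that level.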
