Abstract

We consider a system consisting of multiple interdependent assets, and a set of defenders, each responsible for securing a subset of the assets against an attacker. The interdependencies between assets are captured by an attack graph, where an edge from one asset to another indicates that if the former asset is compromised, an attack can be launched on the latter asset. Each edge has an associated probability of successful attack, which can be reduced via security investments by the defender responsible for that edge. While prior work has studied the security investments in such scenarios, in this work we consider what happens when the defenders exhibit characteristics of boundedly-rational human decision-making that have been identified by behavioral economics. In particular, humans have been shown to perceive probabilities in a nonlinear manner, typically overweighting low probabilities and underweighting high probabilities. We show that such nonlinear probability weighting can affect the security investments in interdependent systems, and suboptimal investments can arise under such weighting in certain network topologies. We also show that the presence of a defender who exhibits behavioral probability weighting can be beneficial for the other defenders in the network, in terms of making their assets more secure.
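
The effect described in the abstract can be reproduced on a small graph. The sketch below is an added illustration, not code or notation from the paper. It assumes a three-edge graph, an exponential decay of edge attack probability with investment, a Prelec-form weighting function with parameter alpha, and a defender who minimizes the perceived probability of the most likely attack path; none of these specifics are given in the abstract.

```python
import math
from itertools import product

# Constructed attack graph: s -e0-> a, then a -e1-> t and a -e2-> t.
# Every attack path crosses e0, so e0 is the critical (min-cut) edge.
PATHS = [(0, 1), (0, 2)]
P0 = [1.0, 1.0, 1.0]     # assumed baseline success probability per edge
BUDGET, UNITS = 1.0, 12  # assumed budget, split into 12 indivisible units

def edge_prob(e, x):
    # Assumed investment model: probability decays exponentially with spend.
    return P0[e] * math.exp(-x)

def prelec(p, alpha):
    # Prelec-form weighting (assumed); alpha = 1 is the rational defender.
    if p <= 0.0 or p >= 1.0:
        return min(max(p, 0.0), 1.0)
    return math.exp(-((-math.log(p)) ** alpha))

def worst_path(x, alpha):
    # Perceived probability of the most likely attack path under allocation x.
    return max(math.prod(prelec(edge_prob(e, x[e]), alpha) for e in path)
               for path in PATHS)

def best_allocation(alpha):
    # Exhaustive search over every split of the budget across the edges.
    best = None
    for k in product(range(UNITS + 1), repeat=len(P0)):
        if sum(k) != UNITS:
            continue
        x = [ki * BUDGET / UNITS for ki in k]
        score = worst_path(x, alpha)
        if best is None or score < best[0]:
            best = (score, k, x)
    # Return units per edge and the true (unweighted) attack probability.
    return best[1], worst_path(best[2], 1.0)

if __name__ == "__main__":
    for alpha in (1.0, 0.5):
        units, risk = best_allocation(alpha)
        print(f"alpha={alpha}: units per edge={units}, true risk={risk:.4f}")
```

Under these assumptions the rational defender puts the whole budget on the shared edge, while the behavioral defender diverts a third of it to the two parallel edges and ends up with a higher true attack probability.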
