Computer users express a strong desire to prevent attacks, and to reduce the losses from computer and information security breaches. However, despite the widespread availability of various technologies, actual investments in security remain highly variable across the Internet population. As a result, attacks such as distributed denial-of-service and spam distribution continue to spread unabated.
Users may struggle to respond vigorously because the effectiveness of a security decision depends on strong interdependencies within a network and on the type of threat. In this talk, Jens addresses this complexity by analyzing investment decision-making in a unified framework of established games (i.e., weakest-link, best-shot, and total effort) and novel games (e.g., weakest-target).
He examines how incentives shift between investment opportunities in a cooperative good (protection) and a private good (self-insurance), subject to factors such as network size, type of attack, loss probability, loss magnitude, and cost of technology. The findings highlight circumstances where poorly aligned incentives lead to security failures, and how interventions may be helpful.
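The sketch below is an added illustration, not material from the talk. It computes one player's best mix of protection and self-insurance under each of the four games named above. The payoff form (endowment minus expected uninsured loss minus investment costs), the function names and every number are assumptions of this example.

```python
from itertools import product

# All parameter values are constructed for illustration.
M, P, L = 10.0, 0.5, 10.0   # endowment, loss probability, loss magnitude
B, C = 2.0, 3.0             # unit cost of protection, unit cost of self-insurance
GRID = [k / 10 for k in range(11)]  # investment levels 0.0, 0.1, ..., 1.0

def shared_protection(game, e, others):
    """Effective protection in [0, 1] that player i experiences, given its
    own protection level e and the other players' protection levels."""
    if game == "weakest-link":      # network is as strong as its weakest member
        return min([e] + others)
    if game == "best-shot":         # one well-protected member covers everyone
        return max([e] + others)
    if game == "total-effort":      # protection is the network-wide average
        return (e + sum(others)) / (len(others) + 1)
    if game == "weakest-target":    # only the least-protected player(s) are hit
        return 0.0 if e <= min(others) else 1.0
    raise ValueError(f"unknown game: {game}")

def utility(game, e, s, others):
    """Assumed payoff: self-insurance s scales down the loss that gets past
    the shared protection; both investments carry a linear cost."""
    h = shared_protection(game, e, others)
    return M - P * L * (1 - h) * (1 - s) - B * e - C * s

def best_response(game, others):
    """Grid search for player i's payoff-maximising (protection, insurance)."""
    e, s = max(product(GRID, GRID),
               key=lambda es: utility(game, es[0], es[1], others))
    return e, s, utility(game, e, s, others)

if __name__ == "__main__":
    others = [0.2, 0.6, 1.0]  # constructed protection levels of three peers
    for game in ("weakest-link", "best-shot", "total-effort", "weakest-target"):
        e, s, u = best_response(game, others)
        print(f"{game:15s} protection={e:.1f} self-insurance={s:.1f} utility={u:.2f}")
```

With these constructed inputs the player self-insures fully under weakest-link, free-rides under best-shot, invests in nothing under total effort (its own share of the average is worth less than the protection cost), and protects just above the least-protected peer under weakest-target.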