Title: How loss profiles reveal behavioural biases in interdependent security decisions

Authors: Alan Nochenson; Jens Grossklags; C.F. Larry Heimann

Addresses: College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802, USA; College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802, USA; Information Systems Program, Carnegie Mellon University, Pittsburgh, PA 15213, USA

Abstract: Most current models of interdependent security decision-making do not explicitly account for the concept of variable loss. In these models, entities either incur some fixed loss when infected or they do not - there is no in-between. Contrary to this, there are a large number of scenarios where the eventual harm caused by a successful attack might vary substantially (e.g., if a web server is attacked, it could be taken offline, it could be used to host illegal content, or it could be used as part of a botnet). This paper introduces the concept of a loss profile in order to capture the notion of variable loss. We exemplify our approach by modelling a simple interdependent network security scenario. We further show how behavioural biases, such as ignorance to low probability events, can be effectively modelled with the concept of loss profiles.

Keywords: loss profiles; behavioural bias; interdependent decisions; security decisions; interdependencies; variable loss; networks; low probability events; decision making; modelling; network security.

DOI: 10.1504/IJITST.2014.064511

International Journal of Internet Technology and Secured Transactions, 2014 Vol.5 No.2, pp.105 - 116

Received: 03 Oct 2012
Accepted: 17 Feb 2013

Published online: 10 Sep 2014