Benjamin Johnson

Uncertainty in interdependent security games

Even the most well-motivated models of information security have application limitations due to the inherent uncertainties involving risk. This paper exemplifies a formal mechanism for resolving this kind of uncertainty in interdependent security (IDS) scenarios. We focus on a single IDS model involving a computer network, and adapt the model to capture a notion that players have only a very rough idea of security threats and underlying structural ramifications. We formally resolve uncertainty by means of a probability distribution on risk parameters that is common knowledge to all players. To illustrate how this approach might yield fruitful applications, we postulate a well-motivated distribution, compute Bayesian Nash equilibria and tipping conditions for the derived model, and compare these with the analogous conditions for the original IDS model.

The Price of Uncertainty in Security Games

In the realm of information security, lack of information about other users incentives in a network can lead to inefficient security choices and reductions in individuals payoffs. We propose, contrast and compare three metrics for measuring the price of uncertainty due to the departure from the payoff-optimal security outcomes under complete information. Per the analogy with other efficiency metrics, such as the price of anarchy, we define the price of uncertainty as the maximum discrepancy in expected payoff in a complete information environment versus the payoff in an incomplete information environment. We consider difference, payoffratio, and cost-ratio metrics as canonical nontrivial measurements of the price of uncertainty. We conduct an algebraic, numerical, and graphical analysis of these metrics applied to different well-studied security scenarios proposed in prior work (i.e., best shot, weakest-link, and total effort). In these scenarios, we study how a fully rational expert agent could utilize the metrics to decide whether to gather information about the economic incentives of multiple nearsighted and naive agents. We find substantial differences between the various metrics and evaluate the appropriateness for security choices in networked systems.

Uncertainty in the weakest-link security game

Individuals in computer networks not only have to invest to secure their private resources from potential attackers, but have to be aware of the existing interdependencies that exist with other network participants. Indeed, a users security is frequently negatively impacted by protection failures of even just one other individual, the weakest link.

When information improves information security

This paper presents a formal, quantitative evaluation of the impact of bounded-rational security decision-making subject to limited information and externalities. We investigate a mixed economy of an individual rational expert and several naive near-sighted agents. We further model three canonical types of negative externalities (weakest-link, best shot and total effort), and study the impact of two information regimes on the threat level agents are facing.

When Bitcoin Mining Pools Run Dry

Bitcoin has established itself as the most successful cryptocurrency with adoption seen in many commercial scenarios. While most stakeholders have jointly benefited from the growing importance of Bitcoin, conflicting interests continue to negatively impact the ecosystem. In particular, incentives to derive short-term profits from attacks on mining pools threaten the long-term viability of Bitcoin.

Are security experts useful? Bayesian Nash equilibria for network security games with limited information

A common assumption in security research is that more individual expertise unambiguously leads to a more secure overall network. We present a game-theoretic model in which this common assumption does not hold. Our findings indicate that expert users can be not only invaluable contributors, but also free-riders, defectors, and narcissistic opportunists. A direct application is that user education needs to highlight the cooperative nature of security, and foster the community sense, in particular, of higher skilled computer users. n nAs a technical contribution, this paper represents, to our knowledge, the first formal study to quantitatively assess the impact of different degrees of information security expertise on the overall security of a network.

My thoughts are not your thoughts

Authenticating users of computer systems based on their brainwave signals is now a realistic possibility, made possible by the increasing availability of EEG (electroencephalography) sensors in wireless headsets and wearable devices. This possibility is especially interesting because brainwave-based authentication naturally meets the criteria for two-factor authentication. To pass an authentication test using brainwave signals, a user must have both an inherence factor (his or her brain) and a knowledge factor (a chosen passthought). In this study, we investigate the extent to which both factors are truly necessary. In particular, we address the question of whether an attacker may gain advantage from information about a given targets secret thoughts.

A dice game in third person augmented reality

We describe a prototype entertainment application of the augmented-reality toolkit based on a fantasy dice game. Two players roll dice bearing glyphs that are interpreted by a computer, which provides graphical and auditory feedback. Our prototype uses entirely consumer-grade equipment: a USB Webcam, a projector, and a 2 GHz desktop with 5.1 surround speakers. Unlike many AR-Toolkit applications, our players are not encumbered by head-mounted displays. Face-to-face gameplay, integrated with the physicality of a traditional dice game, display results on a shared projection screen from a third-person point-of-view. This combination of elements provides a unique application of AR-Toolkit for merging the spectacle of modern video games with a tangible interface.

Nash Equilibria for Weakest Target Security Games with Heterogeneous Agents

Motivated attackers cannot always be blocked or deterred. In the physical-world security context, examples include suicide bombers and sexual predators. In computer networks, zero-day exploits unpredictably threaten the information economy and end users. In this paper, we study the conflicting incentives of individuals to act in the light of such threats.

Games of Timing for Security in Dynamic Environments

Increasing concern about insider threats, cyber-espionage, and other types of attacks which involve a high degree of stealthiness has renewed the desire to better understand the timing of actions to audit, clean, or otherwise mitigate such attacks. However, to the best of our knowledge, the modern literature on games shares a common limitation: the assumption that the cost and effectiveness of the players’ actions are time-independent. In practice, however, the cost and success probability of attacks typically vary with time, and adversaries may only attack when an opportunity is present (e.g., when a vulnerability has been discovered).