Section: New Results
Economics of Networks
Participant : Marc Lelarge.
Analysis of Security Investments in Networks
Malicious softwares or malwares for short have become a major security threat. While originating in criminal behavior, their impact are also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. Our goal in this paper is to model and quantify the impact of such externalities on the investment in security features in a network. In  , we study a network of interconnected agents, which are subject to epidemic risks such as those caused by propagating viruses and worms. Each agent can decide whether or not to invest some amount to self-protect and deploy security solutions which decreases the probability of contagion. Borrowing ideas from random graphs theory, we solve explicitly this "micro"-model and compute the fulfilled expectations equilibria. We are able to compute the network externalities as a function of the parameters of the epidemic. We show that the network externalities have a public part and a private one. As a result of this separation, some counter-intuitive phenomena can occur: there are situations where the incentive to invest in self-protection decreases as the fraction of the population investing in self-protection increases. In a situation where the protection is strong and ensures that the protected agent cannot be harmed by the decision of others, we show that the situation is similar to a free-rider problem. In a situation where the protection is weaker, then we show that the network can exhibit critical mass. We also look at interaction with the security supplier. In the case where security is provided by a monopolist, we show that the monopolist is taking advantage of these positive network externalities by providing a low quality protection.
Cyber Insurance as an Incentive for Internet Security
Entities in the Internet, ranging from individuals and enterprises to service providers, face a broad range of epidemic risks such as worms, viruses, and botnet-driven attacks. Those risks are interdependent risks, which means that the decision by an entity to invest in security and self-protect affects the risk faced by others (for example, the risk faced by an individual decreases when its providers increases its investments in security). As a result of this, entities tend to invest too little in self-protection, relative to the socially efficient level, by ignoring benefits conferred on by others.
In a joint work with Jean Bolot [Sprint ATL, USA]  , we consider the problem of designing incentives to entities in the Internet so that they invest at a socially efficient level. In particular, we find that insurance is a powerful incentive mechanism which pushes agents to invest in self-protection. Thus, insurance increases the level of self-protection, and therefore the level of security, in the Internet. As a result, we believe that insurance should be considered as an important component of risk management in the Internet.