Effects of Behavioral Decision-Making in Game-theoretic Frameworks for Security Resource Allocation in Networked Systems

Facing increasingly sophisticated attacks from external adversaries, interdependent systems owners have to judiciously allocate their (often limited) security budget in order to reduce their cyber risks. However, when modeling human decision-making, behavioral economics has shown that humans consistently deviate from classical models of decision-making. Most notably, prospect theory, for which Kahneman won the 2002 Nobel memorial prize in economics, argues that humans perceive gains, losses and probabilities in a skewed manner. While there is a rich literature on prospect theory in economics and psychology, most of the existing work studying the security of interdependent systems does not take into account the aforementioned biases.

In this thesis, we propose novel mathematical behavioral security game models for the study of human decision-making in interdependent systems modeled by directed attack graphs. We show that behavioral biases lead to suboptimal resource allocation patterns. We also analyze the outcomes of protecting multiple isolated assets with heterogeneous valuations via decision- and game-theoretic frameworks, including simultaneous and sequential games. We show that behavioral defenders over-invest in higher-valued assets compared to rational defenders. We then propose different learning-based techniques and adapt two different tax-based mechanisms for guiding behavioral decision-makers towards optimal security investment decisions. In particular, we show the outcomes of such learning and mechanisms on four realistic interdependent systems. In total, our research establishes rigorous frameworks to analyze the security of both large-scale interdependent systems and heterogeneous isolated assets managed by human decision makers, and provides new and important insights into security vulnerabilities that arise in such settings.