Computer users express a strong desire to prevent attacks and to reduce the losses from computer and information security breaches. However, security compromises are common and widespread and highly damaging. Next to attackers' increased sophistication, a root cause for the harm inflicted is that users often fail to optimally protect their resources or to recover gracefully from a security breach.

We argue that users often underestimate the strong mutual dependence between their security strategies and the economic environment (e.g., threat model) in which these choices are made and evaluated. This misunderstanding weakens the effectiveness of users' security investments, and is compounded by heterogeneity within the user population, in some cases further reducing incentives for cooperation and coordination.

We study how economic agents invest into security in five different economic environments, that are characteristic of different threat models. We consider generalized models of traditional public goods games (e.g., total effort and weakest link) and two recently proposed games (e.g., weakest target game). Agents may split their contributions between a public good (protection) and a private good (self-insurance).

Our analysis centers on how agents respond to incentives when important parameters of the game (i.e., loss probability, loss magnitude, and cost of technology) are heterogeneous in the agent population. We also highlight key differences to the case of homogeneous decision makers. For example, security investments may become substantially more sensitive to the size of the network. We extend our results to discuss important modes of intervention.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Alessandro Acquisti , Jens Grossklags, Privacy and Rationality in Individual Decision Making, IEEE Security and Privacy, v.3 n.1, p.26-33, January 2005  [doi>10.1109/MSP.2005.22]
	2	R. Anderson, Why Information Security is Hard-An Economic Perspective, Proceedings of the 17th Annual Computer Security Applications Conference, p.358, December 10-14, 2001
	3	R. Anderson and T. Moore. The economics of information security. Science, 314(5799):610--613, October 1998.
	4	AOL/NSCA. Online safety study, October 2004. Available at: http://www.security.iia.net.au/~downloads/safety_study_v04.pdf.
	5	Terrence August , Tunay I. Tunca, Network Software Security and User Incentives, Management Science, v.52 n.11, p.1703-1720, November 2006  [doi>10.1287/mnsc.1060.0568]
	6	J. Brandts and W. MacLeod. Equilibrium selection in experimental games with recommended play. Games and Economic Behavior, 11(1):36--63, October 1995.
	7	Bruskin Research. Nearly one in four computer users have lost content to blackouts, viruses and hackers according to new national survey, 2001. Condensed results available at: http://www.corporate-ir.net/ireye/ir_site.zhtml?ticker=iom&script=410&layout=-6&item_id=163653.
	8	John A. Bull , Li Gong , Karen R. Sollins, Towards Security in an Open Systems Federation, Proceedings of the Second European Symposium on Research in Computer Security, p.3-20, November 23-25, 1992
	9	C. Camerer. Behavioral Game Theory: Experiments in Strategic Interaction. Princeton University Press, Princeton, NJ, 2003.
	10	P. Chen, G. Kataria, and R. Krishnan. On software diversification, correlated failures and risk management, April 2006. Available at SSRN: http://ssrn.com/abstract=906481.
	11	Nicolas Christin , Jens Grossklags , John Chuang, Near rationality and competitive equilibria in networked systems, Proceedings of the ACM SIGCOMM workshop on Practice and theory of incentives in networked systems, September 03-03, 2004, Portland, Oregon, USA  [doi>10.1145/1016527.1016536]
	12	David D. Clark , John Wroclawski , Karen R. Sollins , Robert Braden, Tussle in cyberspace: defining tomorrow's internet, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	13	George Danezis , Ross Anderson, The Economics of Resisting Censorship, IEEE Security and Privacy, v.3 n.1, p.45-50, January 2005  [doi>10.1109/MSP.2005.29]
	14	I. Ehrlich and G.S. Becker. Market insurance, self-insurance, and self-protection. Journal of Political Economy, 80(4):623--648, July 1972.
	15	An inquiry into the nature and causes of the wealth of internet miscreants, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315292]
	16	E. Friedman, M. Shor, S. Shenker, and B. Sopher. An experiment on learning with limited information: nonconvergence, experimentation cascades, and the advantage of being slow. Games and Economic Behavior, 47(2):325--352, May 2004.
	17	D. Geer, C. Pfleeger, B. Schneier, J. Quarterman, P. Metzger, R. Bace, and P. Gutmann. Cyberinsecurity: The cost of monopoly. How the dominance of Microsoft's products poses a risk to society, 2003. Available from Computer & Communications Industry Association at http://www.ccianet.org/papers/cyberinsecurity.pdf.
	18	Lawrence A. Gordon , Martin P. Loeb, The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.438-457, November 2002  [doi>10.1145/581271.581274]
	19	Jens Grossklags , Nicolas Christin , John Chuang, Secure or insure?: a game-theoretic analysis of information security games, Proceeding of the 17th international conference on World Wide Web, April 21-25, 2008, Beijing, China  [doi>10.1145/1367497.1367526]
	20	J. Hartley. Retrospectives: The origins of the representative agent. The Journal of Economic Perspectives, 10(2):169--177, Spring 1996.
	21	Kjell Hausken, Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability, Information Systems Frontiers, v.8 n.5, p.338-349, December 2006  [doi>10.1007/s10796-006-9011-6]
	22	J. Hirshleifer. From weakest-link to best-shot: the voluntary provision of public goods. Public Choice, 41(3):371--386, January 1983.
	23	D. Kahneman and A. Tversky. Choices, values and frames. Cambridge University Press, Cambridge, UK, 2000.
	24	Srikanth Kandula , Dina Katabi , Matthias Jacob , Arthur Berger, Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds, Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation, p.287-300, May 02-04, 2005
	25	S. Karau and K. Williams. Social loafing: A meta-analytic review and theoretical integration. Journal of Personality and Social Psychology, 65(4):681--706, October 1993.
	26	Soon Hin Khor , Nicolas Christin , Tina Wong , Akihiro Nakao, Power to the people: securing the internet one edge at a time, Proceedings of the 2007 workshop on Large scale attack defense, August 27-27, 2007, Kyoto, Japan  [doi>10.1145/1352664.1352666]
	27	J. Kuang, R. Weber, and J. Dana. How effective is advice from interested parties?: An experimental test using a pure coordination game. Journal of Economic Behavior and Organization, 62(4):591--604, April 2007.
	28	S. Malphrus. The "I Love You" computer virus and the financial services industry, May 2000. Testimony before the Subcommittee on Financial Institutions of the Committee on Banking, Housing, and Urban Affairs, U.S. Senate. http://www.federalreserve.gov/BoardDocs/ testimony/2000/20000518.htm.
	29	David Moore , Vern Paxson , Stefan Savage , Colleen Shannon , Stuart Staniford , Nicholas Weaver, Inside the Slammer Worm, IEEE Security and Privacy, v.1 n.4, p.33-39, July 2003  [doi>10.1109/MSECP.2003.1219056]
	30	David Moore , Colleen Shannon , k claffy, Code-Red: a case study on the spread and victims of an internet worm, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637244]
	31	Adam J. O'Donnell , Harish Sethu, On achieving software diversity for improved network security using distributed coloring algorithms, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030101]
	32	Niels Provos , Dean McNamee , Panayiotis Mavrommatis , Ke Wang , Nagendra Modadugu, The ghost in the browser analysis of web-based malware, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.4-4, April 10, 2007, Cambridge, MA
	33	M. Rabin. Psychology and economics. Journal of Economic Literature, 36(1):11--46, March 1998.
	34	Eric Rescorla, Security holes... who cares?, Proceedings of the 12th conference on USENIX Security Symposium, p.6-6, August 04-08, 2003, Washington, DC
	35	T. Sandler and K. Hartley. Economics of alliances: The lessons for collective action. Journal of Economic Literature, XXXIX(3):869--896, September 2001.
	36	Stefan Saroiu , Steven D. Gribble , Henry M. Levy, Measurement and analysis of spywave in a university environment, Proceedings of the 1st conference on Symposium on Networked Systems Design and Implementation, p.11-11, March 29-31, 2004, San Francisco, California
	37	J. Shachat and J.T. Swarthout. Do we detect and exploit mixed strategy play by opponents? Mathematical Methods of Operations Research, 59(3):359--373, July 2004.
	38	The Honeynet Project. Know your enemy: the tools and methodologies of the script-kiddie, July 2000. Available online at http: //project.honeynet.org/papers/enemy/.
	39	H.R. Varian. System reliability and free riding. In L.J. Camp and S. Lewis, editors, Economics of Information Security (Advances in Information Security, Volume 12), pages 1--15. Kluwer Academic Publishers, Dordrecht, The Netherlands, 2004.
	40	N. Weaver , D. Ellis , S. Staniford , V. Paxson, Worms vs. perimeters: the case for hard-LANs, Proceedings of the High Performance Interconnects, 2004. on Proceedings. 12th Annual IEEE Symposium, p.70-76, August 05-07, 2004  [doi>10.1109/CONECT.2004.1375206]
	41	N. Weaver and V. Paxson. A worst-case worm. In Proceedings (online) of the Third Annual Workshop on Economics and Information Security (WEIS'04), Minneapolis, MN, May 2004. Available at http: //www.dtc.umn.edu/weis2004/weaver.pdf.
	42	L. Zhuang, J. D. Tygar, and R. Dhamija. Injecting heterogeneity through protocol randomization. International Journal of Network Security, 4(1):45--58, January 2007.