Week 6 Exercises: Strategic Incentives
Varian’s paper presented 3 ways that defenders can combine their efforts to protect against attacks:
- Weakest Link: Defense depends on the person working the least hard to protect
- Best Shot: Defense depends on the person working the hardest to protect
- Total Effort: Defense depends on the total efforts of everyone working
Let’s do a quick exercise. Which of the three descriptions best describes each of the following situations?
- Botnets: Each of us has a computer; none of us want to be in a botnet.
- Credit card fraud: You, your bank, and the people you buy stuff from all don’t want your credit card number to be stolen.
- ISACs: Companies in your industry share information with each other (through a council called an “ISAC”) when they get hacked.
- Network Perimeter: A company has a firewall; computers inside the firewall can talk to each other but not the outside world (aka possible hackers).
- Software Bugs: We all use an important piece of software, and want to make sure we find any bugs that can be exploited before the hackers do.
- Criminals getting caught: A group of criminals get interviewed by the police; if one of them confesses they all go to jail.
- Security Team: A company was hacked, but they don’t know how. They bring in a team of experts to look at the logs and find the hackers.
Properties of situations
Now, let’s look at what Varian said some of the properties of these three types of situations are:
Property | Weakest Link | Best Shot | Total Effort |
---|---|---|---|
How it works | whoever works least | whoever works hardest | everyone combined |
Who determines? | lowest benefit/cost | highest benefit/cost | highest benefit/cost |
Who does work? | everyone | only champion | only champion? |
Works best for | small groups | anyone | big groups |
How to make it better | Negligence Rule | Liability | Liability |
Easy to disrupt? | yes | ??? | No |
Weakest Link:
- Defense is determined by whoever works the least hard
- This will be the person with the lowest benefits or highest costs of defense
- Everyone else will do just enough work to not be the weakest link
- System becomes increasingly weak when more people are involved
- Liability doesn’t solve this; negligence rules (minimum standards) can
- Easy for adversaries to disrupt; “Battle between the slackers”
Best Shot:
- Defense is determined by whoever works the hardest
- This will be the person with the highest benefit / cost ratio of defense
- Everyone else will free ride; let that person do all the work
- Adding more people doesn’t make the system weaker or stronger
- Fines / liability for low effort can increase security (least cost avoider rule)
- Easy for adversaries to disrupt? Stop the one best effort person?
Total Effort:
- Defense is determined by the efforts of everyone involved added together
- Similar to best shot, all the work will be done by the person with the highest benefit or lowest cost
- Everyone else will free ride, reducing efforts
- System becomes stronger when more people are involved
- Fines / liability for low effort can increase security (least cost avoider rule)
- Hard for adversaries to disrupt; “Battle between the champions”
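The three summaries above can be checked numerically. The following is an added example, not taken from Varian's paper or the course materials: it builds the effort profile each summary predicts and verifies that no defender gains by changing effort unilaterally. Assumptions: protection succeeds with probability 1 - exp(-effort), cost is linear in effort, and the (benefit, cost) pairs and all function names are constructed for illustration.

```python
import math

GRID = [i / 100 for i in range(501)]  # candidate effort levels 0.00 .. 5.00
AGGREGATE = {"weakest_link": min, "best_shot": max, "total_effort": sum}

def p_secure(effort):
    # Assumed success probability: increasing and concave in combined effort.
    return 1 - math.exp(-effort)

def payoff(agent, i, efforts, model):
    value, cost = agent
    return value * p_secure(AGGREGATE[model](efforts)) - cost * efforts[i]

def solo_optimum(agent):
    # Effort this defender would pick if nobody else contributed anything.
    return max(GRID, key=lambda x: payoff(agent, 0, [x], "total_effort"))

def predicted_profile(agents, model):
    # Weakest link: everyone matches the least motivated defender.
    solo = [solo_optimum(a) for a in agents]
    if model == "weakest_link":
        return [min(solo)] * len(agents)
    champion = max(range(len(agents)), key=lambda i: agents[i][0] / agents[i][1])
    return [solo[i] if i == champion else 0.0 for i in range(len(agents))]

def is_nash(agents, efforts, model):
    # True when no single defender can raise their own payoff by deviating.
    for i, agent in enumerate(agents):
        current = payoff(agent, i, efforts, model)
        for x in GRID:
            trial = efforts[:i] + [x] + efforts[i + 1:]
            if payoff(agent, i, trial, model) > current + 1e-12:
                return False
    return True

AGENTS = [(2.0, 1.0), (8.0, 1.0), (4.0, 1.0)]  # constructed (benefit, cost) pairs

if __name__ == "__main__":
    for model in AGGREGATE:
        profile = predicted_profile(AGENTS, model)
        print(model, profile, "stable:", is_nash(AGENTS, profile, model))
```

The check confirms that each predicted profile is an equilibrium under these assumptions, not that it is the only one. Passing a profile where everyone keeps their solo effort under `total_effort` returns `False`, which is the free-riding incentive in action.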
What are misaligned incentives generally? And how can we identify misaligned incentives?
Finally, a reminder: Please read the case study document about the Mirai botnet ahead of time, before Thursday’s class. The article is available on Canvas, under “Files”.