How loss profiles reveal behavioural biases in interdependent security decisions

Alan Nochenson; Jens Grossklags; C. F.Larry Heimann

doi:10.1504/IJITST.2014.064511

How loss profiles reveal behavioural biases in interdependent security decisions

Alan Nochenson, Jens Grossklags, C. F.Larry Heimann

Penn State University Park

Research output: Contribution to journal › Article › peer-review

1 Scopus citations

Abstract

Most current models of interdependent security decision-making do not explicitly account for the concept of variable loss. In these models, entities either incur some fixed loss when infected or they do not - There is no in-between. Contrary to this, there are a large number of scenarios where the eventual harm caused by a successful attack might vary substantially (e.g., if a web server is attacked, it could be taken offline, it could be used to host illegal content, or it could be used as part of a botnet). This paper introduces the concept of a loss profile in order to capture the notion of variable loss. We exemplify our approach by modelling a simple interdependent network security scenario. We further show how behavioural biases such as ignorance to low probability events, can be effectively modelled with the concept of loss profiles.

Original language	English (US)
Pages (from-to)	105-116
Number of pages	12
Journal	International Journal of Internet Technology and Secured Transactions
Volume	5
Issue number	2
DOIs	https://doi.org/10.1504/IJITST.2014.064511
State	Published - 2014

All Science Journal Classification (ASJC) codes

Computer Science Applications
Computer Networks and Communications

Access to Document

10.1504/IJITST.2014.064511

Cite this

@article{69a69b0ed87c4093b2e3abd4361c5435,

title = "How loss profiles reveal behavioural biases in interdependent security decisions",

abstract = "Most current models of interdependent security decision-making do not explicitly account for the concept of variable loss. In these models, entities either incur some fixed loss when infected or they do not - There is no in-between. Contrary to this, there are a large number of scenarios where the eventual harm caused by a successful attack might vary substantially (e.g., if a web server is attacked, it could be taken offline, it could be used to host illegal content, or it could be used as part of a botnet). This paper introduces the concept of a loss profile in order to capture the notion of variable loss. We exemplify our approach by modelling a simple interdependent network security scenario. We further show how behavioural biases such as ignorance to low probability events, can be effectively modelled with the concept of loss profiles.",

author = "Alan Nochenson and Jens Grossklags and Heimann, {C. F.Larry}",

year = "2014",

doi = "10.1504/IJITST.2014.064511",

language = "English (US)",

volume = "5",

pages = "105--116",

journal = "International Journal of Internet Technology and Secured Transactions",

issn = "1748-569X",

publisher = "Inderscience",

number = "2",

}

TY - JOUR

T1 - How loss profiles reveal behavioural biases in interdependent security decisions

AU - Nochenson, Alan

AU - Grossklags, Jens

AU - Heimann, C. F.Larry

PY - 2014

Y1 - 2014

N2 - Most current models of interdependent security decision-making do not explicitly account for the concept of variable loss. In these models, entities either incur some fixed loss when infected or they do not - There is no in-between. Contrary to this, there are a large number of scenarios where the eventual harm caused by a successful attack might vary substantially (e.g., if a web server is attacked, it could be taken offline, it could be used to host illegal content, or it could be used as part of a botnet). This paper introduces the concept of a loss profile in order to capture the notion of variable loss. We exemplify our approach by modelling a simple interdependent network security scenario. We further show how behavioural biases such as ignorance to low probability events, can be effectively modelled with the concept of loss profiles.

AB - Most current models of interdependent security decision-making do not explicitly account for the concept of variable loss. In these models, entities either incur some fixed loss when infected or they do not - There is no in-between. Contrary to this, there are a large number of scenarios where the eventual harm caused by a successful attack might vary substantially (e.g., if a web server is attacked, it could be taken offline, it could be used to host illegal content, or it could be used as part of a botnet). This paper introduces the concept of a loss profile in order to capture the notion of variable loss. We exemplify our approach by modelling a simple interdependent network security scenario. We further show how behavioural biases such as ignorance to low probability events, can be effectively modelled with the concept of loss profiles.

UR - http://www.scopus.com/inward/record.url?scp=84906878055&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84906878055&partnerID=8YFLogxK

U2 - 10.1504/IJITST.2014.064511

DO - 10.1504/IJITST.2014.064511

M3 - Article

AN - SCOPUS:84906878055

SN - 1748-569X

VL - 5

SP - 105

EP - 116

JO - International Journal of Internet Technology and Secured Transactions

JF - International Journal of Internet Technology and Secured Transactions

IS - 2

ER -

How loss profiles reveal behavioural biases in interdependent security decisions

Abstract

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this