Selfish or Malicious: Price of malice in human-centric security decision-making for attack graph-based interdependent systems

Mustafa Abdallah, Daniel Woods, Timothy Cason

Research output: Contribution to journal › Article › peer-review

Abstract

Interdependent systems are increasingly vulnerable to rapidly growing cybersecurity threats. In this work, we investigate security decision-making in such systems, which are managed by multiple defenders. Each defender is tasked with protecting a specific subset of assets against potential attackers. The interdependencies among these assets are modeled using an attack graph, where an edge between two assets indicates that compromising one asset can enable an attack on the other. Each edge is associated with a probability of successful attack, which can be reduced through strategic security investments by the defenders. We employ game-theoretic models to analyze these systems and incorporate the effects of behavioral probability weighting bias, a well-documented phenomenon in human decision-making under risk. Additionally, we introduce malicious players into the framework, whose objective is to maximize the total social cost of the interdependent system. We demonstrate that malicious security games possess an equilibrium, providing a foundation for analyzing such systems. We then present examples to highlight the differences between the socially optimal solution and the equilibrium solutions under both selfish and malicious players, and analyze the inefficiencies that malicious players and behavioral probability weighting introduce into the system's social cost. We adapt widely-used metrics to quantify these inefficiencies, derive bounds, and show that the inefficiency grows exponentially with increases in the security budget. We evaluate our models using four representative real-world interdependent systems, comparing game-theoretic optimal investments with socially optimal investments. Furthermore, we benchmark our approach against four popular security resource allocation methods on attack graphs. This work provides a comprehensive framework for understanding and mitigating cybersecurity risks in interdependent systems, accounting for both behavioral biases and the presence of internal malicious actors.
Original language: English
Article number: 4
Pages (from-to): 1-23
Number of pages: 23
Journal: International Journal of Information Security
Volume: 25
Issue number: 1
DOIs: (not captured on this page)
Publication status: Published - Feb 2026

Bibliographical note

© The Author(s) 2025. Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.

Keywords

  • Attack Graphs
  • Human Security Decision-making
  • Interdependent Systems
  • Price of Malice
  • Critical Infrastructure
  • Security Games
  • Prospect Theory
