Examining the popularity and congestion effects associated with security products | Lucideus

Introduction:
A lot of security products are available in the market that includes a mixture of renowned security products and not so popular ones. Products that are renowned enough are carrying a factor of negative externality with it. Valuation of a company’s data depends upon the type of security product it has been using. More renowned security product implies a higher valuation of the data secured. And if we assume an attacker to be rational, then he will minimise his cost by targeting a popular product.


In this blog, I am going to describe the idea that is presented in the research article titled “Interplay between Security Providers, Consumers, and Attackers: A Weighted Congestion Game Approach”, and my take on the same. It examines the impact of the popularity of a security product on chances of it getting attacked. In order to perform the analysis, nonatomic weighted congestion game is considered here. 

Model:

Notation:
I: set of security providers. Defining I := |I |
F(v): the proportion of users with valuation lower than or equal to v
vu: user’s valuation for his data
Vi: total value of protected data 
pi: price charged for the security product chosen

User Data Valuation: 
In this game heterogeneous consumers are considered, that is, each individual is having a different valuation attached to its data. When an attack is successful, the user is assumed to experience a financial loss represented by vu. Distribution of valuation overpopulation is given by cumulative distribution function F(v). Since the users without data valuation are not important for the analysis, therefore, F(0) = 0. It is assumed that the overall valuation of the data is finite. 

Security System Performance:
Here, only a specific type of attack is considered in which some specific machines are directly attacked. The attacker will have to exploit a specific vulnerability of that system. So, if an attack is launched to a system i ∈ I  , then we can consider other machines to be safe. But, there is a success probability attached to the attack, πi, that also depicts the security level of the product. 

Attacker Point of View:  
As mentioned before, if attacker’s point of view is also considered in the analysis then the results are more effective and precise. There is a direct relation between attacker’s gain and valuation of the data protected by security product. More the valuation of data(full account details) secured by-product, more is the gain to the attacker in terms of damage caused or after resale. 

The total valuation of the product is the sum of individual data valuations that product i is securing. Let Fi be the distribution of valuation of users associated with provider i. For each provider i, the total value of protected data is given by: 
https://lh4.googleusercontent.com/TvB7JG_lT-BEaljFeIc-0dyjei9ssXTFsmW0tjH2KzDg-q5TK-AtdsLklbuzKPLQhL9W3nyptXA9hXaxxhiucshdqqwvNcIqwPP4lhYSyuAPVzB-zkhqiBIxcl7xrpeDyNU7FjY

For the attacker, the benefit of executing an attack is on the system is proportional to πiVi. The likeliness of occurrence of an attack is given by Ri(πiVi). Defining the risk to the user for having her data compromised when going for a particular security product is given by Ti(Vi) and this can be further written as: 
https://lh5.googleusercontent.com/d42iptunZ7lGC9fpIz2WTuvCiox95MUZI74g1iDy9Ef67rdkMFZ1OavdAb-st2RmOVI9WKHXOdv6DpkaFx7kFD0bqgvPfDUwb0WEJhpBi5Jo1PPCagY18EvvQop2DUWZ2dG7lVA
User Preference:
For any user u with data valuation vu, cost depends upon the risk attached to security product he is choosing and the price paid for that. So, the total expected cost to the user is given by: 
https://lh4.googleusercontent.com/yNbE7twb5Fwn-s-AtNZ5-5tZlxo_kZFouDtZLTx0SkSycSO39daJiTTMSXteMfXKmCeA0IYRd_yIQg93FhcfxhadRP06VnaAeDP-cO7oJN_Sz5a0m5GqzV0_8ZBhStLxBLH_TpY


A free service is always a valuable option:  
Basic business model of security providers is subscription based. They provide software for free and if additional features are required then the user is required to pay for it depending upon dimensions they choose. Let us consider free avast antivirus software. In this case pi = 0, which implies that expected cost to the user is vuTi(Vi). It is a linear combination of probability multiplied by valuation which is greater than the total valuation to the user. Under such scenarios, the free service is always beneficial for the user. 

User Equilibrium:
As per the model, a rational user should choose the security product which depicts data valuation properly and thereby avoid congestion on a particular product. The decision should not be based on the popularity of the security product entirely. 

Users should behave in self-interest manner, demand for a particular product should be such that expected cost of choosing a product is minimised. Product ‘i’  is chosen in such a way that expected cost is minimum.
https://lh5.googleusercontent.com/VnV4SggR-SoGKrU1wNf3Nh0bVdE7IQ4TgFxBGKXbmdm3Izmo_Rkwo-L4HS13L_tZMhpIToPxsWrNIWsLNtpqWAzuPT8i2RW38e6Q6l1swuicy4g7QZmfKcsURazRx4QQYmK_iFA

Price of Anarchy for user game: In this situation, the price of anarchy is defined as the ratio of total cost in the user equilibrium to the minimum feasible cost. It can take three values: Smaller than 1: It implies that user equilibrium is more efficient as compared to minimum feasible cost. Equal to 1: It implies that efficiency is same for both the cases. Greater than 1: It implies that the user equilibrium is inefficient. Higher the ratio, higher is the inefficiency.


Considering this game, the price of anarchy is found to be 4/3. It implies a moderate level of inefficiency exists in the system due to user’s self-interest. 

Game: Pricing decision of security providers

In this section, prices chosen by the security providers are taken into consideration. The game thus formulated, is a Stackelberg game. While fixing price, providers are able to anticipate user’s reaction. 

We have a two-stage game, wherein stage one providers compete in order to fix prices and in stage two users selfishly select their provider's given prices. The utility of provider ‘i’ is given by ri : =piθi, where θi is the market share of provider ‘i’. Two situations are provided here:

1. Licensed versus Free Security Provider: A simple situation of two security providers is considered here: one provider has set prices equal to 0 and other is a profit maximiser setting a subscription model. Denoting those providers by 0 and 1 where 0 denotes a freeware provider and 1 denotes licensed provider. Since, there is a negative externality emerging due to congestion, after a point benefits derived out of freeware provider becomes less than the cost attached to it. Due to this phenomenon, the licensed provider will experience positive demand and will have the leverage to set the price of his product greater than 0. 

2. Competition among Providers:  This stage considers three providers, two of which have a subscription model and one provides product for free. When there are two providers with a subscription model, in order to attract customers they tend to lower their prices. This might lead to a price war. Due to congestion effect not all of the demand goes to a single provider with the lowest price. So, prices will be set by taking all these effects into consideration. 

Below is presented a numerical illustration of this model in terms of the graph representing a trend in price and revenue of provider as several other factors change. 
https://lh4.googleusercontent.com/6JQPOJ0mczLfvlRjDpXV81AekJDCT12LIkOutwBPagRkcft0izf1rO8e7iTDPxTcjA6RQTOoJYUzelf95qJc1d-cfeqSSGClkZ6FAnSa9r1CD47oK3iPKMmUvd6qyskhyypsT1s

Conclusion:
While formulating a model, consideration of attacker’s possible actions can optimise the overall outcome of the game. Extra congestion created by users which attracts attackers to a pool of valuable data can be reduced if users are allocated properly as per valuation of their data. 

No comments:

Powered by Blogger.