Network Security and Contagion

Working Paper: NBER ID: w19174

Authors: Daron Acemoglu; Azarakhsh Malekian; Asuman Ozdaglar

Abstract: We develop a theoretical model of security investments in a network of interconnected agents. Network connections introduce the possibility of cascading failures due to an exogenous or endogenous attack depending on the profile of security investments by the agents. The general presumption in the literature, based on intuitive arguments or analysis of symmetric networks, is that because security investments create positive externalities on other agents, there will be underinvestment in security. We show that this reasoning is incomplete because of a first-order economic force: security investments are also strategic substitutes. In a general (non-symmetric) network, this implies that underinvestment by some agents will encourage overinvestment by others. We demonstrate by means of examples that there can be overinvestment by some agents and also that aggregate probabilities of infection can be lower in equilibrium compared to the social optimum. We then provide sufficient conditions for underinvestment. This requires both sufficiently convex cost functions (convexity alone is not enough) and networks that are either symmetric or locally tree-like. We also characterize the impact of network structure on equilibrium and optimal investments. Finally, we show that when the attack location is endogenized (by assuming that the attacker chooses a probability distribution over the location of the attack in order to maximize damage), there is an additional incentive for overinvestment: greater investment by an agent shifts the attack to other parts of the network.

Keywords: Network Security; Contagion; Security Investments; Nonsymmetric Networks

JEL Codes: D62; D63


Causal Claims Network Graph

Edges that are evidenced by causal inference methods are in orange, and the rest are in light blue.


Causal Claims

Cause | Effect
Security investments (G12) | Positive externalities (D62)
Agent's failure to invest properly (G24) | Increased risk of infection for self (I12)
Agent's failure to invest properly (G24) | Increased risk of infection for others (I12)
Underinvestment by some agents (E22) | Overinvestment by others (G31)
Aggregate infection probabilities can be lower in equilibrium (D00) | Social optimum (D61)
Convex cost functions and specific network structures (D85) | Equilibrium underinvestment (D52)
Increased investment (E22) | Shift of attack to less secure parts of the network (D85)
