You Can Only Die Once:
Interdependent Security in an Uncertain World
Howard Kunreuther
Center for Risk Management and Decision Processes
The Wharton School
University of Pennsylvania
(kunreuther@wharton.upenn.edu)
CIS620/OPIM952
February 11, 2003
1
Characteristics of the Problem
 Risk faced by one person depends
on actions of others (negative stochastic
externalities)
 Non-additive damages (You can only die
once – two events no worse than one)
2
What is Interdependent Security?
Protect against a risk by making an investment
Airline can invest in baggage security system to
reduce chance of bomb explosions
Investment in computer protection against viruses
and hackers
BUT can be contaminated by others even after
investing
Airline can be contaminated by bags transferred
from other airlines that did not invest
Computer can be attacked by viruses from other
computers on the network
3
Types of Problems
 Investing in airline security
 Securing computer systems against attacks.
 Avoiding divisional gambles that could bring bankrupt entire firm.
 Nick Leeson & collapse of Baring’s
 Arthur Andersen brought into bankruptcy by Houston branch.
 Investing in Research and Development (R&D)
 Vaccination Against Diseases
4
Scenario Illustrating IDS
Be Careful (BC) Airlines considers installing
baggage checking system for added protection.
Needs to balance the cost of this system with
reduction in risk of explosion of luggage not
only checked in with BC but also from bags of
passengers checked in on other airlines &
transferred to BC.
5
Game Theory Framework
Identical Agents
Airlines A1 and A2.
 Y = income of airline before expenditure on security
 Probability contaminated bag is accepted & explodes in A i : p
 Probability contaminated bag accepted by Ai is transferred to
another airline where it explodes : q
Loss if a bag explodes : L.
 Investment Cost of Baggage Security System: c
 Threats respond to security measures
6
Payoffs & Contamination
Investing (S) & Not Investing (N) in Security System
AIRLINE 2
S
N
S
Y -c, Y -c
Y- c - qL, Y - pL
AIRLINE 1
N
Y - pL, Y – c - qL
Y–pL– (1-p)qL, Y–pL– (1-p)qL
If c < pL(1-q) then each will invest.
Alone would invest if c < pL.
Tighter inequality reflects reduced incentive to invest
because of interdependence & risk of contamination.
Investment no longer buys complete security
7
A Simple Numerical Example
Expected Costs Associated with Investing (S) and
Not Investing (N) in Baggage Security System
AIRLINE 2
S
S
Y -95, Y -95
N
Y -100, Y -295
N
Y-295, Y -100
AIRLINE 1
Y -280, Y -280
Decisions
If A2 has a security system (S) then it is worthwhile for A1 to invest in one
Expected losses reduced by pL= - 100
Cost of baggage security system. = 95
If A2 does not invest in security (N) then A1 will not want to invest in one
Expected losses reduced by p(1-q)L - (280-200) = -80
Cost of baggage security system. = 95
8
Types of Nash Equilibria for Different c Values
If
c > pL
then (N,N) is a dominant strategy
If
c < pL(1-q) then (S, S) is dominant strategy
If
pL(1-q) < c < pL then (S,S) & (N,N) are Nash equilibria
Illustrative Example: p=.1 q=.2
L=1000
If
c > 100
then (N, N) is a dominant strategy
If
c < 80
then (S, S) is dominant strategy
If
80 < c <100 then (S,S) & (N,N) are Nash equilibria
9
Impact of Contamination on Nash Equilibria
if there are n Agents
Define Xi(n,0) to be the negative externalities to Agent i if it invests
in security and none of the other agents do.
What is expected cost to Agent i from investing in security if none
of the other agents invest in security?
E(Cost from Investing) = Y - c – Xi(n,0)
What is expected cost to Agent i from not investing in security if
none of the other agents invest in security?
E(Cost from Not Investing ) = Y- pL - (1-p) Xi(n,0)
Agent i will only want to invest in security if
Y- c – Xi(n,0) > Y- pL- (1-p) Xi(n,0)
This implies that
c < p [L- Xi(n,0)]
10
Impact of Contamination for n Agents:
Airline Security Problem
One can show that the negative externalities to airline i if it
invests in security and none of the others do is:
n-2
Xi(n,0) = [q/(n-1)]  [ [1-q /(n-1)] t] L= {1- [1-q/(n-1)] n-1} L
t=0
What is the expected loss [E(L)] to Airline i if it does not invest in
security and none of the others invest in security?
E (L) = pL + (1-p) Xi(n,0)
In the limit as n  then Xi(n,0) = (1 - e-q) L
We know that if c < p[ L –Xi(n,0)] then Airline i will not invest in
security
Hence if c < p [e-q L] then Airline i will not invest in security
11
Impact of Contamination on Computer Security
One unprotected computer can infect all the others in the network
Expected negative externalities imposed by all other agents on i = Xi(n,0))
n-2
Xi(n,0) = q L  [ (1-q) t]= [1-(1-q)
t=0
n-1]
L
What is the expected loss [E(L)] to Computer i if it invests in security
and none of the others do?
E (L) = pL + (1-p) Xi(n,0)
In the limit as n  then Xi(n,0) = L so that E(L)=L
Note: c < p [ L –Xi(n,0) ] for Computer i to want to invest in security
Hence in the limit c < 0 so there is no cost incentive to invest in
protecting any machine against viruses or hackers if none of the other
machines are protected.
12
More is worse – much!
 Bottom line – one unprotected firm/individual poses a
contamination problem for others
 Link many of them so that security of each depends
on what others do and problem gets worse as
number of unprotected agents increases
 Some individuals/firms offer vast policy leverage
because of their linkages & positions in the network
(Have tipping power: Can lead everyone to protect)
13
Game Theory Framework
Heterogeneous Agents
Airlines A1 and A2.
 Y = income of airline before expenditure on security
 Probability contaminated bag is accepted & explodes in A i : pi
 Probability contaminated bag accepted by Ai is transferred to
another airline where it explodes : qi
Loss if a bag explodes : L.
 Investment Cost of Baggage Security System for Ai : ci
14
Payoffs & Contamination
Investing (S) & Not Investing (N) in Security System
AIRLINE 2
S
N
S
Y –c1 Y –c2
Y- c2 – q1 L, Y – p2 L
AIRLINE 1
N
Y – p1 L, Y – c2 – q1 L
Y – p1 L – (1-p1 )q 2L,
Y – p2 L – (1-p2 )q 1L
If ci < pi L(1-qj ) then each will invest.
Alone would invest if ci < pi L.
Tighter inequality reflects reduced incentive to invest
because of interdependence & risk of contamination.
Investment no longer buys complete security
15
c2
N,N is Nash
NN is
Nash and
dominant
S,N
p 2L
S,S is Nash
equilibrium
p
N,N is Nash
Either N,N or S,S
is Nash equilibrium
2L(1-q 1)
S,S is dominant strategy
& Nash equilibrium
S,S is Nash
equilibrium
N,S
c1
p1L(1-q 2)
p1L
16
Tipping & contamination when airlines
have different costs and risks
Ei (n,0) - negative externalities imposed by airline i on all other
airlines when no other airlines invest and airline i changes from
investing to not investing
Note Ei (n,0) is externality imposed by airline i on other airlines
while Xi (n,0) is externality imposed on airline i when no other
airlines invest in security
 If by switching from N to S a single airline i can cause all others to
switch from N to S it will be the one with the highest Ei (n,0). This
turns out to be the same as the airline with the highest qi.
 If by switching from N to S a group of K airlines can cause all
others to follow they will be the ones having the K highest Ei (n,0).
17
Illustrative Example of Tipping
Consider 3 airlines
 Airlines 1 and 2 are identical
(p1 = p2 =0.1; q1 = q2 =0.1; c1 = c2 =90
 Airline 3 has risks and costs so that the Nash
Equilibrium is where no airline invests in security
( q3 =0.5 and c3 is high enough so A3 doesn’t
want to invest)
If A3 is taxed so it decides to invest in security it will
tip the equilibrium so both A1 and A2 will also want
to invest in security
18
100, 100
c2
Equilibrium in DS is (N,N)
90, 90
75, 75
Actual costs (85, 85)
in (N,N) region
71.25, 71.25
Equilibrium in DS is
(S,S)
c1
Figure 2
19
Equilibrium in DS is (N,N)
c2
100, 100
90, 90
71.25, 71.25
75, 75
Actual costs (85, 85)
in (S,S) region
Equilibrium in DS is
(S,S)
c1
Figure 3
20
Investing in R&D
Same structure as airline security problem with the
following key differences


airline security---investment by one airline encourages
others to also invest and can lead to tipping behavior
R&D—investment by one firm discourages others from
following suit and can lead to free riding
Nash Equilibrium for R&D Problem



If no firms are investing then E(return) is at its highest level
In all firms are investing then E(return) is at its lowest level
If there are gains to being first, there is a wider range where
investment by all firms can be a dominant strategy
21
c2
N,N only
I,N only
p 2G
Both I,N & N,I
p2{1-q1}G
N,I only
I,I only
p1{1-q2}G
p1G
c1
Figure 4
22
Bioterrorism & Vaccination
 What should public policy be on smallpox


vaccination? (e.g. requiring it for certain
groups; voluntary decision)
Interdependent security models relevant –
 You only catch smallpox once
 My risk depends on whether you are
vaccinated
Applying IDS models to analyze public policy
here
23
Bioterrorism & Vaccination
 Analyze Nash equilibrium of individual
choices over vaccination
 Each person’s choice depends on
probability of infection, severity, and
costs of vaccination
 And probability of infection depends on
what choices others make
24
Bioterrorism & Vaccination
 Epidemiological models assume either
all or none vaccinated
 Modeling individual choice an important
advance as this can make or break
public policies
 Show that a wide range of outcomes is
possible and how to influence the
outcome
25
Patterns of vaccination
3 person case




c < pL:
V,V,V
pL < c < pL + (1-p)qL:
V,V,NV
pL + (1-p)qL < c < TR(3,0)L: V,NV,NV
TR(3,0)L < c:
NV,NV,NV
TR(3,0) = total risk of infection to 1 of 3
individuals when noone is vaccinated
26
Types of Interventions
(Internalizing Negative Externalities)
Insurance
 Not feasible under current system because insurer of agent i
does not pay for damage to agent j j i
 Social insurance provides premium reduction to agent i for
reduction in contamination to all other agents
Liability---This policy tool only works if
contaminating agent is
held liable for damage to others if it did not invest in protection
Regulations
Importance of well-enforced codes and standards
to ensure that cost-effective security measures are adopted
27
Types of Interventions
(Internalizing Externalities)
Taxation—Can levy a tax of t dollars on any agent that did not
invest in protection to encourage them to adopt security measures
Coordinating mechanisms
 International Air Transport Association (IATA)---require
baggage security on all bags to be transferred to other
airlines
 Coops in NYC—Require that all buyers of apartments invest
in sprinkler system as a condition for purchase
 Social norms—role of friends and neighbors
28
Future Research Directions
Prescriptive Questions
 Do you tax some agents more because they
have a greater chance of contaminating others?
 Role of regulations (e.g. building codes,
required baggage check-in)
Multi-Period and Dynamic Models
 Importance of time horizon and discount rate
 How do you get process of investing in security
started?
 Importance of developing sequential models of
choice which incorporates learning
29
Future Research Directions
Behavioral Considerations
Impact of ambiguity
Misperceptions of risk
Myopia (i.e. short time horizons)
Importance of affect
(e.g. worry, dread, anxiety)
30
Future Research: Risk Management Strategies
Collecting information on risk and costs (e.g. constructing scenarios so that
one can estimate pi qi Li and ci with greater accuracy)
Designing incentive systems (e.g. subsidies or taxes) to encourage
investment by agents in protective measures.
Developing insurance programs for encouraging investment in protective
measures when firms are faced with contamination.
Designing well-enforced standards (e.g. building codes for high-rises to
withstand future terrorist attacks) using third-party inspections.
Federal reinsurance or state-operated pools providing protection against
future losses from terrorist attacks to supplement private insurance
I
31
Future Empirical Studies
Why do some agents and organizations invest in protection
and others do not when there is an IDS problem?
What actions can the public sector take to encourage property
owners and organizations to invest in protective and
security measures and constrain others from doing so?
What role can private sector mechanisms such as subsidies,
fines, insurance, bank loans and potential liability play?
What are the appropriate roles of taxation, regulations and
standards to supplement private sector mechanisms?
32
Future Empirical Studies
What institutional mechanisms would aid the decision
process of agents in adopting protective measures given
that there are interdependent security problems?
Can industry associations (e.g. IATA for the airlines) play an
important role in facilitating actions by individual
companies?
What types of property rights would encourage agents to
undertake security measures?


Turkey requires unanimity for apartments to change rules
NYC Coops has government board (majority rule)
33
Conclusions
IDS structure – non-additive damages &
interdependent risks – characterizes wide
range of problems
Airlines, computers, vaccination, R&D, …
Bankruptcy of an organization
Need new computational techniques to take
advantage of special problem structure such
as ones covered in this course
Need for public-private partnerships
34