Protecting complex infrastructures against multiple strategic attackers
Kjell Hausken
Faculty of Social Sciences, University of Stavanger, N-4036 Stavanger, Norway
First published on: 23 July 2010
To cite this Article: Hausken, Kjell (2011) 'Protecting complex infrastructures against multiple strategic attackers', International Journal of Systems Science, 42: 1, 11–29, First published on: 23 July 2010 (iFirst)
To link to this Article: DOI: 10.1080/00207720903434789
URL: http://dx.doi.org/10.1080/00207720903434789
International Journal of Systems Science, Vol. 42, No. 1, January 2011, 11–29
(Received 31 July 2008; final version received 20 October 2009)
Infrastructures are analysed subject to defence by a strategic defender and attack by multiple strategic attackers. A framework is developed where each agent determines how much to invest in defending versus attacking each of multiple targets. A target can have economic, human and symbolic values, which generally vary across agents. Investment expenditure functions for each agent can be linear in the investment effort, concave, convex, logistic, can increase incrementally, or can be subject to budget constraints. Contest success functions (e.g., ratio and difference forms) determine the probability of a successful attack on each target, dependent on the relative investments of the defender and attackers on each target, and on characteristics of the contest. Targets can be in parallel, in series, interlinked, interdependent or independent. The defender minimises the expected damage plus the defence expenditures. Each attacker maximises the expected damage minus the attack expenditures. The number of free choice variables equals the number of agents times the number of targets, or lower if there are budget constraints. Each agent is interested in how his investments vary across the targets, and the impact on his utilities. Alternative optimisation programmes are discussed, together with repeated games, dynamic games and incomplete information. An example is provided for illustration.
Keywords: complex infrastructures; game theory; reliability theory; OR in military; utility theory; defence; attack; contest success function; parallel system; series system; interlinked systems; interdependent systems; independent systems; protection; terrorism; war; conflict
1. Introduction
Our infrastructures are threatened by humans, technology and nature. Population growth and increasing complexity make protection challenging. The September 11, 2001 attack showed that no targets and no methods of operation are out of bounds. Strategic attackers attack targets (assets, components) with economic, human and symbolic value. Strategic decisions for defenders and attackers are as follows: how much to allocate to defence and attack, how to allocate investments across targets and what kinds of defence and attack are appropriate.

Operations research and reliability theory have traditionally been used to solve the defender’s optimisation problem. Assuming static external threats or fixed probabilities of attack, objectives have been to increase the probability of system survival. The literature can be divided into two parts: one part where one defender protects one target within a multi-target system, and the other part where one defender protects an entire system of multiple targets. This article contributes to the latter literature which is relevant for the defence of infrastructures of various kinds at the global, continental, national, regional and local levels.

This article introduces a conceptually new way of thinking. One strategic defender and arbitrarily many fully strategic attackers are considered. The external threat is neither static, fixed nor immutable. An arbitrarily complex system or infrastructure is analysed with targets that are in parallel, in series, interlinked, interdependent and independent. The defender and attackers adapt to each other optimally choosing defensive and offensive investments for each target. The functionality or successful operation of each target depends on the relative investments in defence versus attack. Whether a system functions depends on the agents’ resource allocation across targets, and how the targets are linked together. The defender invests to ensure that the system functions, whereas the attacker invests to ensure that the system does not function.

In contrast to much of earlier research, we analyse the phenomenon from both the defender’s and attackers’ viewpoints. There is a need to account fully for the strategic dimensions associated with the defender and attackers, for the time dimension, and for the ever changing dynamic of the interaction between agents. The proposed framework consists in a model for valuing the targets of the attack for both the defender and the attackers, multiple models for determining the investment effort of the defender and the attackers, multiple models to compute the probability of a successful attack and multiple models for the utility of the agents that take into account how the targets are configured into a system. The article thus implicitly lays out a research agenda.

ISSN 0020–7721 print/ISSN 1464–5319 online. © 2011 Taylor & Francis.
We consider one single defender and multiple independent attackers which is a realistic scenario and provides policy advice for a single government facing threats from many sources. There are currently 45 proscribed terrorist groups¹ under the Terrorism Act 2000. In addition come unknown groups, rogue states, loose constellations, single individuals and agents who may attack infrastructures without being labelled terrorist groups. Attackers have a broad range of different objectives and apply different methods. Considering the attackers as independent makes the analysis tractable. For attackers with overlapping objectives or coordinated efforts we apply Simon’s (1969) principle of ‘near decomposability’, which means that sufficiently similar attackers are joined to one attacker, and sufficiently different attackers are assumed independent. Considering one defender is realistic since a target is usually owned or controlled by one defender. For multiple owners we join these to one since they usually have a common objective of protecting the target. For targets without owners, the contest success function applied in the formal apparatus allows for interpreting the one defender as an attacker.
Section 2 describes the state-of-the-art literature. Section 3 defines the problem. Section 4 discusses how to value targets, which may have economic, human and symbolic values. Section 5 considers investment expenditure functions for defence and attack. Section 6 evaluates contest success functions. Section 7 describes systems with targets that are in parallel, in series, interlinked, interdependent, independent and multi-use. Section 8 analyses an example. Section 9 suggests methods for validating the models. Section 10 concludes.
2. The state-of-the-art literature
Cost-effective risk reduction strategies applying reliability theory have been developed by Levitin (2002, 2003a,b), Levitin and Lisnianski (2000, 2001, 2003) and Levitin, Dai, Xie, and Poh (2003). Objectives have been to increase the probability of system survival, and harden targets optimally. A main limitation is that the literature has traditionally considered the external threat to be static, fixed and immutable, for example, by assuming a fixed probability and magnitude of attack. Some research applying game theory considers isolated targets (see, e.g. Major 2002; O’Hanlon et al. 2002; Woo 2002, 2003).
For multiple targets, one strand of literature associates one defender with each target. Conflicts then arise in series, parallel and summation systems over which player(s) prefer(s) to incur the cost of risk reduction. Individual strategies at the subsystem level generally conflict with collective desires at the system level. Hausken (2002) lets each agent dichotomously choose a strategy which for his component causes either reliability zero with no cost of effort or reliability one for a fixed cost of effort. He finds that the series, parallel and summation systems frequently correspond to the coordination game, the battle of the sexes and the chicken game, and prisoner’s dilemma, respectively. Kunreuther and Heal (2003), Zhuang et al. (2007), and Hausken (2006a) analyse interdependent systems. Enders and Sandler (2003) and Hausken (2006a) analyse the substitution effect which causes a strategic attacker to substitute into the most optimal attack allocation across multiple targets, and the income effect which eliminates parts of the attacker’s resource base. Within cyber security Gordon and Loeb (2002) and Gordon, Loeb, and Lucyshyn (2003) determine the optimal investment for information protection, and Gal-Or and Ghose (2005) analyse how market characteristics affect security investment.
Another strand of literature, to which this article adds new dimensions, lets one defender defend an entire system. Earlier promising research by Bier and Abhichandani (2002) and Bier, Nagaraj, and Abhichandani (2005) for series and parallel systems with independent targets has assumed that the defender minimises the success probability and expected damage, respectively, of an attack. The success probability is assumed to depend on the resources expended by the defender to strengthen each target. The probability of an attack is exogenously given. Bier et al. (2005, p. 322) show that ‘if one component is more valuable than another, but has a lower probability of being attacked, then the more vulnerable but less valuable component may be more likely to be attacked, and hence merit greater investment.’ Bier, Oliveros, and Samuelson (2006) analyse the optimal allocation of defensive resources in the face of uncertainty about attacker goals, motivations and valuations of potential targets. The defender allocates defence to a collection of locations whereas an attacker chooses a location to attack. They show that the defender allocates resources in a centralised, rather than decentralised, manner, and that the optimal allocation of resources can be non-monotonic in the value of the attacker’s outside option. Furthermore, the defender prefers its defence to be public rather than secret. Also, the defender sometimes leaves a location undefended and sometimes prefers a higher vulnerability at a particular location even if a lower risk could be achieved at zero cost. Azaiez and Bier (2007) assume that the success probability of an attack on each target is constant, and that the defender attempts to deter attacks by making them as costly as possible to the attacker. This enables them to find closed-form results for systems with moderately general structures with both parallel and series subsystems. Dighe, Zhuang, and Bier (2008) consider secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence. See Carayon, Kraemer, and Bier (2005) for the role of human factors in computer and e-business security, Phimister, Bier, and Kunreuther (2004) for reducing technological risk through diligence, accident precursor analysis and management, and Hausken (2008a) for defence and attack of series and parallel systems.
Some research, for example, Brown, Carlyle, Salmeron, and Wood (2006), has focused on interdiction models, attacker–defender models, and related defender–attacker–defender models. These assume a hierarchical structure for decision making. In a defender–attacker–defender model, the defender first invests in protecting infrastructure, subject to a budget constraint. Then, a resource-constrained attack is carried out. Finally, the defender operates the residual system as best possible. Brown et al. (2006) exemplify with border control, the US strategic petroleum reserve and electric power grids. Patterson and Apostolakis (2007) rank geographic regions to allow decision makers to determine critical locations susceptible to terrorist attacks. Levitin (2007) considers optimal defence strategy against intentional attacks, and Hausken and Levitin (2009) consider minmax defence strategy for complex multi-state systems. Hausken and Levitin (2008) analyse how to separate elements when the decisiveness (intensity) parameter changes through the separation process. Levitin and Hausken (2008, 2009a,b) consider the role of redundancy and false targets.
Within political economy and political science, strategic interaction has been accounted for more extensively. Enders and Sandler (2006) provide an overview of the nature of terrorism, and Sandler and Enders (2007) evaluate policy effectiveness and quantify the economic impact of terrorism. More specifically, Arce and Sandler (2007) present a model of terrorist attacks as signals where the government is uncertain about whether it faces a politically motivated or militant opponent. They determine two types of ex post regret: P-regret, where the government concedes to political types that would not subsequently attack; and M-regret, where the government does not concede to militant types that subsequently attack at greater levels. They then define a measure of the value of intelligence based on avoiding such regret. Counterterrorism policy involves whether a government should focus on increased intelligence versus increased security defined as hardening targets. They evaluate the use of asset freezing in terms of the resources required by terrorists to reach objectives. Their article supports the empirical finding of intertemporal substitution of resources by terrorists.
Sandler and Siqueira (2006) analyse two anti-terrorism policies when a nation is at risk at home and abroad. The deterrence decision involves external benefits and costs, whereas pre-emption typically gives external benefits when the threat is reduced for all potential targets. They show that with damages limited to home interests, a country overdeters. In contrast, for globalised terror, a country underdeters. Furthermore, pre-emption is usually undersupplied. They show that leader–follower behaviour decreases deterrence inefficiency, but worsens pre-emption inefficiency, compared with simultaneous-choice allocations. Finally, targeted nations can never achieve the proper counterterrorism policy through leadership.
Siqueira and Sandler (2007) analyse a three-stage proactive game with terrorists, elected policymakers and voters. In each of two countries, a representative voter chooses an elected policymaker who determines proactive countermeasures to reduce a transnational terrorist threat. The voters’ strategic choice is influenced by free riding on the other countries’ countermeasures, and limiting a reprisal terrorist attack. The free riding causes low proactive countermeasures which benefit the terrorists. This gives a delegation problem where leadership by voters has a detrimental consequence on the well-being of targeted countries. The authors finally consider how domestic politics impacts how a terrorist threat is addressed.
Powell (2007a) shows that in many resource-allocation problems, strategic adversaries move sequentially and are likely to have private information about the effectiveness of their spending. It argues, as this article also does, that a defender often has to determine its defensive before an attacker decides where to attack. Defenders are also likely to have private information about the vulnerability of the assets they protect. The author argues that sequential decisions and private information about effectiveness cause a dilemma for the defender. Allocating more to a highly vulnerable site reduces the expected losses if that site is attacked, but also draws the attacker’s attention which increases the probability of an attack. Modelling as a signalling game, the analysis shows that secrecy concerns are generally stronger than vulnerability concerns when more vulnerable sites are weakly harder to protect on the margin. This causes the defender to allocate its resources independently of vulnerability. In contrast, if more vulnerable sites are easier to protect on the margin, then vulnerability concerns may be stronger than secrecy concerns.

Powell (2007b) considers a defender’s resource distribution against a strategic adversary in four settings. First, resources allocated to protecting one site have as a benchmark no effect on other sites. Second, the defender can allocate resources to border defence, intelligence or counterterrorist operations which may protect all sites. Third, threats can have strategic and non-strategic components. Fourth, the defender can be unsure of the terrorists’ preferred targets. The author determines the optimal defence allocation in these four settings.

Realising that all potential targets cannot be defended, Powell (2007c) analyses a defence allocation across multiple sites before an attacker chooses where to attack. As also done in this article, the defender allocates its resource to minimise the attacker’s maximum payoff. The author finds that this defence allocation is unique regardless of whether the game is zero- or non-zero-sum or is static or dynamic.
3. Problem definition
An infrastructure system is considered with $n$ components or targets in parallel, in series, in combined series/parallel, or independent. We also consider systems which we refer to as interlinked or interdependent. Infrastructure refers to assets that support an economy, such as roads, power supply, telecommunications systems, water supply, political and economic institutions, businesses, schools, hospitals, recreational facilities and other assets. A defender minimises the expected damage of the system and the investment expenditure incurred to protect the system, which is formulated as a utility that can be maximised. Damage measures the economic, human and symbolic value, including a system’s ability to function in a reliable manner according to its stated objective, such as serving a population.

Investment expenditures to protect a system can mean hardening targets defensively. We consider $m$ attackers who maximise the expected damage minus the investment expenditure, expressed as a utility. The system can be destroyed, eliminated or its parts can be disabled. Examples are to contaminate water supplies, destroy roads, eliminate power generators, cut communications lines and attack government officials or hospital personnel chemically. The $m$ attackers are assumed to operate independently. If some attackers are dependent or strongly interlinked, then these may for the purpose of analysis be perceived as merged into a unitary agent.

We consider $n$ defence investments $t_1, t_2, \ldots, t_n$ for the $n$ targets, and $nm$ attack investments $T^j_1, T^j_2, \ldots, T^j_n$, $j = 1, \ldots, m$. The agents are concerned about how their investments vary across the $n$ targets, the sum of their investments, and the impact on their utilities. In the benchmark case considered in this article the defence and attack investments are made simultaneously and independently for each of the $n$ targets. This gives a non-cooperative game between $m + 1$ agents who together have $n(m + 1)$ free choice variables. Let us briefly describe the conventional method for solving such a game. A first step is to solve the first order conditions. Assuming utility $u$ for the defender and utility $U^j$ for attacker $j$, the defender calculates $\partial u/\partial t_i = 0$ and attacker $j$ calculates $\partial U^j/\partial T^j_i = 0$ for the $n$ targets to maximise their utilities. This gives $n(m + 1)$ first order conditions. For some cases, solving these equations gives one unique interior solution. More generally, for unconstrained optimisation of a multi-variable function, maximum utilities exist when the first order conditions are satisfied, the Hessian matrices are negative semi-definite, and one accounts for corner solutions.

The defender and attackers may be subject to constraints of various kinds which can give corner solutions. None of the $n(m + 1)$ investments can be negative. Negativity is avoided by setting such investments to zero, one by one, and determining the optimal values for the other investments. Other examples are a total budget constraint for each agent, or a constraint for each target for each agent for economic or other reasons. Parts of an agent’s budget may be ‘frozen’, as is the case for some terrorist organisations. Budget constraints reduce the number of first order conditions accordingly. If $m + 1$ agents each have one budget constraint, there are $(n - 1)(m + 1)$ first order conditions. For constrained optimisation, the Kuhn–Tucker conditions are sufficient for optimality of convex programmes. Bier and Abhichandani (2002) find that the failure probability for a simple parallel system is not necessarily convex.² Hausken (2008b,c) applies a contest success function and shows that the second order conditions are not necessarily satisfied when the decisiveness (intensity) of conflict between two adversaries is large.

Today’s computers are well equipped to solve this optimisation programme, injecting the utilities, free choice variables and constraints. A variety of search methods and computational approaches, for example, hill climbing and Runge–Kutta methods, can be applied by the defender, the attackers and outside analysts, to determine optimal solutions.
Complex infrastructures and systems of targets are usually built up over time. Defences are usually also built up over time in association with the values of the targets, subject to various budgets, allocation procedures, political processes, precedent, historical inertia and other influences. Hence an alternative to the benchmark static game is a two period game where the defender invests in the first period and the attackers invest simultaneously in the second period. The game is solved with backward induction. The second period is solved first, which means calculating $\partial U^j/\partial T^j_i = 0$ and solving the $nm$ first order conditions for the $m$ attackers to determine $T^j_1, T^j_2, \ldots, T^j_n$, $j = 1, \ldots, m$, conditional on $t_1, t_2, \ldots, t_n$ having been determined in the first period. This means that the $T^j_i$’s are determined as functions of the $t_i$’s. Thereafter, the first period is solved, inserting these $T^j_i$’s into $u$ for the defender. $\partial u/\partial t_i = 0$ is calculated and the $n$ first order conditions are solved which gives the optimal $t_1, t_2, \ldots, t_n$ for the defender in equilibrium. Finally, the $t_i$’s are inserted into the $T^j_i$’s to determine the equilibrium solution for the $m$ attackers. Of course, the same caveats discussed above also apply for repeated games.
Examples of more complex repeated or dynamic games are as follows. First, the defender and attackers may invest simultaneously and independently in a finitely repeated or infinitely repeated game where each agent has a different discount parameter. Common equilibrium concepts for repeated games are sequential equilibrium (Kreps and Wilson 1982) and trembling-hand perfect equilibrium (Selten 1975). Second, the defender and attackers may invest alternately in successive time periods. Third, the defender and subsets of attackers may invest in prescribed manners in successive time periods. Fourth, each agent may invest in one target or subset $k$ of targets, $k = 1, \ldots, n$, in successive periods, in prescribed manners for the defender and attackers. Fifth, each agent may split his investment in target $i$ into arbitrarily many sub-investments to be deployed in successive periods, either in prescribed manners, or dependent on how the game evolves according to an updating mechanism. Sixth, an attacker may divide his investment into many small subsequent investments to observe whether small early investments have impact. Seventh, in a dynamic game with continuous time, each agent may invest or sub-invest in any target at any point in time dependent on how the game evolves.
Defending and attacking infrastructures often involve assessing incomplete information (Fudenberg and Tirole 1991; Straffin 1993; Dixit and Skeath 1999; Rasmusen 2001). Incomplete information can be symmetric or asymmetric across players, for example, one-sided, two-sided, or $(m + 1)$-sided. Prominent candidates for incomplete information are the defender’s and attackers’ valuations and weights for the economic, human and symbolic values of target $i$, and the values of system operability for the defender and attackers. Parameters in the investment expenditure functions for the defender and attackers can also be incompletely known. For repeated games the agents’ discount parameters can be incompletely known. The common method to model incomplete information is to apply Harsanyi’s doctrine (Harsanyi 1967/68). Each player knows his own characteristics, but forms a subjective probability distribution over the alternative possibilities, or types, of incomplete information for the other players.³ A player’s type is his characteristics of psychological, physical or other nature. Incomplete information can be introduced for static games, or repeated or dynamic games. For games where time plays a role, incomplete information can be updated successively, using for example Bayesian updating, as more information gets compiled by each player about the strategies chosen by all players as the game evolves.
Most defenders have to handle attackers who differ greatly in objectives, skills, methods of operation and degrees of sanity. Examples are thieves, terrorists, disgruntled ex-employees, technological breakdowns and natural disasters. Assuming multiple attackers may imply that a particular level of defence may deter some attackers, but not others. This means that from the defender’s point of view, the likelihood of a successful attack may be a non-convex function of the defensive investment, even if to each individual attacker, the likelihood of success is convex in the level of defensive investment.
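The following is an added example, not code from the article: it solves both the simultaneous benchmark game and the two-period game by backward induction for a single target, and shows a defence level that deters one attacker but not another. The ratio-form contest success function with decisiveness 1, linear expenditures, the rule that the target is lost if at least one independent attack succeeds, and all parameter values are assumptions made here, since this excerpt does not give the article's functional forms.

```python
import math

EPS = 1e-9  # t = 0 is excluded: an undefended target falls to any T > 0


def success_prob(t, T):
    """Ratio-form contest success function (assumed, decisiveness 1)."""
    return 0.0 if T <= 0 else T / (t + T)


def attacker_best_response(t, V, C):
    """dU/dT = 0 for U = V*T/(t+T) - C*T gives T = sqrt(V*t/C) - t.
    The corner T = 0 applies once t >= V/C: the attacker is deterred."""
    return max(0.0, math.sqrt(V * t / C) - t)


def defender_cost(t, T_list, v, c):
    """Expected damage plus defence expenditure c*t (assumption: the
    target is lost if at least one independent attack succeeds)."""
    survive = 1.0
    for T in T_list:
        survive *= 1.0 - success_prob(t, T)
    return v * (1.0 - survive) + c * t


def minimise(f, lo, hi, grid=400, rounds=5):
    """Grid search with successive refinement. Used instead of solving
    du/dt = 0 directly because deterrence corners put kinks in u."""
    best = lo
    for _ in range(rounds):
        step = (hi - lo) / grid
        best = min((lo + k * step for k in range(grid + 1)), key=f)
        lo, hi = max(lo, best - step), min(hi, best + step)
    return best


def responses(t, attackers):
    """Best responses of all attackers, given as (V, C) pairs, to defence t."""
    return [attacker_best_response(t, V, C) for V, C in attackers]


def simultaneous(v, c, attackers, t_max, iters=60):
    """Benchmark game: damped best-response iteration until the defender's
    and the attackers' first order conditions hold together."""
    t = t_max / 2  # arbitrary starting point
    for _ in range(iters):
        T_list = responses(t, attackers)
        t_br = minimise(lambda x: defender_cost(x, T_list, v, c), EPS, t_max)
        t = 0.5 * (t + t_br)
    return t, responses(t, attackers)


def two_period(v, c, attackers, t_max):
    """Backward induction: the second-period responses T_j(t) are inserted
    into the defender's first-period problem, which is then minimised."""
    t = minimise(lambda x: defender_cost(x, responses(x, attackers), v, c),
                 EPS, t_max)
    return t, responses(t, attackers)


if __name__ == "__main__":
    # Constructed parameters: (V, C) = attacker's target value and unit cost.
    cases = [("one attacker", 2.0, [(1.0, 1.0)], 3.0),
             ("two attackers", 6.0, [(1.0, 1.0), (4.0, 1.0)], 6.0)]
    for name, v, atk, t_max in cases:
        for solve in (simultaneous, two_period):
            t, T = solve(v, 1.0, atk, t_max)
            print(name, solve.__name__, round(t, 4), [round(x, 4) for x in T],
                  round(defender_cost(t, T, v, 1.0), 4))
```

With these constructed parameters the first-moving defender deters the single attacker outright (t = 1, T = 0) at lower cost than in the simultaneous outcome (t = 4/9, T = 2/9); against two attackers it deters the weaker one while the stronger one still invests.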
For probabilistic scenarios stochastic optimisation is applicable. Scenarios are probabilistic when the agents are unsure about characteristics of each other or their surroundings, such as unit costs of defence and attack, decisiveness parameters, utility functions, the role of time in their interaction, whether strategies are observable or not, whether defences are present or attacks occur and other factors. A variety of strategies can be determined to be optimal or robust towards such kinds of uncertainty.
4. How to value targets: economic, human and symbolic values
A target or component can be conceived to have economic value, human value and/or symbolic value. These are generally different for the defender and attackers, perceived subjectively for each agent, different across attackers, and may be unknown to others, and sometimes unknown to oneself if a valuation has not been made or is difficult to make. We could consider other kinds of values than these, but these have been common in the literature. Three values for each target are sufficient for many purposes, and make the analysis tractable. Most targets possess two or three of these kinds of values.
These can be substitutes or complements for each other. They are perfect substitutes when the three values are equivalent and all agents are motivated equivalently to keep, preserve, capture or destroy a target measured with any of the values. They are perfect complements when the total value is the sum of the three individual values so that, for example, the human value supplies to the total value what the economic value and symbolic value do not supply. Let us consider three stereotypical examples.

First, a target such as $1 million has economic value, no human value and usually limited symbolic value. $1 million may earn symbolic value dependent on the owner, the attacker, dependent on how it is obtained, how it is subsequently used (e.g., destroyed), how it is represented (e.g., in 100 dollar bills), and whether it is represented in US dollars or alternatively in yen, euro or renminbi.

Second, a target such as one human being has human value which can be considered to be infinite in philosophical or religious terms, and symbolic value dependent on the nationality, competence, age, sex, conviction and other characteristics of the human. The economic value is statistically often calculated as the cost of reducing the average number of deaths by one. Applying wage-fatality risk tradeoffs, a common estimate for the value of a statistical life is $7 million for US workers (Viscusi 2005). Insurance values are often lower, for example, $1 million for trains and $20,000 for automobiles.

Third, a target such as the US Statue of Liberty has substantial symbolic value, and no human value. The economic value can in one sense be calculated from the raw materials, one hundred tons of copper, priced at $5000 per ton, and 125 tons of steel, priced at $600 per ton, gives $575,000. In other senses, the economic value can be determined from its sales value if it were to be auctioned to the highest bidder, its reconstruction or replacement value if it were to be stolen or destroyed, or its value in impacting the US economy, measured in some manner.

Bier et al. (2005, p. 316) consider the ‘inherent value of a target,’ defined as ‘the loss incurred by the defender if a component is disabled.’ Similarly, they consider ‘the value of system functionality,’ defined as ‘the loss (in dollar terms) incurred by the defender if the system is disabled.’ These losses can have economic, human and/or symbolic dimensions. If a target or system is disabled, then repairing or replacing it can be given a value in dollar terms. Beitel, Gertman, and Plum (2004) present six measures for the value of a target, with formulas for each. These are loss of life, primary economic loss, national economic stress and inconvenience, decrease presence considered undesirable by an attacker, increase presence considered desirable by an attacker, opportunity to leverage with other terrorists.
The total value of a target has to be determined with care. For the defender we define the economic value of target $i$ as $e_i$, the human value as $h_i$, and the symbolic value as $s_i$. To allow these to be combinations of substitutes and complements of each other, the defender assigns subjective weights $w_e$, $w_h$, and $w_s$ to these. We define the total value of target $i$ to the defender as $v_i = w_e e_i + w_h h_i + w_s s_i$. For attacker $j$ we analogously introduce subjective weights $W^j_E$, $W^j_H$, and $W^j_S$, which gives the total value of target $i$ as $V^j_i = W^j_E E^j_i + W^j_H H^j_i + W^j_S S^j_i$.⁴
5. Investment expenditure functions for defence and attack
Generally, targets have to be produced, maintained, repaired, inspected and defended. There is a tradeoff between how much to invest in these various activities. The defender may prefer or need a high quality target, but high quality targets are more likely to be attacked, which suggests a high defence cost. Hausken (2005) analyses the tradeoffs an agent makes between producing and defending a target when facing other attacking agents. This approach is contrasted with the approach where the value of the target is exogenously given but subject to defence and attack. Our infrastructures have been produced over time and are gradually improved, repaired, inspected, etc., subject to various tradeoffs. For our purpose, to make the analysis tractable, we consider the infrastructure or system as exogenously given, as has been common in the rent seeking literature. We define defence and attack broadly. Defence means protection against attack, maintenance to prevent breakdown and repair if the system breaks down. Attack means intentional attack, which can be supported by non-intentional factors such as technology and nature to disable the system.
Generally, to defend target $i$ with exogenously given value $v_i$, the defender incurs an investment effort $t_i$ (investment, for short) which is a vector with elements that are capital and labour of various kinds. We simplify to the scalar $t_i$. The investment expenditure is $f_i = f_i(t_i)$, measured in dollar terms, where $\partial f_i/\partial t_i > 0$. The function $f_i$ can take many different forms. First, it can increase linearly in $t_i$ defined as $f_i = c_i t_i$, where $c_i$ is unit cost of defence investment for target $i$. Higher $c_i$ means greater defence inefficiency, and $1/c_i$ is the efficiency. Second, $f_i$ can increase concavely in $t_i$, $\partial^2 f_i/\partial t_i^2 < 0$, which occurs when there is economy of scale. For example, one unit of effort may be expensive to produce, but producing further units may get successively cheaper as routine, division of labour and coordination simplify. Third, and conversely, $f_i$ can increase convexly in $t_i$, $\partial^2 f_i/\partial t_i^2 > 0$, which occurs when there are diseconomies of scale. For example, one worker may easily generate the first unit of effort if little physical or mental effort is required. However, producing additional units of effort may get successively more expensive as physical and mental exhaustion, strain, wear and tear, start to operate. Going that extra mile may get extremely burdensome and costly. Fourth, $f_i$ can increase logistically, which means convexly for small $t_i$ and concavely for large $t_i$. Generating marketing effort often takes this form. Initial marketing is expensive with limited impact. As the expense exceeds certain thresholds, impact improves due to cascades and ripple effects. Thereafter, impact is substantial due to economy of scale. Fifth, $f_i$ can increase in an incremental step-wise manner. For example, a target may be defended by one type of technology up to a certain level, whereas more extensive defence may require investment in a different type of technology. For example, the employment of highly skilled security personnel trained to run 24-h surveillance may be needed to handle certain attacks. Sixth, $f_i$ can be subject to budget constraints which for political or other reasons may prevent investment beyond a certain level to defend target $i$.
Let us consider two examples. First, if the target produces goods and services (food, water, education, health services, communication, transportation) the defence investment includes securing the target with human forces, technological factors, surveillance, reconnaissance, encryption and deterrence. Second, if the target is a cyber security system, the defender installs firewalls, applies encryption, hires experts in security and develops intrusion detection systems.
Let us then consider attacker $j$ where analogous reasoning applies. To attack target $i$ with value $V_i^j$, the attacker incurs an investment effort $T_i^j$, a vector consisting of capital and labour. Simplifying to the scalar $T_i^j$, the investment expenditure is $F_i^j = F_i^j(T_i^j)$, measured in dollar terms, where $\partial F_i^j/\partial T_i^j > 0$. If $F_i^j$ is linear, we set $F_i^j = C_i^j T_i^j$, where $C_i^j$ is the unit cost of investment for target $i$, analogously to $c_i$ for the defender. Alternatively, $F_i^j$ may be concave ($\partial^2 F_i^j/\partial (T_i^j)^2 < 0$), convex ($\partial^2 F_i^j/\partial (T_i^j)^2 > 0$), logistic, a step function or subject to a budget constraint.
Let us consider the same two examples from the perspective of attacker $j$. First, if the target is involved in production of goods and services, etc., the attacker channels investment into destruction, theft, interference, manipulates information and seeks to avoid surveillance and detection. Second, if the target is a cyber security system, the attacker attempts to break through the defence, works around the protection set up by security experts, hacks through firewalls, deciphers the encryption and avoids intrusion detection. The attack decreases the system’s reliability through appropriating or destroying something of value associated with the system, or taking control over factors which decrease system reliability.
There is variability across targets for the cost functions. The residences and offices of state leaders have high unit defence and attack costs. More open systems, such as assemblies for nationally elected officials or government offices with frequent visitation, have lower unit attack cost. Dispersed transportation systems have high unit defence cost since these have to be defended in many locations, and low unit attack cost. A concentrated non-dispersed asset stored to avoid easy access, for example, in a remote area, has low unit defence cost and high unit attack cost. Common assets usually have both low unit defence and attack costs.
6. Contest success function
Whether a target is operational or not depends on the relative investments by the defender and attackers, which determine the reliability of the target, and thus also determine the success of defence and success of attack.⁵ We define the probability of a successful attack on target $i$ as
$$p_i = p_i(t_i, T_i^1, \ldots, T_i^m, m_i, r_i), \quad \partial p_i/\partial t_i < 0, \quad \partial p_i/\partial T_i^j > 0 \tag{1}$$
assuming $m$ attackers, where $m_i$ and $r_i$ are parameters. The probability of a successful attack decreases in the defensive investment, and increases in the offensive investment. The successful attack probability equals the unreliability of target $i$, which equals one minus the reliability, and corresponds to the asset in the conflict literature. There is conflict over unreliability between the defender and the attackers, just as there is conflict over an asset between multiple contenders. The probability $p_i$ can depend on $t_i$ and $T_i^j$ in extremely many different ways. The two most common contest success functions are the ratio and difference forms (Hirshleifer 1989; Skaperdas 1996). The ratio form (Tullock 1980) states that
$$p_i = \frac{(T_i^1)^{m_i} + \cdots + (T_i^m)^{m_i}}{t_i^{m_i} + (T_i^1)^{m_i} + \cdots + (T_i^m)^{m_i}} = \frac{\sum_{j=1}^{m} (T_i^j)^{m_i}}{t_i^{m_i} + \sum_{j=1}^{m} (T_i^j)^{m_i}} \tag{2}$$
where $m_i$ is a decisiveness parameter that expresses the intensity of the contest over target $i$.⁶ At the limit, with infinitely much defensive investment, and finite offensive investment, the target is 100% reliable and $p_i = 0$. The same result follows with finite defensive investment and zero offensive investment. At the other limit, with infinitely much offensive investment, and finite defensive investment, the target is 0% reliable and $p_i = 1$. The same result follows with finite offensive investment and zero defensive investment.
Figure 1 illustrates how, for $T_i^j = T_i$ held fixed for one single attacker, the probability $p_i$ responds to changes in the investment $t_i$ for the defender. The sensitivity of $p_i$ to $t_i$ increases as the decisiveness parameter $m_i$ increases. When $m_i = 0$, the investments $t_i$ and $T_i$ have equal impact on the reliability regardless of their size which gives 50% reliability, $p_i = 1/2$.⁷ $0 < m_i < 1$ gives a disproportional advantage of investing less than one’s opponent. When $m_i = 1$, the investments have proportional impact on the reliability. $m_i > 1$ gives a disproportional advantage of investing more than one’s opponent. This is often realistic in praxis, as evidenced by benefits from economies of scale. Finally, $m_i = \infty$ gives a step function where ‘winner-takes-all’. This means that the defender suffers probability one when $t_i$ is marginally smaller than $T_i$, and enjoys probability zero when $t_i$ is marginally larger than $T_i$.
The difference (logit) form contest success function states that
$$p_i = \frac{\exp[r_i T_i^1] + \cdots + \exp[r_i T_i^m]}{\exp[r_i t_i] + \exp[r_i T_i^1] + \cdots + \exp[r_i T_i^m]} = \frac{\sum_{j=1}^{m} \exp[r_i T_i^j]}{\exp[r_i t_i] + \sum_{j=1}^{m} \exp[r_i T_i^j]} = \frac{1}{1 + \exp\left[r_i\left(t_i - \sum_{j=1}^{m} T_i^j\right)\right]} \tag{3}$$
where $r_i$ is a mass effect parameter for target $i$. The successful attack probability is strictly less than one also when the defender invests zero, $t_i = 0$, as illustrated in Figure 2. If the defender invests zero, then it is not always realistic that the defender loses the target when the attackers invest a finite, and possibly arbitrarily small, amount, as the ratio form suggests. With the difference form, some targets may enjoy attack probability less than one even without defence investment. This is possible for targets that are technologically designed in a hardened manner, or when the attackers are less than fully alert and determined. Hirshleifer (1989) provides examples for when the difference form is realistic.⁸
Both the ratio and difference forms assume that if the defender invests infinitely much, whereas the attackers invest finite amounts, then the successful attack probability equals zero. This is not always realistic, especially for targets that need to be available and accessible in order to be operational. Investing infinitely much to defend an information set within cyber security does not make it 100% secure as it needs to be available and accessible, which makes it vulnerable for attack (Hausken 2006b). A target such as a television station cannot be made 100% secure even with infinite defence investment since employees and others move in and out of the station, and as communication links with the outside world cannot be blocked. The following contest success function accounts for this
$$p_i = a_i \frac{\sum_{j=1}^{m} \exp[r_i T_i^j]}{1 + \sum_{j=1}^{m} \exp[r_i T_i^j]} + (1 - a_i) \frac{\sum_{j=1}^{m} \exp[r_i T_i^j]}{\exp[r_i t_i] + \sum_{j=1}^{m} \exp[r_i T_i^j]} \tag{4}$$
where $0 \le a_i < 1$. With zero defence investment $t_i = 0$, (3) and (4) are equivalent regardless of $a_i$. With infinite defence investment $t_i = \infty$, (3) gives $p_i = 0$, whereas (4) gives a fraction $a_i$ of the probability that occurs with zero investment since the second term vanishes.
Figure 1. Ratio form: successful attack probability $p_i$ as a function of the investment $t_i$ for various $m_i$ when $T_i = 1$.
Figure 2. Difference form: successful attack probability $p_i$ as a function of the investment $t_i$ for various $r_i$ when $T_i = 1$.
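
The three contest success functions (2)–(4) can be compared numerically. The following is an added example, not code from the article: the function names, the log-sum-exp shift in the difference form and the return value when nobody invests are choices made here, and the inputs are constructed.

```python
import math


def ratio_csf(t, attacks, m):
    """Ratio form (2): probability of a successful attack on one target.

    t        defender's investment t_i (>= 0)
    attacks  the attackers' investments T_i^1 .. T_i^m (each >= 0)
    m        decisiveness parameter m_i (>= 0)
    """
    if t < 0 or m < 0 or any(T < 0 for T in attacks):
        raise ValueError("investments and decisiveness must be non-negative")
    offence = sum(T ** m for T in attacks)
    total = t ** m + offence
    if total == 0:
        # Nobody invests, so (2) reads 0/0. Returning 0 is a convention
        # chosen for this example; the article does not define this case.
        return 0.0
    return offence / total


def difference_csf(t, attacks, r):
    """Difference (logit) form (3), in its sum-of-exponentials expression.

    The largest exponent is subtracted before calling math.exp so that a
    large r * t cannot overflow; the ratio itself is unchanged.
    """
    exponents = [r * T for T in attacks]
    shift = max(exponents + [r * t])
    offence = sum(math.exp(x - shift) for x in exponents)
    return offence / (math.exp(r * t - shift) + offence)


def accessible_csf(t, attacks, r, a):
    """Form (4): a share a_i of the zero-defence attack probability
    remains however much the defender invests."""
    if not 0 <= a < 1:
        raise ValueError("a must satisfy 0 <= a < 1")
    # First fraction in (4): its denominator 1 + sum equals (3) at t = 0.
    floor = difference_csf(0.0, attacks, r)
    return a * floor + (1 - a) * difference_csf(t, attacks, r)


def sweep(csf, investments, **params):
    """Attack probability for each defender investment in `investments`."""
    return [(t, csf(t, **params)) for t in investments]


if __name__ == "__main__":
    grid = [0, 0.5, 1, 2, 4, 1000]
    # Constructed inputs: one attacker with T_i = 1, as in Figures 1 and 2.
    for m in (0, 0.5, 1, 5):
        row = sweep(ratio_csf, grid[:-1], attacks=[1.0], m=m)
        print("ratio      m=%-3s" % m, ["%.3f" % p for _, p in row])
    for r in (0.5, 1, 5):
        row = sweep(difference_csf, grid, attacks=[1.0], r=r)
        print("difference r=%-3s" % r, ["%.3f" % p for _, p in row])
    row = sweep(accessible_csf, grid, attacks=[1.0], r=1, a=0.3)
    print("form (4)   a=0.3", ["%.3f" % p for _, p in row])
```
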
7. Systems with targets that are in parallel, in series, interlinked, interdependent and independent
7.1. Targets in parallel
A system of $n$ parallel targets functions if at least one target functions. An example is two telecommunication lines which can both deliver the required function. The expected damage for target $i$ for the defender is $v_i p_i$, which decreases in $t_i$. Further, the investment expenditure is $f_i$, which increases in $t_i$. The expected damage if the system is disabled is $v$, which occurs with probability $p_1 p_2 \cdots p_n$. As suggested by Bier et al. (2005), the defender’s expected damage $d$ and utility $u$ are
$$d = \sum_{i=1}^{n} v_i p_i + v \prod_{i=1}^{n} p_i, \qquad u = -\left(\sum_{i=1}^{n} v_i p_i + v \prod_{i=1}^{n} p_i\right) - \sum_{i=1}^{n} f_i \tag{5}$$
The defender maximises his utility $u$. The first order condition for target $i$ is $\partial u/\partial t_i = 0$, which gives $n$ first order conditions to determine the $n$ investments $t_1, t_2, \ldots, t_n$. The reasoning for attacker $j$, $j = 1, \ldots, m$, is analogous, but the valuations for target $i$ and the system are $V_i^j$ and $V^j$, respectively. The expected damage $D^j$ and utility $U^j$ for attacker $j$ are
$$D^j = \sum_{i=1}^{n} V_i^j p_i + V^j \prod_{i=1}^{n} p_i, \qquad U^j = \sum_{i=1}^{n} V_i^j p_i + V^j \prod_{i=1}^{n} p_i - \sum_{i=1}^{n} F_i^j \tag{6}$$
Attacker $j$ maximises his utility $U^j$. The first order condition for target $i$ is $\partial U^j/\partial T_i^j = 0$, which gives $n$ first order conditions to determine the $n$ investments $T_1^j, T_2^j, \ldots, T_n^j$, which gives $nm$ first order conditions for the $m$ attackers. The value $v_i$ may well differ substantially from $V_i^j$, which may again differ substantially across the $m$ attackers. Analogously, $v$ may differ from $V^j$, which may differ across the attackers. The optimisation programme in (5) and (6) is coupled or linked through the probability $p_i$ of a successful attack on target $i$, which depends on the investments $t_i$ and $T_i^j$, $i = 1, \ldots, n$, $j = 1, \ldots, m$ as specified in Section 5. This gives $n(m + 1)$ first order conditions when there are no constraints on the investments.
With investment constraints, assume that the defender has a resource $r$ and attacker $j$ a resource $R^j$. The utilities in (5) and (6) then become
$$u = -\left(\sum_{i=1}^{n} v_i p_i + v \prod_{i=1}^{n} p_i\right) - r, \quad r = \sum_{i=1}^{n} f_i, \qquad U^j = \sum_{i=1}^{n} V_i^j p_i + V^j \prod_{i=1}^{n} p_i - R^j, \quad R^j = \sum_{i=1}^{n} F_i^j \tag{7}$$
where each agent has $n - 1$ first order conditions, and the $n$-th investment follows from the other $n - 1$ investments using the resource constraints in (7).
7.2. Targets in series
A system with $n$ targets in series functions if all targets function. An example is a transmission line with many parts, each of which can block the transmission. As argued by Bier et al. (2005, 2006), if the attacker is limited to a single attack on a single target, then the defender’s focus should be on the highest value across the $n$ targets, as evaluated by the attacker. If the defender were to equalise losses across targets according to his own perspective, then he might waste money defending targets that the attacker has limited interest in. The defender’s objective function equalises the attacker’s valuations because it is the most cost-effective way to achieve his own goals. Making all targets equally desirable to the attacker is thus the correct strategy. The intuition is the same in mixed equilibrium strategy calculations in game theory where one player randomises to make the other player indifferent in his randomising. A target may have a high $(V^j + V_i^j) p_i$ because it is highly valuable to attacker $j$ (high $V^j + V_i^j$), or because the attack probability $p_i$ for that target is high. Investing to defend another target makes no difference unless target $i$ has been sufficiently well defended through reducing $p_i$. In other words, the defender should adjust $t_1, t_2, \ldots, t_n$ to make the expected damage from an attack on each target equal to each other, as assessed by the attacker. With $m$ attackers, the defender identifies for each target which attacker has the highest $(V^j + V_i^j) p_i$. Once these highest $n$ values have been determined, the defender invests to make these values equal to each other. This does not mean that each target is made equally desirable for each attacker. Instead, it means that the defender invests so that the attacker most interested in a given target places the same value on this target as any of the $m$ attackers most interested in any other target places on this other target. This gives the defender’s expected damage
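and utility⁹
$$d = \max_{\substack{i=1,\ldots,n \\ j=1,\ldots,m}} \left\{ (V^j + V_i^j)\, p_i \right\}, \qquad u = -\max_{\substack{i=1,\ldots,n \\ j=1,\ldots,m}} \left\{ (V^j + V_i^j)\, p_i \right\} - \sum_{i=1}^{n} f_i \tag{8}$$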
The expected damage and utility for attacker $j$ is
$$D^j = \max_{i=1,\ldots,n} \left\{ (V^j + V_i^j)\, p_i \right\}, \qquad U^j = \max_{i=1,\ldots,n} \left\{ (V^j + V_i^j)\, p_i \right\} - \sum_{i=1}^{n} F_i^j \tag{9}$$
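With investment constraints, and resource $r$ for the defender and $R^j$ for attacker $j$, the utilities in (8) and (9) become
$$u = -\max_{\substack{i=1,\ldots,n \\ j=1,\ldots,m}} \left\{ (V^j + V_i^j)\, p_i \right\} - r, \quad r = \sum_{i=1}^{n} f_i, \qquad U^j = \max_{i=1,\ldots,n} \left\{ (V^j + V_i^j)\, p_i \right\} - R^j, \quad R^j = \sum_{i=1}^{n} F_i^j \tag{10}$$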
where each agent has $n - 1$ first order conditions.
If the attacker can attack each target once, then the defender’s expected damage and utility is
$$d = \sum_{i=1}^{n} v_i p_i + v \left(1 - \prod_{i=1}^{n} (1 - p_i)\right), \qquad u = -\sum_{i=1}^{n} v_i p_i - v \left(1 - \prod_{i=1}^{n} (1 - p_i)\right) - \sum_{i=1}^{n} f_i \tag{11}$$
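The expected damage and utility for attacker $j$ is
$$D^j = \sum_{i=1}^{n} V_i^j p_i + V^j \left(1 - \prod_{i=1}^{n} (1 - p_i)\right), \qquad U^j = \sum_{i=1}^{n} V_i^j p_i + V^j \left(1 - \prod_{i=1}^{n} (1 - p_i)\right) - \sum_{i=1}^{n} F_i^j \tag{12}$$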
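
The equalisation argument for the single-attack series case can be turned into an allocation routine. The following is an added example, not code from the article: it assumes one attacker whose investments are held fixed, the ratio form with $m_i = 1$, linear expenditure $f_i = c_i t_i$ and a defender budget as in (10); the function names and the numbers are constructed.

```python
def attack_probability(t, T):
    """Ratio form (2) with one attacker and m_i = 1."""
    return T / (t + T)


def equalising_defence(values, attacks, unit_costs, budget):
    """Spend `budget` so that the largest expected damage, as assessed by
    the attacker, is as small as possible (objective (10), one attacker).

    values[i]      V + V_i, the attacker's valuation of disabling target i
    attacks[i]     T_i > 0, the attacker's investment, held fixed here
    unit_costs[i]  c_i in the linear expenditure f_i = c_i * t_i
    Returns (level, investments); `level` is the common expected damage of
    every target that receives defence.
    """
    if budget < 0 or min(values) <= 0 or min(attacks) <= 0 or min(unit_costs) <= 0:
        raise ValueError("budget must be >= 0; values, attacks, costs must be > 0")

    def plan(level):
        # Solve values[i] * T_i / (t_i + T_i) = level for t_i. A target whose
        # undefended damage is already below `level` receives nothing.
        t = [max(0.0, T * (v / level - 1.0)) for v, T in zip(values, attacks)]
        return t, sum(c * x for c, x in zip(unit_costs, t))

    lo, hi = 0.0, float(max(values))      # plan(hi) costs nothing
    for _ in range(200):                  # bisection on the damage level
        mid = (lo + hi) / 2.0
        if mid <= lo or mid >= hi:        # interval exhausted in floating point
            break
        if plan(mid)[1] > budget:
            lo = mid                      # too ambitious for the budget
        else:
            hi = mid                      # affordable, try a lower level
    return hi, plan(hi)[0]


def expected_damages(values, attacks, investments):
    """(V + V_i) * p_i for each target, as the attacker assesses it."""
    return [v * attack_probability(t, T)
            for v, t, T in zip(values, investments, attacks)]


if __name__ == "__main__":
    # Constructed example: three targets in series, attacker invests 1 in each.
    values, attacks, costs = [10.0, 6.0, 2.0], [1.0, 1.0, 1.0], [1.0, 1.0, 1.0]
    level, t = equalising_defence(values, attacks, costs, budget=2.0)
    print("equalised level:", round(level, 6), "investments:", t)
    print("damages:", expected_damages(values, attacks, t))
    even = [2.0 / 3] * 3
    print("even split damages:", expected_damages(values, attacks, even))
```

With these numbers the low-value third target receives no defence at all, and an even split of the same budget leaves a higher worst-case damage on the first target.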
7.3. Interlinked targets
Some targets are interlinked in manners that are neither fully in parallel nor fully in series. Consider a military force consisting of three targets which are an army, a navy and an air force. If the army is 100% eliminated through a successful attack, then the military force becomes less operational, but not non-operational. The capacity for ground manoeuvres is reduced, which can be partly compensated for by more heavy bombardment and employment of helicopters by the air force, or retraining of the navy to carry out army operations. If the military force had been a fully parallel system, then eliminating the army would not reduce the operability of the military force. Conversely, if the military force had been a fully series system, then eliminating the army would eliminate the operability. Various sufficiently complex combinations of serial and parallel links do not seem to describe the example. For example, consider three serial components, where each component is a parallel system with an army, a navy, and an air force. If the army is eliminated, then the military force still operates as effectively as before. The difference is that each component then has two instead of three parallel links, which reduces the reliability.
Conventional reliability theory refers to such systems as degraded systems. One example is Ebeling’s (1997, pp. 117–118) Markov analysis of a one-component system which can be in one of three states, that is, operational, degraded or failed. Generalisation to more than one component quickly becomes complex.¹⁰ For systems which cannot be described as combined series/parallel systems, there is a need to venture outside reliability theory to explore alternative methods of analysing such systems. One tentative step towards handling such systems is to define the objective function for the defender as a weighted sum of the damage of various combined series/parallel systems. One example is a weighted sum of the damage for a parallel system and a series system, that is,
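$$u = -\left( a \left[ \sum_{i=1}^{n} v_i p_i + v \prod_{i=1}^{n} p_i \right] + (1 - a) \left[ \max_{\substack{i=1,\ldots,n \\ j=1,\ldots,m}} \left[ (V^j + V_i^j)\, p_i \right] \right] \right) - \sum_{i=1}^{n} f_i \tag{13}$$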
where $0 \le a \le 1$. The system is a parallel system when $a = 1$, a series system when $a = 0$, and otherwise a hybrid interlinked system. The problem with (13) from the viewpoint of reliability theory is that it does not refer to a specific underlying system structure, but to a weighted combination of two possible structures. An alternative to (13) is to design an arbitrarily complex series/parallel system which somehow captures the logic of an army, a navy, and an air force. But it is unclear which system captures that logic, and unclear whether an army, a navy and an air force can be represented as a series/parallel system. Equation (13) does not mean that the defender is uncertain about the system structure. We assume an objectively existing world. Instead, it suggests that the phenomenon cannot be captured as a series/parallel system.
Although (13) is not a real physical system, it may be an empirical approximation, where the weight $a$ is determined empirically. Work is required to characterise where on the spectrum between series and parallel systems the behaviour of systems with intermediate series/parallel structure lies.
However uncommon (13) may look, it is reminiscent of functions used in production and consumption theories. There are multiple inputs, and tradeoffs are made between these to maximise production or consumption. One example is the Cobb–Douglas function $y = x_1^{\alpha} x_2^{1-\alpha}$, where $x_1$ and $x_2$ are inputs, and $0 < \alpha < 1$. This would have been a series system if $\alpha = 1/2$, but $\alpha \ne 1/2$ gives unequal weight to the two inputs. If $x_1$ is steak and $x_2$ is potatoes, measured in weight, then $\alpha$ allows giving different weights to steak and potatoes in one’s design of the optimal dinner. Adapting the Cobb–Douglas function to our analysis, one possibility is
$$u = -\left( (v_1 p_1)^{\alpha} (v_2 p_2)^{1-\alpha} + v p_1 p_2 \right) - \sum_{i=1}^{n} f_i \tag{14}$$
Another possibility is
$$u = -\left( ((v + v_1)\, p_1)^{\alpha} ((v + v_2)\, p_2)^{1-\alpha} \right) - \sum_{i=1}^{n} f_i \tag{15}$$
Although (14) and (15) are common in economics, with adequate empirical support (Cobb and Douglas 1928), these are neither a 100% series system nor a 100% parallel system. We think that neither (14) nor (15) on the one hand, or a classical series/parallel system on the other hand, can be considered as more foundational in a philosophical sense. Engineers and economists think differently here, and there seems to be incompatibility between the domains.
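Another function used in production and consumption theories is the constant elasticity of substitution (CES) function $y = [\beta x_1^{\rho} + (1 - \beta) x_2^{\rho}]^{1/\rho}$, where $0 < \beta < 1$, $\rho = (\sigma - 1)/\sigma$, and $\sigma$ is the elasticity of substitution. This function is never a 100% series system since $y$ does not equal zero if one of the inputs $x_1$ or $x_2$ is zero. However, neither is the system a 100% parallel system since reducing either $x_1$ or $x_2$ reduces $y$. Adapting the constant elasticity of substitution function to our analysis, three possibilities are as follows:
$$u = -\left( \sum_{i=1}^{n} \beta_i (v_i p_i)^{\rho} + v \prod_{i=1}^{n} p_i \right)^{1/\rho} - \sum_{i=1}^{n} f_i, \qquad \beta_n = 1 - \sum_{i=1}^{n-1} \beta_i \tag{16}$$
$$u = -\left( \left( \sum_{i=1}^{n} \beta_i (v_i p_i)^{\rho} \right)^{1/\rho} + v \prod_{i=1}^{n} p_i \right) - \sum_{i=1}^{n} f_i, \qquad \beta_n = 1 - \sum_{i=1}^{n-1} \beta_i \tag{17}$$
$$u = -\left( \sum_{i=1}^{n} \beta_i ((v + v_i)\, p_i)^{\rho} \right)^{1/\rho} - \sum_{i=1}^{n} f_i, \qquad \beta_n = 1 - \sum_{i=1}^{n-1} \beta_i \tag{18}$$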
Analogously to (13), the expected utility for attacker $j$ is
$$U^j = a \left[ \sum_{i=1}^{n} V_i^j p_i + V^j \prod_{i=1}^{n} p_i \right] + (1 - a) \left[ \max_{i=1,\ldots,n} \left[ (v + v_i)\, p_i \right] \right] - \sum_{i=1}^{n} F_i^j \tag{19}$$
which attacker $j$ maximises. Analogues to (14)–(18) are straightforward to set up for attacker $j$.
7.4. Interdependent targets
Interdependent systems are systems where the defence of one target impacts other targets, and where the attack on one target usually also impacts other targets. Examples occur within the airline industry, computer networks, fire protection, theft protection, bankruptcy protection, vaccinations. Such systems have been analysed by Kunreuther and Heal (2003). Zhuang, Bier, and Gupta (2007) explore the effects of heterogeneous discount rates on the optimal defensive strategy in such systems. Hausken (2006a) finds that with increasing interdependence, each defending agent free rides by investing less, and suffers lower profit, while the attacker enjoys higher profit. Kunreuther and Heal (2003, p. 232) illustrate
‘by reference to an airline that is determining whether to install a baggage checking system voluntarily. In making this decision it needs to balance the cost of installing and operating such a system with the reduction in the risk of an explosion from a piece of luggage not only from the passengers who check in with it, but also from the bags of passengers who check in on other airlines and then transfer to it.’
Each airline prefers all airlines to install baggage checking systems, but there is a free-rider dilemma. For cyber security, Hausken (2006a) states that
‘When firms are interconnected on a common platform or network such as in a supply chain where upstream suppliers are connected via Electronic Data Interchanges (EDI) to downstream manufacturers or retailers (which is an example of interdependent security), a security vulnerability in either the upstream or downstream firm can also impact the other firms.
Consider the following scenario. Firm j is breached by a group of hackers and since firm i is connected to firm j through a common network (e.g., a virtual private network) it is also susceptible to a breach through the network. Now if firm i has invested in the best anti-intrusion technologies (for simplicity let us imagine installation of the most expensive firewalls at the edges – routers and switches), it is less likely to be hacked. Thus, the probability that firm i gets breached because its security risks are interdependent with firm j is likely to be dependent on the security investments made by both itself and the rival firm. Further the extent of the indirect attack would also depend on how closely connected the two firms are.’
The expected damage and utility for the defender of a system of $n$ interdependent targets are
$$d = \sum_{i=1}^{n} v_i p_i, \qquad u = -\sum_{i=1}^{n} (v_i p_i + f_i) \tag{20}$$
The expected damage and utility for attacker $j$ are
$$D^j = \sum_{i=1}^{n} V_i^j p_i, \qquad U^j = \sum_{i=1}^{n} (V_i^j p_i - F_i^j) \tag{21}$$
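To account for the interdependence, the probability $p_i$ of a successful attack on target $i$ has to be generalised beyond that of Section 6. The ratio form in (2) generalises to
$$p_i = \frac{\sum_{k=1}^{n} \alpha_{ik} \sum_{j=1}^{m} (T_k^j)^{m_k}}{\sum_{k=1}^{n} \alpha_{ik} \left( t_k^{m_k} + \sum_{j=1}^{m} (T_k^j)^{m_k} \right)}, \qquad \alpha_{ik} = 1 \text{ when } i = k, \quad -1 \le \alpha_{ik} \le 1 \text{ when } i \ne k \tag{22}$$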
where $\alpha_{ik}$ expresses the interdependence between target $i$ and target $k$, and $0 \le p_i \le 1$. As $\alpha_{ik} = 1$ when $i = k$, the defender’s defence $t_k^{m_k}$ and attacker $j$’s attack $(T_k^j)^{m_k}$ have full impact for target $i$. Consider target $k$, where $k \ne i$, and assume that $\alpha_{ik}$ is a number between zero and one. Because of the interdependence, attacker $j$’s attack $(T_k^j)^{m_k}$ on target $k$ gets transferred further, with weight $\alpha_{ik}$, to an attack on target $i$. Analogously, the defender’s defence $t_k^{m_k}$ of target $k$ counteracts the attack on target $k$, and counteracts with weight $\alpha_{ik}$ the extent to which that attack gets transferred further to target $i$. The interdependence may also be negative, with a minimum value of $-1$ (Hausken 2007). For example, one firm’s increase in security investment can redirect the agent’s attack to the other firm and therefore reduce the other firm’s contest success.
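Analogously, the difference form in (3) generalises to
$$p_i = \frac{\sum_{k=1}^{n} \alpha_{ik} \sum_{j=1}^{m} \exp[r_k T_k^j]}{\sum_{k=1}^{n} \alpha_{ik} \left( \exp[r_k t_k] + \sum_{j=1}^{m} \exp[r_k T_k^j] \right)}, \qquad \alpha_{ik} = 1 \text{ when } i = k, \quad -1 \le \alpha_{ik} \le 1 \text{ when } i \ne k \tag{23}$$
Without interdependence, that is, $\alpha_{ik} = 0$ for all $i \ne k$, (22) and (23) simplify to (2) and (3), respectively.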
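
The interdependent ratio form (22) is easiest to read as a weighted pooling of each target's defence and attack terms. The following is an added example, not code from the article: the function name, the validation and the two-firm numbers are constructed, and the rejection of results outside $[0, 1]$ is a choice made here to enforce the stated condition $0 \le p_i \le 1$.

```python
def interdependent_ratio_csf(t, T, m, alpha):
    """Ratio form (22): attack success probability for every target.

    t[k]        defender's investment in target k
    T[k]        list of the attackers' investments T_k^1 .. T_k^m in target k
    m[k]        decisiveness parameter m_k
    alpha[i][k] interdependence between targets i and k, alpha[i][i] == 1
    """
    n = len(t)
    for i in range(n):
        if alpha[i][i] != 1:
            raise ValueError("alpha[i][i] must equal 1")
        if any(not -1 <= alpha[i][k] <= 1 for k in range(n)):
            raise ValueError("alpha[i][k] must lie in [-1, 1]")

    offence = [sum(Tj ** m[k] for Tj in T[k]) for k in range(n)]
    defence = [t[k] ** m[k] for k in range(n)]

    probabilities = []
    for i in range(n):
        numerator = sum(alpha[i][k] * offence[k] for k in range(n))
        denominator = sum(alpha[i][k] * (defence[k] + offence[k])
                          for k in range(n))
        # Negative interdependence can cancel the denominator or push the
        # ratio outside [0, 1]; (22) requires 0 <= p_i <= 1, so reject it.
        if denominator <= 0 or not 0 <= numerator / denominator <= 1:
            raise ValueError("parameters give p_%d outside [0, 1]" % (i + 1))
        probabilities.append(numerator / denominator)
    return probabilities


if __name__ == "__main__":
    # Constructed example: firm 1 invests 1 in defence, firm 2 invests 3,
    # and one attacker invests 1 against each; m_k = 1 for both.
    t, T, m = [1.0, 3.0], [[1.0], [1.0]], [1.0, 1.0]
    for a in (0.0, 0.5, 1.0):
        alpha = [[1, a], [a, 1]]
        print("alpha =", a, interdependent_ratio_csf(t, T, m, alpha))
```

In the constructed run, raising the interdependence from 0 to 0.5 lowers the weakly defended firm's attack probability from 0.5 to 0.375 and raises the well defended firm's from 0.25 to 0.3; at 1 both firms face the same pooled probability.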
7.5. Independent targets
Independent targets have no connection with other targets. Examples are geographically remote targets which are self-sufficient with no external impact, or a country’s interests of various kinds abroad. Independent targets are less common in today’s interconnected and complex world, but they are theoretically possible, and targets which are almost independent may be approximated with independent targets. The expected damage and utility for the defender are
$$d = \sum_{i=1}^{n} v_i p_i, \qquad u = -\sum_{i=1}^{n} (v_i p_i + f_i) \tag{24}$$
The expected damage and utility for attacker $j$ are
$$D^j = \sum_{i=1}^{n} V_i^j p_i, \qquad U^j = \sum_{i=1}^{n} (V_i^j p_i - F_i^j) \tag{25}$$
7.6. Multi-use systems¹¹
Examples of ‘multi-use’ systems are various transportation systems, consumption systems or the Internet. Two links may be perceived as being in series for someone trying to go from one point to another, but in parallel for someone trying to go through one of the points to a third point. In consumption, two components may be perceived as strategic complements by some consumers, and strategic substitutes for other consumers. That is, one consumer may require both of two components in order to function (series system), whereas another consumer may function based on any one of the components in sufficient abundance (parallel system). Assume $N$ users and assign weight $w_i$ to user $i$, which expresses how important user $i$ is for the defender of the multi-use system, $\sum_{i=1}^{N} w_i = 1$. If user $i$, $i = 1, \ldots, M$ perceives a series system of two components A and B, the system is defended for user $i$ as if it is a series system. Assume that this gives the optimal defence $t_A^s$ for component A and $t_B^s$ for component B. If user $j$, $j = M + 1, \ldots, N$ perceives a parallel system of the two components A and B, the system is defended for user $j$ as if it is a parallel system. Assume that this gives the optimal defence $t_A^p$ for component A and $t_B^p$ for component B. The two
components then get defences
$$t_A = M t_A^s \sum_{i=1}^{M} w_i + (N - M)\, t_A^p \sum_{i=M+1}^{N} w_i, \qquad t_B = M t_B^s \sum_{i=1}^{M} w_i + (N - M)\, t_B^p \sum_{i=M+1}^{N} w_i \tag{26}$$
which may be rephrased as the weighted sum in (13).
8. An example
Many empirical challenges are involved in determining the makeup of an infrastructure. Assume that thorough analysis has given the system in Figure 3. To determine the expected damage and utility for the defender, let us start with the parallel and series system. Using (5), the parallel targets 2 and 3 have an expected damage:
$$d_{23} = v_2 p_2 + v_3 p_3 + v_{23}\, p_2 p_3 \tag{27}$$
where subscript ‘23’ refers to targets 2 and 3, so that $v_{23}$ is the damage if both targets 2 and 3 are disabled. Joining in target 1, which is in series with 2 and 3 in parallel, and using (8), the expected damage of targets 1–3 is
$$d_{123} = \max[(V_{123} + V_1)\, p_1, D_{23}] \tag{28}$$
where subscript ‘123’ refers to targets 1, 2, 3, and where $D_{23}$ is determined below. Joining in target 4 in parallel, using (5), gives the expected damage
$$d_{1234} = d_{123} + v_4 p_4 + v_{1234}\, p_4\, p_1 [1 - (1 - p_2)(1 - p_3)] \tag{29}$$
where $p_1 [1 - (1 - p_2)(1 - p_3)]$ is the probability of a successful attack on targets 1, 2, 3. Joining in target 5 in series, and using (8), the expected damage of targets 1–5 is
$$d_{12345} = \max[(V_{12345} + V_5)\, p_5, D_{1234}] \tag{30}$$
where $D_{1234}$ is determined below. Targets 6 and 7 are interlinked. Using (13), the expected damage to the defender is
$$d_{67} = a \left[ v_6 p_6 + v_7 p_7 + v_{67}\, p_6 p_7 \right] + (1 - a) \left[ \max[(V_{67} + V_6)\, p_6, (V_{67} + V_7)\, p_7] \right] \tag{31}$$
For targets 1–7 and 11 the contest success functions in Section 6 determine the probability $p_i$ of a successful attack on target $i$. Assume one attacker so that $m = 1$, and suppress the superscript $j$ in the attacker notation. Using (2) and (3) for targets 1–7 and 11, the success probability is
$$p_i^r = \frac{T_i^{m_i}}{t_i^{m_i} + T_i^{m_i}}, \qquad p_i^d = \frac{\exp[r_i T_i]}{\exp[r_i t_i] + \exp[r_i T_i]}, \qquad i = 1, \ldots, 7, 11 \tag{32}$$
where superscripts $r$ and $d$ on $p_i$ refer to the ratio form and difference form, respectively.
Targets 8–10 are interdependent. Using (20), the expected damage for the defender is
$$d_{89,10} = v_8 p_8 + v_9 p_9 + v_{10} p_{10} \tag{33}$$
where the comma in the subscript is used to distinguish ‘10’ from ‘8’ and ‘9’. To determine the probability $p_i$ accounting for the interdependence, the ratio form in (22) gives
$$\begin{aligned}
p_8^r &= \frac{T_8^{m_8} + \alpha_{89} T_9^{m_9} + \alpha_{8,10} T_{10}^{m_{10}}}{t_8^{m_8} + T_8^{m_8} + \alpha_{89} (t_9^{m_9} + T_9^{m_9}) + \alpha_{8,10} (t_{10}^{m_{10}} + T_{10}^{m_{10}})}, \\
p_9^r &= \frac{\alpha_{98} T_8^{m_8} + T_9^{m_9} + \alpha_{9,10} T_{10}^{m_{10}}}{\alpha_{98} (t_8^{m_8} + T_8^{m_8}) + t_9^{m_9} + T_9^{m_9} + \alpha_{9,10} (t_{10}^{m_{10}} + T_{10}^{m_{10}})}, \\
p_{10}^r &= \frac{\alpha_{10,8} T_8^{m_8} + \alpha_{10,9} T_9^{m_9} + T_{10}^{m_{10}}}{\alpha_{10,8} (t_8^{m_8} + T_8^{m_8}) + \alpha_{10,9} (t_9^{m_9} + T_9^{m_9}) + t_{10}^{m_{10}} + T_{10}^{m_{10}}}
\end{aligned} \tag{34}$$
and the difference form in (23) gives
$$\begin{aligned}
p_8^d &= \frac{\exp[r_8 T_8] + \alpha_{89} \exp[r_9 T_9] + \alpha_{8,10} \exp[r_{10} T_{10}]}{\exp[r_8 t_8] + \exp[r_8 T_8] + \alpha_{89} (\exp[r_9 t_9] + \exp[r_9 T_9]) + \alpha_{8,10} (\exp[r_{10} t_{10}] + \exp[r_{10} T_{10}])}, \\
p_9^d &= \frac{\alpha_{98} \exp[r_8 T_8] + \exp[r_9 T_9] + \alpha_{9,10} \exp[r_{10} T_{10}]}{\alpha_{98} (\exp[r_8 t_8] + \exp[r_8 T_8]) + \exp[r_9 t_9] + \exp[r_9 T_9] + \alpha_{9,10} (\exp[r_{10} t_{10}] + \exp[r_{10} T_{10}])}, \\
p_{10}^d &= \frac{\alpha_{10,8} \exp[r_8 T_8] + \alpha_{10,9} \exp[r_9 T_9] + \exp[r_{10} T_{10}]}{\alpha_{10,8} (\exp[r_8 t_8] + \exp[r_8 T_8]) + \alpha_{10,9} (\exp[r_9 t_9] + \exp[r_9 T_9]) + \exp[r_{10} t_{10}] + \exp[r_{10} T_{10}]}
\end{aligned} \tag{35}$$
Target 11 is independent. Using (24), the expected damage for the defender is
$$d_{11} = v_{11} p_{11} \tag{36}$$
Summing up across the 11 targets gives the defender’s expected damage and utility
$$d = d_{12345} + d_{67} + d_{89,10} + d_{11}, \qquad u = -d - \sum_{i=1}^{11} f_i \tag{37}$$
Figure 3. Example of system with 11 targets. Panel titles: parallel and series subsystem; interlinked subsystem; interdependent subsystem; independent subsystem.
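Proceeding to the attacker, the analogous equations are
$$D_{23} = V_2 p_2 + V_3 p_3 + V_{23}\, p_2 p_3 \tag{38}$$
$$D_{123} = \max[(V_{123} + V_1)\, p_1, D_{23}] \tag{39}$$
$$D_{1234} = D_{123} + V_4 p_4 + V_{1234}\, p_4\, p_1 [1 - (1 - p_2)(1 - p_3)] \tag{40}$$
$$D_{12345} = \max[(V_{12345} + V_5)\, p_5, D_{1234}] \tag{41}$$
$$D_{67} = a \left[ V_6 p_6 + V_7 p_7 + V_{67}\, p_6 p_7 \right] + (1 - a) \left[ \max[(V_{67} + V_6)\, p_6, (V_{67} + V_7)\, p_7] \right] \tag{42}$$
$$D_{89,10} = V_8 p_8 + V_9 p_9 + V_{10} p_{10} \tag{43}$$
$$D_{11} = V_{11} p_{11} \tag{44}$$
$$D = D_{12345} + D_{67} + D_{89,10} + D_{11}, \qquad U = D - \sum_{i=1}^{11} F_i \tag{45}$$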
To illustrate a special case of (27)–(45), inserting $v_{23} = v_{1234} = v_{67} = V_{123} = V_{12345} = V_{67} = 0$, applying the ratio form with $m_i = 1$, and assuming interdependence one for components 8–10 expressed with setting all the $\alpha$’s equal to one, gives the expected utilities

$$
\begin{aligned}
u = {} & -\max\big[V_5 p_5,\ \max[V_1 p_1,\ V_2 p_2 + V_3 p_3] + V_4 p_4\big] \\
& - \big(a\,[v_6 p_6 + v_7 p_7] + (1 - a)\,[\max[V_6 p_6,\ V_7 p_7]]\big) \\
& - \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10}} - v_{11} p_{11} - \sum_{i=1}^{11} c_i t_i, \qquad p_i = \frac{T_i}{t_i + T_i}
\end{aligned}
\tag{46}
$$

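for the defender and

$$
\begin{aligned}
U = {} & \max\big[V_5 p_5,\ \max[V_1 p_1,\ V_2 p_2 + V_3 p_3] + V_4 p_4\big] \\
& + a\,[V_6 p_6 + V_7 p_7] + (1 - a)\,[\max[V_6 p_6,\ V_7 p_7]] \\
& + \frac{(V_8 + V_9 + V_{10})(T_8 + T_9 + T_{10})}{t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10}} + V_{11} p_{11} - \sum_{i=1}^{11} C_i T_i
\end{aligned}
\tag{47}
$$
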
for the attacker. As two further simplifications, assume that component 5 is sufficiently more valuable than components 1–4 for the attacker, expressed with $V_5$ being large, and that component 6 is more valuable than component 7 for the attacker, expressed with $V_6 > V_7$. Inserting the expression for the contest success function, Equations (46) and (47) then become

$$
\begin{aligned}
u = {} & -\frac{V_5 T_5}{t_5 + T_5} - \big(a v_6 + (1 - a) V_6\big)\frac{T_6}{t_6 + T_6} - \frac{a v_7 T_7}{t_7 + T_7} \\
& - \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10}} - \frac{v_{11} T_{11}}{t_{11} + T_{11}} - \sum_{i=1}^{11} c_i t_i, \\
U = {} & \frac{V_5 T_5}{t_5 + T_5} + V_6 \frac{T_6}{t_6 + T_6} + a V_7 \frac{T_7}{t_7 + T_7} \\
& + \frac{(V_8 + V_9 + V_{10})(T_8 + T_9 + T_{10})}{t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10}} + \frac{V_{11} T_{11}}{t_{11} + T_{11}} - \sum_{i=1}^{11} C_i T_i
\end{aligned}
\tag{48}
$$

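First, differentiating the utilities with respect to the free choice variables $t_i$ and $T_i$, $i = 1, 2, 3, 4$ gives $t_i = T_i = 0$ when $i = 1, 2, 3, 4$. Second, differentiating the utilities with respect to the remaining free choice variables gives the first order conditions:

$$
\begin{aligned}
\frac{\partial u}{\partial t_5} &= \frac{V_5 T_5}{(t_5 + T_5)^2} - c_5 = 0, &
\frac{\partial U}{\partial T_5} &= \frac{V_5 t_5}{(t_5 + T_5)^2} - C_5 = 0, \\
\frac{\partial u}{\partial t_6} &= \frac{[a(v_6 - V_6) + V_6]\, T_6}{(t_6 + T_6)^2} - c_6 = 0, &
\frac{\partial U}{\partial T_6} &= \frac{V_6 t_6}{(t_6 + T_6)^2} - C_6 = 0, \\
\frac{\partial u}{\partial t_7} &= \frac{a v_7 T_7}{(t_7 + T_7)^2} - c_7 = 0, &
\frac{\partial U}{\partial T_7} &= \frac{a v_7 t_7}{(t_7 + T_7)^2} - C_7 = 0, \\
\frac{\partial u}{\partial t_8} &= \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - c_8 = 0, &
\frac{\partial U}{\partial T_8} &= \frac{(V_8 + V_9 + V_{10})(t_8 + t_9 + t_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - C_8 = 0, \\
\frac{\partial u}{\partial t_9} &= \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - c_9 = 0, &
\frac{\partial U}{\partial T_9} &= \frac{(V_8 + V_9 + V_{10})(t_8 + t_9 + t_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - C_9 = 0, \\
\frac{\partial u}{\partial t_{10}} &= \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - c_{10} = 0, &
\frac{\partial U}{\partial T_{10}} &= \frac{(V_8 + V_9 + V_{10})(t_8 + t_9 + t_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - C_{10} = 0, \\
\frac{\partial u}{\partial t_{11}} &= \frac{v_{11} T_{11}}{(t_{11} + T_{11})^2} - c_{11} = 0, &
\frac{\partial U}{\partial T_{11}} &= \frac{V_{11} t_{11}}{(t_{11} + T_{11})^2} - C_{11} = 0
\end{aligned}
\tag{49}
$$
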
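The second order conditions are

$$
\begin{aligned}
\frac{\partial^2 u}{\partial t_5^2} &= \frac{-2 V_5 T_5}{(t_5 + T_5)^3}, &
\frac{\partial^2 U}{\partial T_5^2} &= \frac{-2 V_5 t_5}{(t_5 + T_5)^3}, \\
\frac{\partial^2 u}{\partial t_6^2} &= \frac{-2 [a(v_6 - V_6) + V_6]\, T_6}{(t_6 + T_6)^3}, &
\frac{\partial^2 U}{\partial T_6^2} &= \frac{-2 V_6 t_6}{(t_6 + T_6)^3}, \\
\frac{\partial^2 u}{\partial t_7^2} &= \frac{-2 a v_7 T_7}{(t_7 + T_7)^3}, &
\frac{\partial^2 U}{\partial T_7^2} &= \frac{-2 a v_7 t_7}{(t_7 + T_7)^3}, \\
\frac{\partial^2 u}{\partial t_8^2} = \frac{\partial^2 u}{\partial t_9^2} = \frac{\partial^2 u}{\partial t_{10}^2} &= \frac{-2 (v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^3}, \\
\frac{\partial^2 U}{\partial T_8^2} = \frac{\partial^2 U}{\partial T_9^2} = \frac{\partial^2 U}{\partial T_{10}^2} &= \frac{-2 (V_8 + V_9 + V_{10})(t_8 + t_9 + t_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^3}, \\
\frac{\partial^2 u}{\partial t_{11}^2} &= \frac{-2 v_{11} T_{11}}{(t_{11} + T_{11})^3}, &
\frac{\partial^2 U}{\partial T_{11}^2} &= \frac{-2 V_{11} t_{11}}{(t_{11} + T_{11})^3}
\end{aligned}
\tag{50}
$$
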
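which are satisfied since $0 \le a \le 1$. For simplicity we set $v_8 = v_9 = v_{10}$, $c_8 = c_9 = c_{10}$, $V_8 = V_9 = V_{10}$, $C_8 = C_9 = C_{10}$ which gives $t_8 = t_9 = t_{10}$, $T_8 = T_9 = T_{10}$. Solving (49) gives

$$
\begin{aligned}
t_5 &= \frac{V_5 C_5}{(c_5 + C_5)^2}, &
T_5 &= \frac{V_5 c_5}{(c_5 + C_5)^2}, \\
t_6 &= \frac{V_6 C_6 [a(v_6 - V_6) + V_6]^2}{[a C_6 (v_6 - V_6) + (c_6 + C_6) V_6]^2}, &
T_6 &= \frac{V_6^2 c_6 [a(v_6 - V_6) + V_6]}{[a C_6 (v_6 - V_6) + (c_6 + C_6) V_6]^2}, \\
t_7 &= \frac{a v_7 C_7}{(c_7 + C_7)^2}, &
T_7 &= \frac{a v_7 c_7}{(c_7 + C_7)^2}, \\
t_8 = t_9 = t_{10} &= \frac{v_8^2 V_8 C_8}{(V_8 c_8 + v_8 C_8)^2}, &
T_8 = T_9 = T_{10} &= \frac{V_8^2 v_8 c_8}{(V_8 c_8 + v_8 C_8)^2}, \\
t_{11} &= \frac{v_{11}^2 V_{11} C_{11}}{(V_{11} c_{11} + v_{11} C_{11})^2}, &
T_{11} &= \frac{V_{11}^2 v_{11} c_{11}}{(V_{11} c_{11} + v_{11} C_{11})^2}
\end{aligned}
\tag{51}
$$
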
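Inserting into the utilities in (48) gives

$$
\begin{aligned}
u = {} & -\frac{V_5 c_5 (c_5 + 2 C_5)}{(c_5 + C_5)^2} - \frac{V_6 c_6 [a v_6 + (1 - a) V_6]\,[c_6 V_6 + 2 C_6 (a(v_6 - V_6) + V_6)]}{[a C_6 (v_6 - V_6) + (c_6 + C_6) V_6]^2} \\
& - \frac{a v_7 c_7 (c_7 + 2 C_7)}{(c_7 + C_7)^2} - 3 v_8 + \frac{3 v_8^3 C_8^2}{(V_8 c_8 + v_8 C_8)^2} - v_{11} + \frac{v_{11}^3 C_{11}^2}{(V_{11} c_{11} + v_{11} C_{11})^2}, \\
U = {} & \frac{V_5 c_5^2}{(c_5 + C_5)^2} + \frac{V_6^3 c_6^2}{[a C_6 (v_6 - V_6) + (c_6 + C_6) V_6]^2} + \frac{a v_7 c_7^2}{(c_7 + C_7)^2} \\
& + \frac{3 V_8^3 c_8^2}{(V_8 c_8 + v_8 C_8)^2} + \frac{V_{11}^3 c_{11}^2}{(V_{11} c_{11} + v_{11} C_{11})^2}
\end{aligned}
\tag{52}
$$
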
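As a numerical check of the worked example, the following added Python example (not code from the article) evaluates the closed-form investments in (51), substitutes them into the utilities in (48), compares the result with (52), and confirms by finite differences that the first order conditions in (49) vanish. All parameter values are constructed; the data set V7 = v7 because (49) and (51) state the attacker's condition for target 7 in terms of v7.

```python
# Added illustration, not code from the paper. Lower case = defender,
# upper case = attacker. All parameter values are constructed for the demo.
from collections import namedtuple

# v, V: defender's / attacker's valuation; c, C: their unit investment costs
Target = namedtuple("Target", "v V c C")
GROUP = (8, 9, 10)                # interdependent targets, interdependence 1
ACTIVE = (5, 6, 7, 8, 9, 10, 11)  # targets 1-4 get t_i = T_i = 0

# Constructed data. V7 = v7 because (49) and (51) write the attacker's
# condition for target 7 with v7; V6 > V7 as the text assumes. v5 is unused:
# (48) values target 5 at V5 for both players.
SAME = Target(3.0, 2.0, 1.0, 1.0)
PARAMS = {5: Target(10.0, 20.0, 1.0, 2.0), 6: Target(8.0, 6.0, 1.0, 1.5),
          7: Target(4.0, 4.0, 1.0, 1.0), 8: SAME, 9: SAME, 10: SAME,
          11: Target(5.0, 3.0, 2.0, 1.0)}
A = 0.4  # interlinking weight a, 0 <= a <= 1

def _six(q, a):
    """Target-6 terms: a(v6 - V6) + V6 and the squared denominator in (51)."""
    w = a * (q.v - q.V) + q.V
    return w, (a * q.C * (q.v - q.V) + (q.c + q.C) * q.V) ** 2

def equilibrium(par, a):
    """Equilibrium investments (t, T) from the closed forms in (51)."""
    t, T = {}, {}
    for i, scale in ((5, par[5].V), (7, a * par[7].v)):
        q = par[i]
        t[i], T[i] = (scale * x / (q.c + q.C) ** 2 for x in (q.C, q.c))
    q = par[6]
    w, d = _six(q, a)
    t[6], T[6] = q.V * q.C * w ** 2 / d, q.V ** 2 * q.c * w / d
    for i in GROUP + (11,):
        q = par[i]
        d = (q.V * q.c + q.v * q.C) ** 2
        t[i], T[i] = q.v ** 2 * q.V * q.C / d, q.V ** 2 * q.v * q.c / d
    return t, T

def utilities(par, a, t, T):
    """Defender's u and attacker's U from (48), ratio form with m_i = 1."""
    p = {i: T[i] / (t[i] + T[i]) for i in (5, 6, 7, 11)}
    pg = sum(T[i] for i in GROUP) / sum(t[i] + T[i] for i in GROUP)
    loss = (par[5].V * p[5] + (a * par[6].v + (1 - a) * par[6].V) * p[6]
            + a * par[7].v * p[7] + sum(par[i].v for i in GROUP) * pg
            + par[11].v * p[11])
    gain = (par[5].V * p[5] + par[6].V * p[6] + a * par[7].V * p[7]
            + sum(par[i].V for i in GROUP) * pg + par[11].V * p[11])
    u = -loss - sum(par[i].c * t[i] for i in ACTIVE)
    U = gain - sum(par[i].C * T[i] for i in ACTIVE)
    return u, U

def closed_form_utilities(par, a):
    """Equilibrium utilities (u, U) from (52)."""
    q5, q6, q7, q8, q11 = (par[i] for i in (5, 6, 7, 8, 11))
    w, d6 = _six(q6, a)
    s5, s7 = (q5.c + q5.C) ** 2, (q7.c + q7.C) ** 2
    d8 = (q8.V * q8.c + q8.v * q8.C) ** 2
    d11 = (q11.V * q11.c + q11.v * q11.C) ** 2
    u = (-q5.V * q5.c * (q5.c + 2 * q5.C) / s5
         - q6.V * q6.c * w * (q6.c * q6.V + 2 * q6.C * w) / d6
         - a * q7.v * q7.c * (q7.c + 2 * q7.C) / s7
         - 3 * q8.v + 3 * q8.v ** 3 * q8.C ** 2 / d8
         - q11.v + q11.v ** 3 * q11.C ** 2 / d11)
    U = (q5.V * q5.c ** 2 / s5 + q6.V ** 3 * q6.c ** 2 / d6
         + a * q7.v * q7.c ** 2 / s7
         + 3 * q8.V ** 3 * q8.c ** 2 / d8 + q11.V ** 3 * q11.c ** 2 / d11)
    return u, U

def max_foc_residual(par, a, t, T, h=1e-6):
    """Largest |du/dt_i| or |dU/dT_i| at (t, T), central differences, cf. (49)."""
    worst = 0.0
    for i in ACTIVE:
        for player in (0, 1):  # 0: defender moves t_i; 1: attacker moves T_i
            vals = []
            for step in (h, -h):
                t2, T2 = dict(t), dict(T)
                (T2 if player else t2)[i] += step
                vals.append(utilities(par, a, t2, T2)[player])
            worst = max(worst, abs(vals[0] - vals[1]) / (2 * h))
    return worst

if __name__ == "__main__":
    t, T = equilibrium(PARAMS, A)
    print(utilities(PARAMS, A, t, T), closed_form_utilities(PARAMS, A))
    print("max first-order residual:", max_foc_residual(PARAMS, A, t, T))
```

With data where V7 differs from v7, the attacker's utility from (48) no longer coincides with (52), which makes this a quick consistency test when re-estimating parameters.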
9. Validating the models
Having developed models by intuitive reasoning and explanations, future research should support the models empirically and validate them. This means estimating and tuning the parameters to match real world cases. Governments continuously work to improve their defence profile. One may start with cases that have occurred, which means that defence investments are known and attack investments may be known, proceed with cases deemed likely to occur, and thereafter consider all targets within a government’s jurisdiction. Parameters can also be estimated experimentally applying the methods common in decision theory.
We first determine the number $n$ of targets which are subject to defence and protection, and the number $m$ of attackers, possibly grouping attackers with similar objectives into fewer attackers. For each target $i$ we estimate $2(m + 1) + 1$ parameters. These are the defender’s and attacker $j$’s unit costs $c_i$ and $C_i^j$ of investment (or further parameters if more complex investment expenditure functions $f_i$ and $F_i^j$ are used), the defender’s and attacker $j$’s target valuations $v_i$ and $V_i^j$, and the decisiveness parameter $m_i$. Additionally come the defender’s and attacker $j$’s system valuations $v$ and $V^j$. If the agents have resource constraints, we estimate $r$ for the defender and $R^j$ for attacker $j$. If the system is interdependent, there are $2\sum_{k=1}^{n-1} k$ interdependence parameters $\alpha_{ik}$ between the $n$ targets. This gives $[2(m + 1) + 1]n + 2(m + 1) + 2\sum_{k=1}^{n-1} k$ parameters.
Let us for the September 11, 2001 attack consider the four targets, the World Trade Center’s North and South Towers, the Pentagon and the White House (which was not hit). The defender’s budget and unit costs of defence for these four targets are confidential information, but are known by the US State Department, and may be estimated from larger and publicly available budgets, or from similar budgets and targets elsewhere. As argued in Section 5, the Pentagon has high unit defence and attack costs, and similar reasoning applies for the White House. The World Trade Center has lower unit defence and attack costs, but its prominence makes the costs larger than for regular office buildings.
As argued in Section 6, the decisiveness is large for targets such as these four. The decisiveness parameter $m_i$ is challenging to estimate exactly in practice, but defining $m_i$ as a fuzzy variable and applying fuzzy logic theory is one method. A second method is to estimate the range of possible variation of $m_i$ and determine the most conservative ‘worst case’ defence strategy assuming that $m_i$ takes the value that is most favourable for attacker $j$, assessing the favourability across the $m$ attackers. Then $m_i$ becomes an additional strategic variable that one of the attackers can choose within the specified range.
Target and system valuations can be estimated by letting people and elected officials rank the value of targets against each other, exploring statements and interviewing defectors and sympathisers of potential attackers, and applying expert judgments. For four simultaneous attacks a first approximation is to set the interdependence parameters equal to zero. Thereafter, it can be assessed how defence of and attack against one target impacts each other target.
When all parameters have been estimated, we proceed to determine the structure of the game, first assuming that the defender and $m$ attackers choose their strategies simultaneously and independently. We solve the game and determine the agents’ optimal investments across the $n$ targets. These investments are compared with actual investments, and an attempt is made to explain and justify possible discrepancies. One may have to go back and retune parameters, or the model analysis may have yielded insights to cause changes in investments. We proceed to consider alternative game structures, for example, sequential games, account for incomplete information and uncertainty, and solve the game anew to determine alternative investments which are again compared against actual investments and policies, and discussed with policy administrators.
10. Conclusion
Infrastructures subject to defence by a strategic defender and attack by multiple strategic attackers are analysed. A framework for analysis is provided. Each agent on the defensive and offensive side faces an optimisation programme that is specified. The strategic decision for each agent is how much to invest in defending versus attacking each target within the infrastructure, how to allocate investments across targets and what kinds of investments are suitable. Operations research, reliability theory, and game theory are merged for optimal analytical impact.
A target can have economic, human and symbolic values. These values are discussed and exemplified, and are generally different for the defender and attackers. Thereafter investment expenditure functions are considered. These can be linear in the investment effort for each agent, concave, convex, logistic, can increase in an incremental step-wise manner, or can be subject to budget constraints. To determine the probability of a successful attack on a target, contest success functions are introduced which depend on the relative investments of the defender and attackers on each target, and on characteristics of the contest over each target such as its decisiveness or intensity, and whether there is a mass effect for investments. Examples of such functions are the ratio and difference forms.
Targets can be in parallel, in series, interlinked, interdependent, independent or multi-use. Interlinked targets are neither fully in parallel nor fully in series, exemplified with a military force consisting of an army, a navy and an air force. For interdependent systems the defence of one target impacts all targets, and the attack on one target usually impacts other targets. Examples are within the airline industry and computer networks. Independent targets are not connected with other targets, for example, because of geographical remoteness or self-sufficiency. Multi-use systems are viewed differently by different agents.
The optimisation programme for the defender and each of multiple attackers is specified. The defender minimises the expected damage plus the defence expenditures, accounting for his valuation of targets. Each attacker maximises the expected damage minus the attack expenditures, accounting for a possibly different valuation of targets. The number of free choice variables equals the number of agents times the number of targets, or lower if there are budget constraints. Investments cannot be negative, and agents may have budget constraints. Each agent is interested in how his investments vary across the targets, and the impact on his utilities.
Infrastructures are built over time. A two period game that is often realistic is to assume that the defender chooses investments in the first period, whereas the attackers choose investments in the second period. Such games are solved with backward induction. The game may be repeated finitely or infinitely many times, with alternating investments for agents or groups of agents, and with different discount parameters for each agent. More generally, each agent may invest or sub-invest in any target at any point in time dependent on how the game evolves.
Defending and attacking infrastructures often involves assessing incomplete information, which may be symmetric or asymmetric across players. Examples of incomplete information are the agents’ valuations of the targets, parameters in the investment expenditure functions or the agents’ discount parameters for repeated games. Finally, an example of a system with 11 targets is analysed.
Acknowledgement
I thank two anonymous referees of this journal and Vicki M. Bier for useful comments.
Notes
1. See http://www.state.gov/s/ct/rls/other/des/123085.htm and http://security.homeoffice.gov.uk/legislation/current-legislation/terrorism-act-2000/proscribed-groups#, retrieved August 6, 2009.
2. In particular, Bier (private communication) observes that simple convexity of the component failure probabilities is not sufficient to yield convexity of their product; one needs log-convexity – which implies, roughly speaking, that the success probability of an attack against any given component decreases faster than exponentially in the level of investment.
3. This superseded earlier infinite recursions of the kind ‘IfI think that you think that I think . . .’
4. An alternative is $V_i^j = v_i + \varepsilon_i$, which is the defender’s valuation plus an error term for target $i$. The error term can reflect attacker lack of information about the defender’s valuations, or attacker-specific goals such as prominence of target $i$, or the cost of attacking target $i$. I thank Vicky Bier for this suggestion.
5. Bier et al. (2006, p. 316) define the probability of success of an attack on a component as a function of the investment by the defender to strengthen that component, where the probability of attack on the system is exogenously given.
6. The decisiveness $m_i$ is a characteristic of the contest. It can be well illustrated by the history of warfare. Low decisiveness occurs for systems that are defendable, predictable, and where the individual components are dispersed, that is, physically distant or separated by barriers of various kinds. Neither the defender nor the attacker can get a significant upper hand. An example is the time prior to the emergence of cannons and modern fortifications in the fifteenth century. Another example is entrenchment combined with the machine gun, in multiply dispersed locations, in World War I. High decisiveness occurs for systems that are less predictable, easier to attack, and where the individual components are concentrated, that is, close to each other or not separated by particular barriers. This may cause ‘winner-take-all’ battles and dictatorship by the strongest. Either the defender or the attacker may get the upper hand. The combination of airplanes, tanks, and mechanised infantry in World War II allowed the offence to concentrate firepower more rapidly than the defence, which intensified the effect of force superiority (Hirshleifer 1995, pp. 32–33).
7. In the conflict literature, this is referred to as egalitarian distribution of an asset independent of effort (investment), so that each agent receives 50%. In our context $m = 0$ gives a certain ‘egalitarianism’ between the defender and the attacker in the sense that the defender obtains half as much reliability as he maximally hopes for. We ignore $m < 0$ which corresponds in one sense to altruism and in another sense to punishing individual investments and placing a premium on laziness.
8. Hirshleifer (1989, p. 104) argues that ‘in a military context we might expect the ratio form of the Contest Success Function to be applicable when clashes take place under close to ‘idealized’ conditions such as: an undifferentiated battlefield, full information, and unflagging weapons effectiveness. In contrast, the difference form tends to apply where there are sanctuaries and refuges, where information is imperfect, and where the victorious player is subject to fatigue and distraction.’ Hence, applying the difference form, in struggles between nations, one side may surrender rather than resist against an unappeasable opponent, with the expectation of not losing everything, realising the cost to the victor of locating and extracting all the spoils.
9. For the parallel system in Section 7.1, one alternative is to let the attacker equalise the vulnerabilities of the targets as perceived by the defender.
10. Conventional reliability theory distinguishes between independent and dependent systems. Ebeling (1997, 108ff) describes dependent systems as systems where ‘component failures are in some way dependent’. Markov analysis is typically applied. Aside from degraded systems, examples are load-sharing systems and standby systems where the breakdown of one component affects the other components.
11. I thank Vicky Bier for suggesting multi-use systems.
Notes on contributor
Kjell Hausken has been Professor of economics and societal safety at the Faculty of Social Sciences, University of Stavanger, Norway, since 1999. He holds a PhD (Thesis: ‘Dynamic Multilevel Game Theory’) from the University of Chicago (1990–1994), was a postdoc at the Max Planck Institute for the Studies of Societies (Cologne) 1995–1998, and a visiting scholar at Yale School of Management 1989–1990. He holds a Doctorate Program Degree (‘Philosophical, Behavioral, and Gametheoretic Negotiation Theory’) in Administration from the Norwegian School of Economics and Business Administration, an MSc degree (Thesis: ‘Nonlinear Bayes Estimation’) in Electrical Engineering (Cybernetics) from the Norwegian Institute of Technology, focusing on mathematics and statistics, and a minor in Public Law from the University of Oslo. He has worked as a Field Engineer for Schlumberger in Oman/Egypt, completed military service at the Norwegian Defence Research Establishment, and has published 90 articles in international journals. Hausken is on the editorial board for Theory and Decision, and Defence and Peace Economics, and has refereed for 40 journals. Introducing strategic interaction into risk analysis, Hausken’s research fields are economic risk management, political economy, information security, public choice, conflict, game theory, reliability, war, crime, terrorism, disaster prevention, stochastic theory, resilience management.
References
Arce, D.G., and Sandler, T. (2007), ‘Terrorist Signaling and the Value of Intelligence’, British Journal of Political Science, 37, 573–586.
Azaiez, N., and Bier, V.M. (2007), ‘Optimal Resource Allocation for Security in Reliability Systems’, European Journal of Operational Research, 181, 773–786.
Beitel, G.A., Gertman, D.I., and Plum, M.M. (2004), Balanced Scorecard Method for Predicting the Probability of a Terrorist Attack, Idaho Falls, Idaho, USA: Idaho National Engineering and Environmental Laboratory.
Bier, V.M., and Abhichandani, V. (2002), ‘Optimal Allocation of Resources for Defense of Simple Series and Parallel Systems from Determined Adversaries’, in Proceedings of the Engineering Foundation Conference on Risk-Based Decision Making in Water Resources X, Santa Barbara, CA: American Society of Civil Engineers.
Bier, V.M., Nagaraj, A., and Abhichandani, V. (2005), ‘Protection of Simple Series and Parallel Systems with Components of Different Values’, Reliability Engineering and System Safety, 87, 315–323.
Bier, V.M., Oliveros, S., and Samuelson, L. (2006), ‘Choosing What to Protect: Strategic Defense Allocation Against an Unknown Attacker’, Journal of Public Economic Theory, 9, 563–587.
Brown, G., Carlyle, M., Salmeron, J., and Wood, K. (2006), ‘Defending Critical Infrastructure’, Interfaces, 36, 530–544.
Carayon, P., Kraemer, S., and Bier, V.M. (2005), ‘Human Factors Issues in Computer and E-business Security’, in Handbook of Integrated Risk Management for E-Business: Measuring, Modeling and Managing Risk, ed. A. Labbi, Florida, UA: J Ross Publishing, pp. 63–85.
Cobb, C.W., and Douglas, P.H. (1928), ‘A Theory of Production’, American Economic Review, 18(Suppl.), 139–165.
Dighe, N., Zhuang, J., and Bier, V.M. (2008), ‘Secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence’, International Journal of Performability Engineering, Special issue on System Survivability and Defense against External Impacts, 5, 31–43.
Dixit, A., and Skeath, S. (1999), Games of Strategy, New York: Norton.
Ebeling, C. (1997), An Introduction to Reliability and Maintainability Engineering, New York, NY: McGraw-Hill.
Enders, W., and Sandler, T. (2003), ‘What Do We Know about the Substitution Effect in Transnational Terrorism?’, in Researching Terrorism: Trends, Achievements, Failures eds. A. Silke and G. Ilardi, Ilfords, UK: Frank Cass. http://www-rcf.usc.edu/~tsandler/substitution2ms.pdf
Enders, W., and Sandler, T. (2006), The Political Economy of Terrorism, New York: Cambridge University Press.
Fudenberg, D.M., and Tirole, J. (1991), Game Theory, Cambridge: MIT Press.
Gal-Or, E., and Ghose, A. (2005), ‘The Economic Incentives for Sharing Security Information’, Information Systems Research, 16, 186–208.
Gordon, L.A., and Loeb, M. (2002), ‘The Economics of Information Security Investment’, ACM Transactions on Information and System Security, 5, 438–457.
Gordon, L.A., Loeb, M., and Lucyshyn, W. (2003), ‘Sharing Information on Computer Systems Security: An Economic Analysis’, Journal of Accounting and Public Policy, 22, 461–485.
Harsanyi, J. (1967/68), ‘Games with Incomplete Information Played by ‘Bayesian Players’’, I-III Management Science, 14, 159–183, 320–334, 486–501.
Hausken, K. (2002), ‘Probabilistic Risk Analysis and Game Theory’, Risk Analysis, 22, 17–27.
Hausken, K. (2005), ‘Production and Conflict Models Versus Rent Seeking Models’, Public Choice, 123, 59–93.
Hausken, K. (2006a), ‘Income, Interdependence, and Substitution Effects Affecting Incentives for Security Investment’, Journal of Accounting and Public Policy, 25, 629–665.
Hausken, K. (2006b), ‘Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability’, Information Systems Frontiers, 8, 338–349.
Hausken, K. (2007), ‘Information Sharing among Firms and Cyber Attacks’, Journal of Accounting and Public Policy, 26, 639–688.
Hausken, K. (2008a), ‘Strategic Defense and Attack for Series and Parallel Reliability Systems’, European Journal of Operational Research, 186, 856–881.
Hausken, K. (2008b), ‘Strategic Defense and Attack for Reliability Systems’, Reliability Engineering & System Safety, 93, 1740–1750.
Hausken, K. (2008c), ‘Strategic Defense and Attack of Complex Networks’, International Journal of Performability Engineering, 4, 341–364.
Hausken, K., and Levitin, G. (2008), ‘Efficiency of Even Separation of Parallel Elements with Variable Contest Intensity’, Risk Analysis, 28, 1477–1486.
Hausken, K., and Levitin, G. (2009), ‘Minmax Defense Strategy for Complex Multi-state Systems’, Reliability Engineering and System Safety, 94, 577–587.
Hirshleifer, J. (1989), ‘Conflict and Rent-seeking Success Functions: Ratio vs. Difference Models of Relative Success’, Public Choice, 63, 101–112.
Hirshleifer, J. (1995), ‘Anarchy and Its Breakdown’, Journal of Political Economy, 103, 26–52.
Kreps, D.M., and Wilson, R. (1982), ‘Sequential Equilibria’, Econometrica, 50, 863–894.
Kunreuther, H., and Heal, G. (2003), ‘Interdependent Security’, The Journal of Risk and Uncertainty, 26, 231–249.
Levitin, G. (2002), ‘Maximizing Survivability of Acyclic Transmission Networks with Multi-state Retransmitters and Vulnerable Nodes’, Reliability Engineering and System Safety, 77, 189–199.
Levitin, G. (2003a), ‘Optimal Multilevel Protection in Series-parallel Systems’, Reliability Engineering and System Safety, 81, 93–102.
Levitin, G. (2003b), ‘Optimal Allocation of Multi-state Elements in Linear Consecutively Connected Systems with Vulnerable Nodes’, European Journal of Operational Research, 150, 406–419.
Levitin, G. (2007), ‘Optimal Defense Strategy against Intentional Attacks’, IEEE Transactions on Reliability, 56, 148–157.
Levitin, G., and Hausken, K. (2008), ‘Protection vs. Redundancy in Homogeneous Parallel Systems’, Reliability Engineering and System Safety, 93, 1444–1451.
Levitin, G., and Hausken, K. (2009a), ‘False Targets Efficiency in Defense Strategy’, European Journal of Operational Research, 194, 155–162.
Levitin, G., and Hausken, K. (2009b), ‘False Targets vs. Redundancy in Homogeneous Parallel Systems’, Reliability Engineering and System Safety, 94, 588–595.
Levitin, G., and Lisnianski, A. (2000), ‘Survivability Maximization for Vulnerable Multi-state Systems with Bridge Topology’, Reliability Engineering and System Safety, 70, 125–140.
Levitin, G., and Lisnianski, A. (2001), ‘Optimal Separation of Elements in Vulnerable Multi-state Systems’, Reliability Engineering and System Safety, 73, 55–66.
Levitin, G., and Lisnianski, A. (2003), ‘Optimizing Survivability of Vulnerable Series-parallel Multi-state Systems’, Reliability Engineering and System Safety, 79, 319–331.
Levitin, G., Dai, Y., Xie, M., and Poh, K.L. (2003), ‘Optimizing Survivability of Multi-state Systems with Multi-level Protection by Multi-processor Genetic Algorithm’, Reliability Engineering and System Safety, 82, 93–104.
Major, J. (2002), ‘Advanced Techniques for Modeling Terrorism Risk’, Journal of Risk Finance, 4, 15–24.
O’Hanlon, M., Orszag, P., Daalder, I., Destler, M., Gunter, D., Litan, R., and Steinberg, J. (2002), Protecting the American Homeland, Washington, DC: Brookings Institution.
Patterson, S.A., and Apostolakis, G.E. (2007), ‘Identification of Critical Locations Across Multiple Infrastructures for Terrorist Actions’, Reliability Engineering and System Safety, 92, 1183–1203.
Phimister, J.R., Bier, V.M., and Kunreuther, H.C. (eds.) (2004), Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence, Washington, DC: National Academies Press.
Powell, R. (2007a), ‘Allocating Defensive Resources with Private Information about Vulnerability’, American Political Science Review, 101, 799–809.
Powell, R. (2007b), ‘Defending against Terrorist Attacks with Limited Resources’, American Political Science Review, 101, 527–541.
Powell, R. (2007c), ‘Allocating Defensive Resources Prior to Attack’, in Paper presented at the Annual Meeting of the ISA’s 49th Annual Convention, Bridging Multiple Divides, Hilton, San Francisco, CA. http://www.allacademic.com/meta/p250775_index.html
Rasmusen, E. (2001), Games and Information, Cambridge: Basil Blackwell, Inc.
Sandler, T., and Enders, W. (2007), ‘Applying Analytical Methods to Study Terrorism’, International Studies Perspectives, 8, 287–302.
Sandler, T., and Siqueira, K. (2006), ‘Global Terrorism: Deterrence versus Pre-emption’, Canadian Journal of Economics, 39, 1370–1387.
Selten, R. (1975), ‘Reexamination of the Perfectness Concept for Equilibrium Points in Extensive Games’, International Journal of Game Theory, 4, 25–55.
Shier, D.R. (1991), Network Reliability and Algebraic Structures, New York, NY: Clarendon Press.
Simon, H. (1969), The Sciences of the Artificial, Cambridge: MIT Press.
Siqueira, K., and Sandler, T. (2007), ‘Terrorist Backlash, Terrorism Mitigation, and Policy Delegation’, Journal of Public Economics, 91, 1800–1815.
Skaperdas, S. (1991), ‘Conflict and Attitudes Toward Risk’, American Economic Review, 81, 116–120.
Skaperdas, S. (1996), ‘Contest Success Functions’, Economic Theory, 7, 283–290.
Straffin, P. (1993), Game Theory and Strategy, Washington, DC: Mathematical Association of America.
Tullock, G. (1980), ‘Efficient Rent-Seeking’, in Toward a Theory of the Rent-seeking Society, eds. J.M. Buchanan, R.D. Tollison and G. Tullock, College Station, TX: Texas A&M University Press, pp. 97–112.
Viscusi, W.K. (2005), ‘The Value of Life’, New Palgrave Dictionary of Economics and the Law (2nd ed.), SSRN: http://ssrn.com/abstract=827205.
Woo, G. (2002), ‘Quantitative Terrorism Risk Assessment’, Journal of Risk Finance, 4, 7–14.
Woo, G. (2003), ‘Insuring against Al-Qaeda’, Insurance Project Workshop, National Bureau of Economic Research, Inc. (Available at: http://www.nber.org/~confer/2003/insurance03/woo.pdf).
Zhuang, J., Bier, V.M., and Gupta, A. (2007), ‘Subsidies in Interdependent Security with Heterogeneous Discount Rates’, Engineering Economist, 52, 1–19.