PLEASE SCROLL DOWN FOR ARTICLE

This article was downloaded by: [Mundy, Gillian][informa internal users] On: 30 November 2010 Access details: Access Details: [subscription number 755239602] Publisher Taylor & Francis Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

International Journal of Systems Science Publication details, including instructions for authors and subscription information: http://www-intra.informaworld.com/smpp/title~content=t713697751

Protecting complex infrastructures against multiple strategic attackers. Kjell Hausken (a). (a) Faculty of Social Sciences, University of Stavanger, N-4036 Stavanger, Norway. First published on: 23 July 2010

To cite this Article: Hausken, Kjell (2011) 'Protecting complex infrastructures against multiple strategic attackers', International Journal of Systems Science, 42: 1, 11 — 29, First published on: 23 July 2010 (iFirst) To link to this Article: DOI: 10.1080/00207720903434789 URL: http://dx.doi.org/10.1080/00207720903434789

Full terms and conditions of use: http://www-intra.informaworld.com/terms-and-conditions-of-access.pdf This article may be used for research, teaching and private study purposes. Any substantial or systematic reproduction, re-distribution, re-selling, loan or sub-licensing, systematic supply or distribution in any form to anyone is expressly forbidden. The publisher does not give any warranty express or implied or make any representation that the contents will be complete or accurate or up to date. The accuracy of any instructions, formulae and drug doses should be independently verified with primary sources. The publisher shall not be liable for any loss, actions, claims, proceedings, demand or costs or damages whatsoever or howsoever caused arising directly or indirectly in connection with or arising out of the use of this material.

Protecting complex infrastructures against multiple strategic attackers


International Journal of Systems Science Vol. 42, No. 1, January 2011, 11–29

Protecting complex infrastructures against multiple strategic attackers

Kjell Hausken*

Faculty of Social Sciences, University of Stavanger, N-4036 Stavanger, Norway

(Received 31 July 2008; final version received 20 October 2009)

Infrastructures are analysed subject to defence by a strategic defender and attack by multiple strategic attackers. A framework is developed where each agent determines how much to invest in defending versus attacking each of multiple targets. A target can have economic, human and symbolic values, which generally vary across agents. Investment expenditure functions for each agent can be linear in the investment effort, concave, convex, logistic, can increase incrementally, or can be subject to budget constraints. Contest success functions (e.g., ratio and difference forms) determine the probability of a successful attack on each target, dependent on the relative investments of the defender and attackers on each target, and on characteristics of the contest. Targets can be in parallel, in series, interlinked, interdependent or independent. The defender minimises the expected damage plus the defence expenditures. Each attacker maximises the expected damage minus the attack expenditures. The number of free choice variables equals the number of agents times the number of targets, or lower if there are budget constraints. Each agent is interested in how his investments vary across the targets, and the impact on his utilities. Alternative optimisation programmes are discussed, together with repeated games, dynamic games and incomplete information. An example is provided for illustration.

Keywords: complex infrastructures; game theory; reliability theory; OR in military; utility theory; defence; attack; contest success function; parallel system; series system; interlinked systems; interdependent systems; independent systems; protection; terrorism; war; conflict

1. Introduction

Our infrastructures are threatened by humans, technology and nature. Population growth and increasing complexity make protection challenging. The September 11, 2001 attack showed that no targets and no methods of operation are out of bounds. Strategic attackers attack targets (assets, components) with economic, human and symbolic value. Strategic decisions for defenders and attackers are as follows: how much to allocate to defence and attack, how to allocate investments across targets and what kinds of defence and attack are appropriate.

Operations research and reliability theory have traditionally been used to solve the defender’s optimisation problem. Assuming static external threats or fixed probabilities of attack, objectives have been to increase the probability of system survival. The literature can be divided into two parts: one part where one defender protects one target within a multi-target system, and the other part where one defender protects an entire system of multiple targets. This article contributes to the latter literature which is relevant for the defence of infrastructures of various kinds at the global, continental, national, regional and local levels.

This article introduces a conceptually new way of thinking. One strategic defender and arbitrarily many fully strategic attackers are considered. The external threat is neither static, fixed nor immutable. An arbitrarily complex system or infrastructure is analysed with targets that are in parallel, in series, interlinked, interdependent and independent. The defender and attackers adapt to each other optimally choosing defensive and offensive investments for each target. The functionality or successful operation of each target depends on the relative investments in defence versus attack. Whether a system functions depends on the agents’ resource allocation across targets, and how the targets are linked together. The defender invests to ensure that the system functions, whereas the attacker invests to ensure that the system does not function.

In contrast to much of earlier research, we analyse the phenomenon from both the defender’s and attackers’ viewpoints. There is a need to account fully for the strategic dimensions associated with the defender and attackers, for the time dimension, and for the ever changing dynamic of the interaction between agents. The proposed framework consists in a model for valuing the targets of the attack for both the defender and the attackers, multiple models for determining the investment effort of the defender and the attackers, multiple models to compute the probability of a successful attack and multiple models for the utility of the agents that take into account how the targets are configured into a system. The article thus implicitly lays out a research agenda.

*Email: [email protected]

ISSN 0020–7721 print/ISSN 1464–5319 online

© 2011 Taylor & Francis

DOI: 10.1080/00207720903434789

http://www.informaworld.com

We consider one single defender and multiple independent attackers which is a realistic scenario and provides policy advice for a single government facing threats from many sources. There are currently 45 proscribed terrorist groups¹ under the Terrorism Act 2000. In addition come unknown groups, rogue states, loose constellations, single individuals and agents who may attack infrastructures without being labelled terrorist groups. Attackers have a broad range of different objectives and apply different methods. Considering the attackers as independent makes the analysis tractable. For attackers with overlapping objectives or coordinated efforts we apply Simon’s (1969) principle of ‘near decomposability’, which means that sufficiently similar attackers are joined to one attacker, and sufficiently different attackers are assumed independent. Considering one defender is realistic since a target is usually owned or controlled by one defender. For multiple owners we join these to one since they usually have a common objective of protecting the target. For targets without owners, the contest success function applied in the formal apparatus allows for interpreting the one defender as an attacker.

Section 2 describes the state-of-the-art literature. Section 3 defines the problem. Section 4 discusses how to value targets, which may have economic, human and symbolic values. Section 5 considers investment expenditure functions for defence and attack. Section 6 evaluates contest success functions. Section 7 describes systems with targets that are in parallel, in series, interlinked, interdependent, independent and multi-use. Section 8 analyses an example. Section 9 suggests methods for validating the models. Section 10 concludes.

2. The state-of-the-art literature

Cost-effective risk reduction strategies applying reliability theory have been developed by Levitin (2002, 2003a,b), Levitin and Lisnianski (2000, 2001, 2003) and Levitin, Dai, Xie, and Poh (2003). Objectives have been to increase the probability of system survival, and harden targets optimally. A main limitation is that the literature has traditionally considered the external threat to be static, fixed and immutable, for example, by assuming a fixed probability and magnitude of attack. Some research applying game theory considers isolated targets (see, e.g. Major 2002; O’Hanlon et al. 2002; Woo 2002, 2003).

For multiple targets, one strand of literature associates one defender with each target. Conflicts then arise in series, parallel and summation systems over which player(s) prefer(s) to incur the cost of risk reduction. Individual strategies at the subsystem level generally conflict with collective desires at the system level. Hausken (2002) lets each agent dichotomously choose a strategy which for his component causes either reliability zero with no cost of effort or reliability one for a fixed cost of effort. He finds that the series, parallel and summation systems frequently correspond to the coordination game, the battle of the sexes and the chicken game, and prisoner’s dilemma, respectively. Kunreuther and Heal (2003), Zhuang et al. (2007), and Hausken (2006a) analyse interdependent systems. Enders and Sandler (2003) and Hausken (2006a) analyse the substitution effect which causes a strategic attacker to substitute into the most optimal attack allocation across multiple targets, and the income effect which eliminates parts of the attacker’s resource base. Within cyber security Gordon and Loeb (2002) and Gordon, Loeb, and Lucyshyn (2003) determine the optimal investment for information protection, and Gal-Or and Ghose (2005) analyse how market characteristics affect security investment.

Another strand of literature, to which this article adds new dimensions, lets one defender defend an entire system. Earlier promising research by Bier and Abhichandani (2002) and Bier, Nagaraj, and Abhichandani (2005) for series and parallel systems with independent targets has assumed that the defender minimises the success probability and expected damage, respectively, of an attack. The success probability is assumed to depend on the resources expended by the defender to strengthen each target. The probability of an attack is exogenously given. Bier et al. (2005, p. 322) show that ‘if one component is more valuable than another, but has a lower probability of being attacked, then the more vulnerable but less valuable component may be more likely to be attacked, and hence merit greater investment.’ Bier, Oliveros, and Samuelson (2006) analyse the optimal allocation of defensive resources in the face of uncertainty about attacker goals, motivations and valuations of potential targets. The defender allocates defence to a collection of locations whereas an attacker chooses a location to attack. They show that the defender allocates resources in a centralised, rather than decentralised, manner, and that the optimal allocation of resources can be non-monotonic in the value of the attacker’s outside option. Furthermore, the defender prefers its defence to be public rather than secret. Also, the defender sometimes leaves a location undefended and sometimes prefers a higher vulnerability at a particular location even if a lower risk could be achieved at zero cost. Azaiez and Bier (2007) assume that the success probability of an attack on each target is constant, and that the defender attempts to deter attacks by making them as costly as possible to the attacker. This enables them to find closed-form results for systems with moderately general structures with both parallel and series subsystems. Dighe, Zhuang, and Bier (2008) consider secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence. See Carayon, Kraemer, and Bier (2005) for the role of human factors in computer and e-business security, Phimister, Bier, and Kunreuther (2004) for reducing technological risk through diligence, accident precursor analysis and management, and Hausken (2008a) for defence and attack of series and parallel systems.

Some research, for example, Brown, Carlyle, Salmeron, and Wood (2006), has focused on interdiction models, attacker–defender models, and related defender–attacker–defender models. These assume a hierarchical structure for decision making. In a defender–attacker–defender model, the defender first invests in protecting infrastructure, subject to a budget constraint. Then, a resource-constrained attack is carried out. Finally, the defender operates the residual system as best possible. Brown et al. (2006) exemplify with border control, the US strategic petroleum reserve and electric power grids. Patterson and Apostolakis (2007) rank geographic regions to allow decision makers to determine critical locations susceptible to terrorist attacks. Levitin (2007) considers optimal defence strategy against intentional attacks, and Hausken and Levitin (2009) consider minmax defence strategy for complex multi-state systems. Hausken and Levitin (2008) analyse how to separate elements when the decisiveness (intensity) parameter changes through the separation process. Levitin and Hausken (2008, 2009a,b) consider the role of redundancy and false targets.

Within political economy and political science, strategic interaction has been accounted for more extensively. Enders and Sandler (2006) provide an overview of the nature of terrorism, and Sandler and Enders (2007) evaluate policy effectiveness and quantify the economic impact of terrorism. More specifically, Arce and Sandler (2007) present a model of terrorist attacks as signals where the government is uncertain about whether it faces a politically motivated or militant opponent. They determine two types of ex post regret: P-regret, where the government concedes to political types that would not subsequently attack; and M-regret, where the government does not concede to militant types that subsequently attack at greater levels. They then define a measure of the value of intelligence based on avoiding such regret. Counterterrorism policy involves whether a government should focus on increased intelligence versus increased security defined as hardening targets. They evaluate the use of asset freezing in terms of the resources required by terrorists to reach objectives. Their article supports the empirical finding of intertemporal substitution of resources by terrorists.

Sandler and Siqueira (2006) analyse two anti-terrorism policies when a nation is at risk at home and abroad. The deterrence decision involves external benefits and costs, whereas pre-emption typically gives external benefits when the threat is reduced for all potential targets. They show that with damages limited to home interests, a country overdeters. In contrast, for globalised terror, a country underdeters. Furthermore, pre-emption is usually undersupplied. They show that leader–follower behaviour decreases deterrence inefficiency, but worsens pre-emption inefficiency, compared with simultaneous-choice allocations. Finally, targeted nations can never achieve the proper counterterrorism policy through leadership.

Siqueira and Sandler (2007) analyse a three-stage proactive game with terrorists, elected policymakers and voters. In each of two countries, a representative voter chooses an elected policymaker who determines proactive countermeasures to reduce a transnational terrorist threat. The voters’ strategic choice is influenced by free riding on the other countries’ countermeasures, and limiting a reprisal terrorist attack. The free riding causes low proactive countermeasures which benefit the terrorists. This gives a delegation problem where leadership by voters has a detrimental consequence on the well-being of targeted countries. The authors finally consider how domestic politics impacts how a terrorist threat is addressed.

Powell (2007a) shows that in many resource-allocation problems, strategic adversaries move sequentially and are likely to have private information about the effectiveness of their spending. It argues, as this article also does, that a defender often has to determine its defensive before an attacker decides where to attack. Defenders are also likely to have private information about the vulnerability of the assets they protect. The author argues that sequential decisions and private information about effectiveness cause a dilemma for the defender. Allocating more to a highly vulnerable site reduces the expected losses if that site is attacked, but also draws the attacker’s attention which increases the probability of an attack. Modelling as a signalling game, the analysis shows that secrecy concerns are generally stronger than vulnerability concerns when more vulnerable sites are weakly harder to protect on the margin. This causes the defender to allocate its resources independently of vulnerability. In contrast, if more vulnerable sites are easier to protect on the margin, then vulnerability concerns may be stronger than secrecy concerns.

Powell (2007b) considers a defender’s resource distribution against a strategic adversary in four settings. First, resources allocated to protecting one site have as a benchmark no effect on other sites. Second, the defender can allocate resources to border defence, intelligence or counterterrorist operations which may protect all sites. Third, threats can have strategic and non-strategic components. Fourth, the defender can be unsure of the terrorists’ preferred targets. The author determines the optimal defence allocation in these four settings.

Realising that all potential targets cannot be defended, Powell (2007c) analyses a defence allocation across multiple sites before an attacker chooses where to attack. As also done in this article, the defender allocates its resource to minimise the attacker’s maximum payoff. The author finds that this defence allocation is unique regardless of whether the game is zero- or non-zero-sum or is static or dynamic.

3. Problem definition

An infrastructure system is considered with $n$ components or targets in parallel, in series, in combined series/parallel, or independent. We also consider systems which we refer to as interlinked or interdependent. Infrastructure refers to assets that support an economy, such as roads, power supply, telecommunications systems, water supply, political and economic institutions, businesses, schools, hospitals, recreational facilities and other assets. A defender minimises the expected damage of the system and the investment expenditure incurred to protect the system, which is formulated as a utility that can be maximised. Damage measures the economic, human and symbolic value, including a system’s ability to function in a reliable manner according to its stated objective, such as serving a population.

Investment expenditures to protect a system can mean hardening targets defensively. We consider $m$ attackers who maximise the expected damage minus the investment expenditure, expressed as a utility. The system can be destroyed, eliminated or its parts can be disabled. Examples are to contaminate water supplies, destroy roads, eliminate power generators, cut communications lines and attack government officials or hospital personnel chemically. The $m$ attackers are assumed to operate independently. If some attackers are dependent or strongly interlinked, then these may for the purpose of analysis be perceived as merged into a unitary agent.

We consider $n$ defence investments $t_1, t_2, \ldots, t_n$ for the $n$ targets, and $nm$ attack investments $T_1^j, T_2^j, \ldots, T_n^j$, $j = 1, \ldots, m$. The agents are concerned about how their investments vary across the $n$ targets, the sum of their investments, and the impact on their utilities. In the benchmark case considered in this article the defence and attack investments are made simultaneously and independently for each of the $n$ targets. This gives a non-cooperative game between $m+1$ agents who together have $n(m+1)$ free choice variables. Let us briefly describe the conventional method for solving such a game. A first step is to solve the first order conditions. Assuming utility $u$ for the defender and utility $U^j$ for attacker $j$, the defender calculates $\partial u/\partial t_i = 0$ and attacker $j$ calculates $\partial U^j/\partial T_i^j = 0$ for the $n$ targets to maximise their utilities. This gives $n(m+1)$ first order conditions. For some cases, solving these equations gives one unique interior solution. More generally, for unconstrained optimisation of a multi-variable function, maximum utilities exist when the first order conditions are satisfied, the Hessian matrices are negative semi-definite, and one accounts for corner solutions.

The defender and attackers may be subject to constraints of various kinds which can give corner solutions. None of the $n(m+1)$ investments can be negative. Negativity is avoided by setting such investments to zero, one by one, and determining the optimal values for the other investments. Other examples are a total budget constraint for each agent, or a constraint for each target for each agent for economic or other reasons. Parts of an agent’s budget may be ‘frozen’, as is the case for some terrorist organisations. Budget constraints reduce the number of first order conditions accordingly. If $m+1$ agents each have one budget constraint, there are $(n-1)(m+1)$ first order conditions. For constrained optimisation, the Kuhn–Tucker conditions are sufficient for optimality of convex programmes. Bier and Abhichandani (2002) find that the failure probability for a simple parallel system is not necessarily convex.² Hausken (2008b,c) applies a contest success function and shows that the second order conditions are not necessarily satisfied when the decisiveness (intensity) of conflict between two adversaries is large.

Today’s computers are well equipped to solve this optimisation programme, injecting the utilities, free choice variables and constraints. A variety of search methods and computational approaches, for example, hill climbing and Runge–Kutta methods, can be applied by the defender, the attackers and outside analysts, to determine optimal solutions.
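The first-order-condition procedure with corner solutions described above, as an added worked example (not code from the article). It assumes independent targets, linear expenditures with unit costs, and a ratio-form contest success function in which attacker j succeeds on a target with probability T_j / (t + sum of all T); the function names and the sample targets are constructed for illustration.

```python
# Added example (not from the article). Assumed model: independent targets,
# linear expenditures, ratio-form contest success function, decisiveness 1.

def solve_target(v, c, V, C):
    """Equilibrium investments (t, [T_1..T_m]) on one target.

    v, c : defender's value of the target and unit cost of defence
    V, C : per-attacker values of the target and unit costs of attack
    """
    m = len(V)
    # beta_k = unit cost / value. With X = t + sum(T), every first order
    # condition reduces to (X - x_k) / X**2 = beta_k, so x_k = X*(1 - beta_k*X),
    # and summing over the K active agents gives X = (K - 1) / sum(beta).
    beta = [c / v] + [C[j] / V[j] for j in range(m)]
    active = list(range(m + 1))              # index 0 is the defender
    while True:
        X = (len(active) - 1) / sum(beta[k] for k in active)
        x = {k: X * (1.0 - beta[k] * X) for k in active}
        worst = min(active, key=x.get)
        if x[worst] >= 0.0 or len(active) == 2:
            break
        active.remove(worst)                 # corner: set to zero, re-solve rest
    t = max(x.get(0, 0.0), 0.0)
    T = [max(x.get(j + 1, 0.0), 0.0) for j in range(m)]
    return t, T


def attack_success_probability(t, T):
    """Ratio form: probability that some attacker disables the target."""
    return sum(T) / (t + sum(T))


def defender_utility(t, T, v, c):
    """Minus (expected damage plus defence expenditure) on one target."""
    return -v * attack_success_probability(t, T) - c * t


def attacker_utility(j, t, T, V, C):
    """Attacker j's expected damage minus attack expenditure on one target."""
    return V[j] * T[j] / (t + sum(T)) - C[j] * T[j]


def marginals(t, T, v, c, V, C, h=1e-6):
    """Central-difference check of [du/dt, dU^1/dT^1, ..., dU^m/dT^m]."""
    grads = [(defender_utility(t + h, T, v, c)
              - defender_utility(t - h, T, v, c)) / (2 * h)]
    for j in range(len(T)):
        up = T[:j] + [T[j] + h] + T[j + 1:]
        dn = T[:j] + [T[j] - h] + T[j + 1:]
        grads.append((attacker_utility(j, t, up, V, C)
                      - attacker_utility(j, t, dn, V, C)) / (2 * h))
    return grads


def solve_system(targets):
    """n independent targets decouple: solve the (m+1) conditions per target."""
    return {name: solve_target(*params) for name, params in targets.items()}


# Constructed sample: two targets, one defender, two attackers.
# Each entry is (v, c, [V^1, V^2], [C^1, C^2]).
TARGETS = {
    "substation": (100.0, 1.0, [100.0, 30.0], [1.0, 1.0]),
    "pumping station": (60.0, 1.0, [60.0, 40.0], [1.0, 1.0]),
}

if __name__ == "__main__":
    for name, (t, T) in solve_system(TARGETS).items():
        g = marginals(t, T, *TARGETS[name])
        print(f"{name}: t={t:.3f} T={[round(x, 3) for x in T]} "
              f"p={attack_success_probability(t, T):.3f} "
              f"marginals={[round(d, 4) for d in g]}")
```

On the first target the weaker attacker is deterred (zero investment, negative marginal utility), while on the second all three first order conditions hold in the interior.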


Complex infrastructures and systems of targets are usually built up over time. Defences are usually also built up over time in association with the values of the targets, subject to various budgets, allocation procedures, political processes, precedent, historical inertia and other influences. Hence an alternative to the benchmark static game is a two period game where the defender invests in the first period and the attackers invest simultaneously in the second period. The game is solved with backward induction. The second period is solved first, which means calculating $\partial U^j/\partial T_i^j = 0$ and solving the $nm$ first order conditions for the $m$ attackers to determine $T_1^j, T_2^j, \ldots, T_n^j$, $j = 1, \ldots, m$, conditional on $t_1, t_2, \ldots, t_n$ having been determined in the first period. This means that the $T_i^j$’s are determined as functions of the $t_i$’s. Thereafter, the first period is solved, inserting these $T_i^j$’s into $u$ for the defender. $\partial u/\partial t_i = 0$ is calculated and the $n$ first order conditions are solved which gives the optimal $t_1, t_2, \ldots, t_n$ for the defender in equilibrium. Finally, the $t_i$’s are inserted into the $T_i^j$’s to determine the equilibrium solution for the $m$ attackers. Of course, the same caveats discussed above also apply for repeated games.

Examples of more complex repeated or dynamic games are as follows. First, the defender and attackers may invest simultaneously and independently in a finitely repeated or infinitely repeated game where each agent has a different discount parameter. Common equilibrium concepts for repeated games are sequential equilibrium (Kreps and Wilson 1982) and trembling-hand perfect equilibrium (Selten 1975). Second, the defender and attackers may invest alternately in successive time periods. Third, the defender and subsets of attackers may invest in prescribed manners in successive time periods. Fourth, each agent may invest in one target or subset $k$ of targets, $k = 1, \ldots, n$, in successive periods, in prescribed manners for the defender and attackers. Fifth, each agent may split his investment in target $i$ into arbitrarily many sub-investments to be deployed in successive periods, either in prescribed manners, or dependent on how the game evolves according to an updating mechanism. Sixth, an attacker may divide his investment into many small subsequent investments to observe whether small early investments have impact. Seventh, in a dynamic game with continuous time, each agent may invest or sub-invest in any target at any point in time dependent on how the game evolves.

Defending and attacking infrastructures often involve assessing incomplete information (Fudenberg and Tirole 1991; Straffin 1993; Dixit and Skeath 1999; Rasmusen 2001). Incomplete information can be symmetric or asymmetric across players, for example, one-sided, two-sided, or $(m+1)$-sided. Prominent candidates for incomplete information are the defender’s and attackers’ valuations and weights for the economic, human and symbolic values of target $i$, and the values of system operability for the defender and attackers. Parameters in the investment expenditure functions for the defender and attackers can also be incompletely known. For repeated games the agents’ discount parameters can be incompletely known. The common method to model incomplete information is to apply the Harsanyi doctrine (Harsanyi 1967/68). Each player knows his own characteristics, but forms a subjective probability distribution over the alternative possibilities, or types, of incomplete information for the other players.³ A player’s type is his characteristics of psychological, physical or other nature. Incomplete information can be introduced for static games, or repeated or dynamic games. For games where time plays a role, incomplete information can be updated successively, using for example Bayesian updating, as more information gets compiled by each player about the strategies chosen by all players as the game evolves.

Most defenders have to handle attackers who differ greatly in objectives, skills, methods of operation and degrees of sanity. Examples are thieves, terrorists, disgruntled ex-employees, technological breakdowns and natural disasters. Assuming multiple attackers may imply that a particular level of defence may deter some attackers, but not others. This means that from the defender’s point of view, the likelihood of a successful attack may be a non-convex function of the defensive investment, even if to each individual attacker, the likelihood of success is convex in the level of defensive investment.

For probabilistic scenarios stochastic optimisation is applicable. Scenarios are probabilistic when the agents are unsure about characteristics of each other or their surroundings, such as unit costs of defence and attack, decisiveness parameters, utility functions, the role of time in their interaction, whether strategies are observable or not, whether defences are present or attacks occur and other factors. A variety of strategies can be determined to be optimal or robust towards such kinds of uncertainty.

4. How to value targets: economic, human and symbolic values

A target or component can be conceived to have economic value, human value and/or symbolic value. These are generally different for the defender and attackers, perceived subjectively for each agent, different across attackers, and may be unknown to others, and sometimes unknown to oneself if a valuation has not been made or is difficult to make. We could consider other kinds of values than these, but these have been common in the literature. Three values for each target are sufficient for many purposes, and make the analysis tractable. Most targets possess two or three of these kinds of values.

These can be substitutes or complements for each other. They are perfect substitutes when the three values are equivalent and all agents are motivated equivalently to keep, preserve, capture or destroy a target measured with any of the values. They are perfect complements when the total value is the sum of the three individual values so that, for example, the human value supplies to the total value what the economic value and symbolic value do not supply. Let us consider three stereotypical examples.

First, a target such as $1 million has economic value, no human value and usually limited symbolic value. $1 million may earn symbolic value dependent on the owner, the attacker, dependent on how it is obtained, how it is subsequently used (e.g., destroyed), how it is represented (e.g., in 100 dollar bills), and whether it is represented in US dollars or alternatively in yen, euro or renminbi.

Second, a target such as one human being hashuman value which can be considered to be infinite inphilosophical or religious terms, and symbolic valuedependent on the nationality, competence, age, sex,conviction and other characteristics of the human. Theeconomic value is statistically often calculated as thecost of reducing the average number of deaths by one.Applying wage-fatality risk tradeoffs, a commonestimate for the value of a statistical life is $7 millionfor US workers (Viscusi 2005). Insurance values areoften lower, for example, $1 million for trains and$20,000 for automobiles.

Third, a target such as the US Statue of Liberty hassubstantial symbolic value, and no human value. Theeconomic value can in one sense be calculated from theraw materials, one hundred tons of copper, priced at$5000 per ton, and 125 tons of steel, priced at $600 perton, gives $575,000. In other senses, the economicvalue can be determined from its sales value if it wereto be auctioned to the highest bidder, its reconstructionor replacement value if it were to be stolen ordestroyed, or its value in impacting the US economy,measured in some manner.

Bier et al. (2005, p. 316) consider the ‘inherent valueof a target,’ defined as ‘the loss incurred by thedefender if a component is disabled.’ Similarly, theyconsider ‘the value of system functionality,’ defined as‘the loss (in dollar terms) incurred by the defender ifthe system is disabled.’ These losses can haveeconomic, human and/or symbolic dimensions. If atarget or system is disabled, then repairing or replacingit can be given a value in dollar terms. Beitel, Gertman,

and Plum (2004) present six measures for the value of atarget, with formulas for each. These are loss of life,primary economic loss, national economic stress andinconvenience, decrease presence considered undesir-able by an attacker, increase presence considereddesirable by an attacker, opportunity to leverage withother terrorists.

The total value of a target has to be determined with care. For the defender we define the economic value of target $i$ as $e_i$, the human value as $h_i$, and the symbolic value as $s_i$. To allow these to be combinations of substitutes and complements of each other, the defender assigns subjective weights $w_e$, $w_h$, and $w_s$ to these. We define the total value of target $i$ to the defender as $v_i = w_e e_i + w_h h_i + w_s s_i$. For attacker $j$ we analogously introduce subjective weights $W_E^j$, $W_H^j$, and $W_S^j$, which gives the total value of target $i$ as $V_i^j = W_E^j E_i^j + W_H^j H_i^j + W_S^j S_i^j$.$^{4}$

5. Investment expenditure functions for defence and attack

Generally, targets have to be produced, maintained, repaired, inspected and defended. There is a tradeoff between how much to invest in these various activities. The defender may prefer or need a high quality target, but high quality targets are more likely to be attacked, which suggests a high defence cost. Hausken (2005) analyses the tradeoffs an agent makes between producing and defending a target when facing other attacking agents. This approach is contrasted with the approach where the value of the target is exogenously given but subject to defence and attack. Our infrastructures have been produced over time and are gradually improved, repaired, inspected, etc., subject to various tradeoffs. For our purpose, to make the analysis tractable, we consider the infrastructure or system as exogenously given, as has been common in the rent seeking literature. We define defence and attack broadly. Defence means protection against attack, maintenance to prevent breakdown and repair if the system breaks down. Attack means intentional attack, which can be supported by non-intentional factors such as technology and nature to disable the system.

Generally, to defend target $i$ with exogenously given value $v_i$, the defender incurs an investment effort $t_i$ (investment, for short) which is a vector with elements that are capital and labour of various kinds. We simplify to the scalar $t_i$. The investment expenditure is $f_i = f_i(t_i)$, measured in dollar terms, where $\partial f_i/\partial t_i > 0$. The function $f_i$ can take many different forms. First, it can increase linearly in $t_i$ defined as $f_i = c_i t_i$, where $c_i$ is unit cost of defence investment for target $i$. Higher $c_i$ means greater defence inefficiency, and $1/c_i$ is the efficiency. Second, $f_i$ can increase concavely in $t_i$, $\partial^2 f_i/\partial t_i^2 < 0$, which occurs when there is economy of scale. For example, one unit of effort may be expensive to produce, but producing further units may get successively cheaper as routine, division of labour and coordination simplify. Third, and conversely, $f_i$ can increase convexly in $t_i$, $\partial^2 f_i/\partial t_i^2 > 0$, which occurs when there are diseconomies of scale. For example, one worker may easily generate the first unit of effort if little physical or mental effort is required. However, producing additional units of effort may get successively more expensive as physical and mental exhaustion, strain, wear and tear, start to operate. Going that extra mile may get extremely burdensome and costly. Fourth, $f_i$ can increase logistically, which means convexly for small $t_i$ and concavely for large $t_i$. Generating marketing effort often takes this form. Initial marketing is expensive with limited impact. As the expense exceeds certain thresholds, impact improves due to cascades and ripple effects. Thereafter, impact is substantial due to economy of scale. Fifth, $f_i$ can increase in an incremental step-wise manner. For example, a target may be defended by one type of technology up to a certain level, whereas more extensive defence may require investment in a different type of technology. For example, the employment of highly skilled security personnel trained to run 24-h surveillance may be needed to handle certain attacks. Sixth, $f_i$ can be subject to budget constraints which for political or other reasons may prevent investment beyond a certain level to defend target $i$.

Let us consider two examples. First, if the target produces goods and services (food, water, education, health services, communication, transportation) the defence investment includes securing the target with human forces, technological factors, surveillance, reconnaissance, encryption and deterrence. Second, if the target is a cyber security system, the defender installs firewalls, applies encryption, hires experts in security and develops intrusion detection systems.

Let us then consider attacker $j$ where analogous reasoning applies. To attack target $i$ with value $V_i^j$, the attacker incurs an investment effort $T_i^j$, a vector consisting of capital and labour. Simplifying to the scalar $T_i^j$, the investment expenditure is $F_i^j = F_i^j(T_i^j)$, measured in dollar terms, where $\partial F_i^j/\partial T_i^j > 0$. If $F_i^j$ is linear, we set $F_i^j = C_i^j T_i^j$, where $C_i^j$ is the unit cost of investment for target $i$, analogously to $c_i$ for the defender. Alternatively, $F_i^j$ may be concave ($\partial^2 F_i^j/\partial (T_i^j)^2 < 0$), convex ($\partial^2 F_i^j/\partial (T_i^j)^2 > 0$), logistic, a step function or subject to a budget constraint.

Let us consider the same two examples from the perspective of attacker $j$. First, if the target is involved in production of goods and services, etc., the attacker channels investment into destruction, theft, interference, manipulates information and seeks to avoid surveillance and detection. Second, if the target is a cyber security system, the attacker attempts to break through the defence, works around the protection set up by security experts, hacks through firewalls, deciphers the encryption and avoids intrusion detection. The attack decreases the system’s reliability through appropriating or destroying something of value associated with the system, or taking control over factors which decrease system reliability.

There is variability across targets for the cost functions. The residences and offices of state leaders have high unit defence and attack costs. More open systems, such as assemblies for nationally elected officials or government offices with frequent visitation, have lower unit attack cost. Dispersed transportation systems have high unit defence cost since these have to be defended in many locations, and low unit attack cost. A concentrated non-dispersed asset stored to avoid easy access, for example, in a remote area, has low unit defence cost and high unit attack cost. Common assets usually have both low unit defence and attack costs.

6. Contest success function

Whether a target is operational or not depends on the relative investments by the defender and attackers, which determine the reliability of the target, and thus also determine the success of defence and success of attack.$^{5}$ We define the probability of a successful attack on target $i$ as

$$p_i = p_i(t_i, T_i^1, \ldots, T_i^m, m_i, r_i), \qquad \partial p_i/\partial t_i < 0, \qquad \partial p_i/\partial T_i^j > 0 \tag{1}$$

assuming $m$ attackers, where $m_i$ and $r_i$ are parameters. The probability of a successful attack decreases in the defensive investment, and increases in the offensive investment. The successful attack probability equals the unreliability of target $i$, which equals one minus the reliability, and corresponds to the asset in the conflict literature. There is conflict over unreliability between the defender and the attackers, just as there is conflict over an asset between multiple contenders. The probability $p_i$ can depend on $t_i$ and $T_i^j$ in extremely many different ways. The two most common contest success functions are the ratio and difference forms (Hirshleifer 1989; Skaperdas 1996). The ratio form (Tullock 1980) states that

$$p_i = \frac{(T_i^1)^{m_i} + \cdots + (T_i^m)^{m_i}}{t_i^{m_i} + (T_i^1)^{m_i} + \cdots + (T_i^m)^{m_i}} = \frac{\sum_{j=1}^{m} (T_i^j)^{m_i}}{t_i^{m_i} + \sum_{j=1}^{m} (T_i^j)^{m_i}} \tag{2}$$

where $m_i$ is a decisiveness parameter that expresses the intensity of the contest over target $i$.$^{6}$ At the limit, with infinitely much defensive investment, and finite offensive investment, the target is 100% reliable and $p_i = 0$. The same result follows with finite defensive investment and zero offensive investment. At the other limit, with infinitely much offensive investment, and finite defensive investment, the target is 0% reliable and $p_i = 1$. The same result follows with finite offensive investment and zero defensive investment.

Figure 1 illustrates how, for $T_i^j = T_i$ held fixed for one single attacker, the probability $p_i$ responds to changes in the investment $t_i$ for the defender. The sensitivity of $p_i$ to $t_i$ increases as the decisiveness parameter $m_i$ increases. When $m_i = 0$, the investments $t_i$ and $T_i$ have equal impact on the reliability regardless of their size which gives 50% reliability, $p_i = 1/2$.$^{7}$ $0 < m_i < 1$ gives a disproportional advantage of investing less than one’s opponent. When $m_i = 1$, the investments have proportional impact on the reliability. $m_i > 1$ gives a disproportional advantage of investing more than one’s opponent. This is often realistic in praxis, as evidenced by benefits from economies of scale. Finally, $m_i = \infty$ gives a step function where ‘winner-takes-all’. This means that the defender suffers probability one when $t_i$ is marginally smaller than $T_i$, and enjoys probability zero when $t_i$ is marginally larger than $T_i$.

The difference (logit) form contest success function states that

$$p_i = \frac{\mathrm{Exp}[r_i T_i^1] + \cdots + \mathrm{Exp}[r_i T_i^m]}{\mathrm{Exp}[r_i t_i] + \mathrm{Exp}[r_i T_i^1] + \cdots + \mathrm{Exp}[r_i T_i^m]} = \frac{\sum_{j=1}^{m} \mathrm{Exp}[r_i T_i^j]}{\mathrm{Exp}[r_i t_i] + \sum_{j=1}^{m} \mathrm{Exp}[r_i T_i^j]} = \frac{1}{1 + \mathrm{Exp}\left[r_i\left(t_i - \sum_{j=1}^{m} T_i^j\right)\right]} \tag{3}$$

where $r_i$ is a mass effect parameter for target $i$. The successful attack probability is strictly less than one also when the defender invests zero, $t_i = 0$, as illustrated in Figure 2. If the defender invests zero, then it is not always realistic that the defender loses the target when the attackers invest a finite, and possibly arbitrarily small, amount, as the ratio form suggests. With the difference form, some targets may enjoy attack probability less than one even without defence investment. This is possible for targets that are technologically designed in a hardened manner, or when the attackers are less than fully alert and determined. Hirshleifer (1989) provides examples for when the difference form is realistic.$^{8}$

Both the ratio and difference forms assume that if the defender invests infinitely much, whereas the attackers invest finite amounts, then the successful attack probability equals zero. This is not always realistic, especially for targets that need to be available and accessible in order to be operational. Investing infinitely much to defend an information set within cyber security does not make it 100% secure as it needs to be available and accessible, which makes it vulnerable for attack (Hausken 2006b). A target such as a television station cannot be made 100% secure even with infinite defence investment since employees and others move in and out of the station, and as communication links with the outside world cannot be blocked. The following contest success function accounts for this

$$p_i = a_i \frac{\sum_{j=1}^{m} \mathrm{Exp}[r_i T_i^j]}{1 + \sum_{j=1}^{m} \mathrm{Exp}[r_i T_i^j]} + (1 - a_i) \frac{\sum_{j=1}^{m} \mathrm{Exp}[r_i T_i^j]}{\mathrm{Exp}[r_i t_i] + \sum_{j=1}^{m} \mathrm{Exp}[r_i T_i^j]} \tag{4}$$

where $0 \le a_i < 1$. With zero defence investment $t_i = 0$, (3) and (4) are equivalent regardless of $a_i$. With infinite defence investment $t_i = \infty$, (3) gives $p_i = 0$, whereas (4) gives a fraction $a_i$ of the probability that occurs with zero investment since the second term vanishes.

Figure 1. Ratio form: successful attack probability $p_i$ as a function of the investment $t_i$ for various $m_i$ when $T_i = 1$.

Figure 2. Difference form: successful attack probability $p_i$ as a function of the investment $t_i$ for various $r_i$ when $T_i = 1$.
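The contest success functions (2), (3) and (4) can be compared numerically, including the floor that (4) places on what any defence investment can achieve. The following Python sketch is an added example, not code from the paper; the function names, the log-space evaluation and the bisection helper `defence_for_target` are assumptions of the example, and (3) is evaluated in its sum-of-exponentials form.

```python
import math


def ratio_csf(t, attacks, m):
    """Eq. (2): ratio (Tullock) form. `attacks` holds T_i^1..T_i^m, `m` is m_i."""
    attack = sum(T ** m for T in attacks)
    defence = t ** m
    if attack + defence == 0:
        return 0.0  # assumption of this example: nobody invests, no successful attack
    return attack / (defence + attack)


def _log_sum_exp(values):
    """log(sum(exp(v))) evaluated without overflow."""
    top = max(values)
    return top + math.log(sum(math.exp(v - top) for v in values))


def _attack_share(log_attack, log_defence):
    """S / (D + S) from log S and log D; tends to 0 as D grows without bound."""
    gap = log_defence - log_attack
    return 0.0 if gap > 700 else 1.0 / (1.0 + math.exp(gap))


def difference_csf(t, attacks, r):
    """Eq. (3) as sum_j Exp[r T^j] / (Exp[r t] + sum_j Exp[r T^j])."""
    return _attack_share(_log_sum_exp([r * T for T in attacks]), r * t)


def accessible_csf(t, attacks, r, a):
    """Eq. (4): a share `a` of the zero-defence probability survives any defence."""
    if not 0 <= a < 1:
        raise ValueError("eq. (4) requires 0 <= a < 1")
    log_attack = _log_sum_exp([r * T for T in attacks])
    floor_term = _attack_share(log_attack, 0.0)      # denominator 1 + sum Exp[...]
    contest_term = _attack_share(log_attack, r * t)  # identical to eq. (3)
    return a * floor_term + (1 - a) * contest_term


def defence_for_target(p_max, attacks, r, a):
    """Smallest t with accessible_csf(t) <= p_max, or None if no t achieves it.

    Assumes r > 0, so that p_i is strictly decreasing in t.
    """
    floor = accessible_csf(math.inf, attacks, r, a)
    if p_max <= floor:
        return None  # below a_i times the zero-defence probability: unreachable
    if accessible_csf(0.0, attacks, r, a) <= p_max:
        return 0.0
    lo, hi = 0.0, 1.0
    while accessible_csf(hi, attacks, r, a) > p_max:
        lo, hi = hi, hi * 2
    for _ in range(200):  # bisection on the monotone function
        mid = (lo + hi) / 2
        if accessible_csf(mid, attacks, r, a) > p_max:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # Constructed values: one attacker with T = 1, as in Figures 1 and 2.
    for t in (0.0, 0.5, 1.0, 2.0, 10.0):
        print(t,
              round(ratio_csf(t, [1.0], 1), 3),
              round(difference_csf(t, [1.0], 1.0), 3),
              round(accessible_csf(t, [1.0], 1.0, 0.3), 3))
    print(defence_for_target(0.1, [1.0], 1.0, 0.3))  # None: the floor is about 0.219
```
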

7. Systems with targets that are in parallel, in series, interlinked, interdependent and independent

7.1. Targets in parallel

A system of $n$ parallel targets functions if at least one target functions. An example is two telecommunication lines which can both deliver the required function. The expected damage for target $i$ for the defender is $v_i p_i$, which decreases in $t_i$. Further, the investment expenditure is $f_i$, which increases in $t_i$. The expected damage if the system is disabled is $v$, which occurs with probability $p_1 p_2 \cdots p_n$. As suggested by Bier et al. (2005), the defender’s expected damage $d$ and utility $u$ are

$$d = \sum_{i=1}^{n} v_i p_i + v \prod_{i=1}^{n} p_i, \qquad u = -\left(\sum_{i=1}^{n} v_i p_i + v \prod_{i=1}^{n} p_i\right) - \sum_{i=1}^{n} f_i \tag{5}$$

The defender maximises his utility $u$. The first order condition for target $i$ is $\partial u/\partial t_i = 0$, which gives $n$ first order conditions to determine the $n$ investments $t_1, t_2, \ldots, t_n$. The reasoning for attacker $j$, $j = 1, \ldots, m$, is analogous, but the valuations for target $i$ and the system are $V_i^j$ and $V^j$, respectively. The expected damage $D^j$ and utility $U^j$ for attacker $j$ are

$$D^j = \sum_{i=1}^{n} V_i^j p_i + V^j \prod_{i=1}^{n} p_i, \qquad U^j = \sum_{i=1}^{n} V_i^j p_i + V^j \prod_{i=1}^{n} p_i - \sum_{i=1}^{n} F_i^j \tag{6}$$

Attacker $j$ maximises his utility $U^j$. The first order condition for target $i$ is $\partial U^j/\partial T_i^j = 0$, which gives $n$ first order conditions to determine the $n$ investments $T_1^j, T_2^j, \ldots, T_n^j$, which gives $nm$ first order conditions for the $m$ attackers. The value $v_i$ may well differ substantially from $V_i^j$, which may again differ substantially across the $m$ attackers. Analogously, $v$ may differ from $V^j$, which may differ across the attackers. The optimisation programme in (5) and (6) is coupled or linked through the probability $p_i$ of a successful attack on target $i$, which depends on the investments $t_i$ and $T_i^j$, $i = 1, \ldots, n$, $j = 1, \ldots, m$ as specified in Section 5. This gives $n(m+1)$ first order conditions when there are no constraints on the investments.

With investment constraints, assume that the defender has a resource $r$ and attacker $j$ a resource $R^j$. The utilities in (5) and (6) then become

$$u = -\left(\sum_{i=1}^{n} v_i p_i + v \prod_{i=1}^{n} p_i\right) - r, \quad r = \sum_{i=1}^{n} f_i, \qquad U^j = \sum_{i=1}^{n} V_i^j p_i + V^j \prod_{i=1}^{n} p_i - R^j, \quad R^j = \sum_{i=1}^{n} F_i^j \tag{7}$$

where each agent has $n-1$ first order conditions, and the $n$-th investment follows from the other $n-1$ investments using the resource constraints in (7).

7.2. Targets in series

A system with $n$ targets in series functions if all targets function. An example is a transmission line with many parts, each of which can block the transmission. As argued by Bier et al. (2005, 2006), if the attacker is limited to a single attack on a single target, then the defender’s focus should be on the highest value across the $n$ targets, as evaluated by the attacker. If the defender were to equalise losses across targets according to his own perspective, then he might waste money defending targets that the attacker has limited interest in. The defender’s objective function equalises the attacker’s valuations because it is the most cost-effective way to achieve his own goals. Making all targets equally desirable to the attacker is thus the correct strategy. The intuition is the same in mixed equilibrium strategy calculations in game theory where one player randomises to make the other player indifferent in his randomising. A target may have a high $(V^j + V_i^j) p_i$ because it is highly valuable to attacker $j$ (high $V^j + V_i^j$), or because the attack probability $p_i$ for that target is high. Investing to defend another target makes no difference unless target $i$ has been sufficiently well defended through reducing $p_i$. In other words, the defender should adjust $t_1, t_2, \ldots, t_n$ to make the expected damage from an attack on each target equal to each other, as assessed by the attacker. With $m$ attackers, the defender identifies for each target which attacker has the highest $(V^j + V_i^j) p_i$. Once these highest $n$ values have been determined, the defender invests to make these values equal to each other. This does not mean that each target is made equally desirable for each attacker. Instead, it means that the defender invests so that the attacker most interested in a given target places the same value on this target as any of the $m$ attackers most interested in any other target places on this other target. This gives the defender’s expected damage and utility$^{9}$

$$d = \max_{\substack{i=1,\ldots,n \\ j=1,\ldots,m}} \left[(V^j + V_i^j)\, p_i\right], \qquad u = -\max_{\substack{i=1,\ldots,n \\ j=1,\ldots,m}} \left[(V^j + V_i^j)\, p_i\right] - \sum_{i=1}^{n} f_i \tag{8}$$

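The expected damage and utility for attacker $j$ is

$$D^j = \max_{i=1,\ldots,n} \left[(V^j + V_i^j)\, p_i\right], \qquad U^j = \max_{i=1,\ldots,n} \left[(V^j + V_i^j)\, p_i\right] - \sum_{i=1}^{n} F_i^j \tag{9}$$

With investment constraints, and resource $r$ for the defender and $R^j$ for attacker $j$, the utilities in (8) and (9) become

$$u = -\max_{\substack{i=1,\ldots,n \\ j=1,\ldots,m}} \left[(V^j + V_i^j)\, p_i\right] - r, \quad r = \sum_{i=1}^{n} f_i, \qquad U^j = \max_{i=1,\ldots,n} \left[(V^j + V_i^j)\, p_i\right] - R^j, \quad R^j = \sum_{i=1}^{n} F_i^j \tag{10}$$

where each agent has $n-1$ first order conditions.

If the attacker can attack each target once, then the defender’s expected damage and utility is

$$d = \sum_{i=1}^{n} v_i p_i + v\left(1 - \prod_{i=1}^{n} (1 - p_i)\right), \qquad u = -\sum_{i=1}^{n} v_i p_i - v\left(1 - \prod_{i=1}^{n} (1 - p_i)\right) - \sum_{i=1}^{n} f_i \tag{11}$$

The expected damage and utility for attacker $j$ is

$$D^j = \sum_{i=1}^{n} V_i^j p_i + V^j\left(1 - \prod_{i=1}^{n} (1 - p_i)\right), \qquad U^j = \sum_{i=1}^{n} V_i^j p_i + V^j\left(1 - \prod_{i=1}^{n} (1 - p_i)\right) - \sum_{i=1}^{n} F_i^j \tag{12}$$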
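The equalisation argument for a series system under a single attack can be made concrete. The following Python sketch is an added example, not code from the paper: it holds the attack investments $T_i^j$ fixed, assumes the ratio form (2) with one decisiveness parameter for all targets and linear costs $f_i = c_i t_i$, and finds by bisection the budget-constrained defence that minimises the maximum in (8). All function names and sample values are constructed for the illustration.

```python
def target_appeal(system_values, target_values):
    """max_j (V^j + V_i^j) for each target i: the most interested attacker's valuation."""
    return [max(V + Vi for V, Vi in zip(system_values, row)) for row in target_values]


def attack_pressure(attacks, m):
    """sum_j (T_i^j)^m for each target i, the attack side of eq. (2)."""
    return [sum(T ** m for T in row) for row in attacks]


def attacker_view(t, system_values, target_values, attacks, m):
    """(V^j + V_i^j) p_i per target, as assessed by the attacker who values it most."""
    appeal = target_appeal(system_values, target_values)
    pressure = attack_pressure(attacks, m)
    return [A * S / (ti ** m + S) if S > 0 else 0.0
            for A, S, ti in zip(appeal, pressure, t)]


def equalising_defence(system_values, target_values, attacks, m, unit_costs, budget):
    """Defence t minimising the maximum in eq. (8) subject to sum_i c_i t_i <= budget.

    system_values[j]     V^j    value of the whole system to attacker j
    target_values[i][j]  V_i^j  value of target i to attacker j
    attacks[i][j]        T_i^j  attack investments, held fixed (assumption)
    m                    decisiveness m_i > 0, equal across targets (assumption)
    Returns (t, level), where `level` is the equalised expected damage.
    """
    appeal = target_appeal(system_values, target_values)
    pressure = attack_pressure(attacks, m)

    def plan(level):
        # Smallest t_i with appeal_i * p_i <= level; zero where the target is
        # already below the level, so no budget is spent on it.
        return [(S * (A / level - 1)) ** (1 / m) if A > level else 0.0
                for A, S in zip(appeal, pressure)]

    def cost(level):
        return sum(c * ti for c, ti in zip(unit_costs, plan(level)))

    lo, hi = 0.0, max(appeal)  # at hi no defence is needed, so the cost is zero
    for _ in range(200):       # cost(level) falls as level rises: bisect on level
        mid = (lo + hi) / 2
        if cost(mid) > budget:
            lo = mid
        else:
            hi = mid
    return plan(hi), hi


# Constructed sample: three targets in series, two attackers.
SYSTEM_VALUES = [10.0, 4.0]                           # V^1, V^2
TARGET_VALUES = [[5.0, 20.0], [2.0, 1.0], [30.0, 3.0]]  # V_i^j
ATTACKS = [[1.0, 1.0], [1.0, 1.0], [1.0, 1.0]]        # T_i^j
UNIT_COSTS = [1.0, 1.0, 1.0]                          # c_i

if __name__ == "__main__":
    t, level = equalising_defence(SYSTEM_VALUES, TARGET_VALUES, ATTACKS, 1, UNIT_COSTS, 4.0)
    print("defence:", [round(x, 3) for x in t], "level:", round(level, 3))
    print("equalised:", attacker_view(t, SYSTEM_VALUES, TARGET_VALUES, ATTACKS, 1))
    print("equal split:", attacker_view([4 / 3] * 3, SYSTEM_VALUES, TARGET_VALUES, ATTACKS, 1))
```

With these constructed values the second target receives no defence because even undefended it is less attractive to every attacker than the equalised level of the other two.
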

7.3. Interlinked targets

Some targets are interlinked in manners that are neither fully in parallel nor fully in series. Consider a military force consisting of three targets which are an army, a navy and an air force. If the army is 100% eliminated through a successful attack, then the military force becomes less operational, but not non-operational. The capacity for ground manoeuvres is reduced, which can be partly compensated for by more heavy bombardment and employment of helicopters by the air force, or retraining of the navy to carry out army operations. If the military force had been a fully parallel system, then eliminating the army would not reduce the operability of the military force. Conversely, if the military force had been a fully series system, then eliminating the army would eliminate the operability. Various sufficiently complex combinations of serial and parallel links do not seem to describe the example. For example, consider three serial components, where each component is a parallel system with an army, a navy, and an air force. If the army is eliminated, then the military force still operates as effectively as before. The difference is that each component then has two instead of three parallel links, which reduces the reliability.

Conventional reliability theory refers to such systems as degraded systems. One example is Ebeling’s (1997, pp. 117–118) Markov analysis of a one-component system which can be in one of three states, that is, operational, degraded or failed. Generalisation to more than one component quickly becomes complex.$^{10}$ For systems which cannot be described as combined series/parallel systems, there is a need to venture outside reliability theory to explore alternative methods of analysing such systems. One tentative step towards handling such systems is to define the objective function for the defender as a weighted sum of the damage of various combined series/parallel systems. One example is a weighted sum of the damage for a parallel system and a series system, that is,

$$u = -\left( a\left[\sum_{i=1}^{n} v_i p_i + v \prod_{i=1}^{n} p_i\right] + (1 - a)\left[\max_{\substack{i=1,\ldots,n \\ j=1,\ldots,m}} \left[(V^j + V_i^j)\, p_i\right]\right] \right) - \sum_{i=1}^{n} f_i \tag{13}$$

where $0 \le a \le 1$. The system is a parallel system when $a = 1$, a series system when $a = 0$, and otherwise a hybrid interlinked system. The problem with (13) from the viewpoint of reliability theory is that it does not refer to a specific underlying system structure, but to a weighted combination of two possible structures. An alternative to (13) is to design an arbitrarily complex series/parallel system which somehow captures the logic of an army, a navy, and an air force. But it is unclear which system captures that logic, and unclear whether an army, a navy and an air force can be represented as a series/parallel system. Equation (13) does not mean that the defender is uncertain about the system structure. We assume an objectively existing world. Instead, it suggests that the phenomenon cannot be captured as a series/parallel system. Although (13) is not a real physical system, it may be an empirical approximation, where the weight $a$ is determined empirically. Work is required to characterise where on the spectrum between series and parallel systems the behaviour of systems with intermediate series/parallel structure lies.

However uncommon (13) may look, it is reminiscent of functions used in production and consumption theories. There are multiple inputs, and tradeoffs are made between these to maximise production or consumption. One example is the Cobb–Douglas function $y = x_1^{\alpha} x_2^{1-\alpha}$, where $x_1$ and $x_2$ are inputs, and $0 < \alpha < 1$. This would have been a series system if $\alpha = 1/2$, but $\alpha \ne 1/2$ gives unequal weight to the two inputs. If $x_1$ is steak and $x_2$ is potatoes, measured in weight, then $\alpha$ allows giving different weights to steak and potatoes in one’s design of the optimal dinner. Adapting the Cobb–Douglas function to our analysis, one possibility is

$$u = -\left((v_1 p_1)^{\alpha} (v_2 p_2)^{1-\alpha} + v p_1 p_2\right) - \sum_{i=1}^{n} f_i \tag{14}$$

Another possibility is

$$u = -\left(((v + v_1)\, p_1)^{\alpha} ((v + v_2)\, p_2)^{1-\alpha}\right) - \sum_{i=1}^{n} f_i \tag{15}$$

Although (14) and (15) are common in economics, with adequate empirical support (Cobb and Douglas 1928), these are neither a 100% series system nor a 100% parallel system. We think that neither (14) nor (15) on the one hand, or a classical series/parallel system on the other hand, can be considered as more foundational in a philosophical sense. Engineers and economists think differently here, and there seems to be incompatibility between the domains.

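Another function used in production and consumption theories is the constant elasticity of substitution (CES) function $y = [\alpha x_1^{\beta} + (1 - \alpha) x_2^{\beta}]^{1/\beta}$, where $0 < \alpha < 1$, $\beta = (\sigma - 1)/\sigma$, and $\sigma$ is the elasticity of substitution. This function is never a 100% series system since $y$ does not equal zero if one of the inputs $x_1$ or $x_2$ is zero. However, neither is the system a 100% parallel system since reducing either $x_1$ or $x_2$ reduces $y$. Adapting the constant elasticity of substitution function to our analysis, three possibilities are as follows:

$$u = -\left(\sum_{i=1}^{n} \alpha_i (v_i p_i)^{\beta} + v \prod_{i=1}^{n} p_i\right)^{1/\beta} - \sum_{i=1}^{n} f_i, \qquad \alpha_n = 1 - \sum_{i=1}^{n-1} \alpha_i \tag{16}$$

$$u = -\left(\left(\sum_{i=1}^{n} \alpha_i (v_i p_i)^{\beta}\right)^{1/\beta} + v \prod_{i=1}^{n} p_i\right) - \sum_{i=1}^{n} f_i, \qquad \alpha_n = 1 - \sum_{i=1}^{n-1} \alpha_i \tag{17}$$

$$u = -\left(\sum_{i=1}^{n} \alpha_i ((v + v_i)\, p_i)^{\beta}\right)^{1/\beta} - \sum_{i=1}^{n} f_i, \qquad \alpha_n = 1 - \sum_{i=1}^{n-1} \alpha_i \tag{18}$$

Analogously to (13), the expected utility for attacker $j$ is

$$U^j = a\left[\sum_{i=1}^{n} V_i^j p_i + V^j \prod_{i=1}^{n} p_i\right] + (1 - a)\left[\max_{i=1,\ldots,n} \left[(v + v_i)\, p_i\right]\right] - \sum_{i=1}^{n} F_i^j \tag{19}$$

which attacker $j$ maximises. Analogues to (14)–(18) are straightforward to set up for attacker $j$.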

7.4. Interdependent targets

Interdependent systems are systems where the defence of one target impacts other targets, and where the attack on one target usually also impacts other targets. Examples occur within the airline industry, computer networks, fire protection, theft protection, bankruptcy protection, vaccinations. Such systems have been analysed by Kunreuther and Heal (2003). Zhuang, Bier, and Gupta (2007) explore the effects of heterogeneous discount rates on the optimal defensive strategy in such systems. Hausken (2006a) finds that with increasing interdependence, each defending agent free rides by investing less, and suffers lower profit, while the attacker enjoys higher profit. Kunreuther and Heal (2003, p. 232) illustrate

‘by reference to an airline that is determining whether to install a baggage checking system voluntarily. In making this decision it needs to balance the cost of installing and operating such a system with the reduction in the risk of an explosion from a piece of luggage not only from the passengers who check in with it, but also from the bags of passengers who check in on other airlines and then transfer to it.’

Each airline prefers all airlines to install baggage checking systems, but there is a free-rider dilemma. For cyber security, Hausken (2006a) states that

‘When firms are interconnected on a common platform or network such as in a supply chain where upstream suppliers are connected via Electronic Data Interchanges (EDI) to downstream manufacturers or retailers (which is an example of interdependent security), a security vulnerability in either the upstream or downstream firm can also impact the other firms. Consider the following scenario. Firm j is breached by a group of hackers and since firm i is connected to firm j through a common network (e.g., a virtual private network) it is also susceptible to a breach through the network. Now if firm i has invested in the best anti-intrusion technologies (for simplicity let us imagine installation of the most expensive firewalls at the edges – routers and switches), it is less likely to be hacked. Thus, the probability that firm i gets breached because its security risks are interdependent with firm j is likely to be dependent on the security investments made by both itself and the rival firm. Further the extent of the indirect attack would also depend on how closely connected the two firms are.’

The expected damage and utility for the defender of a system of $n$ interdependent targets are

$$d = \sum_{i=1}^{n} v_i p_i, \qquad u = -\sum_{i=1}^{n} (v_i p_i + f_i) \tag{20}$$

The expected damage and utility for attacker $j$ are

$$D^j = \sum_{i=1}^{n} V_i^j p_i, \qquad U^j = \sum_{i=1}^{n} (V_i^j p_i - F_i^j) \tag{21}$$

To account for the interdependence, the probability $p_i$ of a successful attack on target $i$ has to be generalised beyond that of Section 6. The ratio form in (2) generalises to

$$p_i = \frac{\sum_{k=1}^{n} \alpha_{ik} \sum_{j=1}^{m} (T_k^j)^{m_k}}{\sum_{k=1}^{n} \alpha_{ik} \left(t_k^{m_k} + \sum_{j=1}^{m} (T_k^j)^{m_k}\right)}, \qquad \alpha_{ik} = 1 \text{ when } i = k, \quad -1 \le \alpha_{ik} \le 1 \text{ when } i \ne k \tag{22}$$

where $\alpha_{ik}$ expresses the interdependence between target $i$ and target $k$ and $0 \le p_i \le 1$. As $\alpha_{ik} = 1$ when $i = k$, the defender’s defence $t_k^{m_k}$ and attacker $j$’s attack $(T_k^j)^{m_k}$ have full impact for target $i$. Consider target $k$, where $k \ne i$, and assume that $\alpha_{ik}$ is a number between zero and one. Because of the interdependence, attacker $j$’s attack $(T_k^j)^{m_k}$ on target $k$ gets transferred further, with weight $\alpha_{ik}$, to an attack on target $i$. Analogously, the defender’s defence $t_k^{m_k}$ of target $k$ counteracts the attack on target $k$, and counteracts with weight $\alpha_{ik}$ the extent to which that attack gets transferred further to target $i$. The interdependence may also be negative, with a minimum value of $-1$ (Hausken 2007). For example, one firm’s increase in security investment can redirect the agent’s attack to the other firm and therefore reduce the other firm’s contest success.

Analogously, the difference form in (3) generalises to

$$p_i = \frac{\sum_{k=1}^{n} \alpha_{ik} \sum_{j=1}^{m} \mathrm{Exp}[r_k T_k^j]}{\sum_{k=1}^{n} \alpha_{ik} \left(\mathrm{Exp}[r_k t_k] + \sum_{j=1}^{m} \mathrm{Exp}[r_k T_k^j]\right)}, \qquad \alpha_{ik} = 1 \text{ when } i = k, \quad -1 \le \alpha_{ik} \le 1 \text{ when } i \ne k \tag{23}$$

Without interdependence, that is, $\alpha_{ik} = 0$ for all $i \ne k$, (22) and (23) simplify to (2) and (3), respectively.
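Equation (22) can be evaluated directly for the interconnected-firm scenario quoted above, to show how a weakly defended neighbour raises a well-defended target's attack probability and how defending the neighbour spills back. The following Python sketch is an added example, not code from the paper; the function names, the interdependence matrix and the investment values are constructed, and the stated condition $0 \le p_i \le 1$ is enforced as input validation.

```python
def interdependent_ratio_csf(alpha, t, attacks, m):
    """Eq. (22): successful-attack probability for every target i.

    alpha[i][k]    interdependence between targets i and k (1 on the diagonal)
    t[k]           defence investment t_k
    attacks[k][j]  attack investment T_k^j of attacker j on target k
    m[k]           decisiveness m_k of the contest over target k
    """
    n = len(t)
    attack = [sum(T ** m[k] for T in attacks[k]) for k in range(n)]
    contest = [t[k] ** m[k] + attack[k] for k in range(n)]
    probs = []
    for i in range(n):
        if alpha[i][i] != 1:
            raise ValueError("alpha_ii must equal 1")
        if any(not -1 <= a_ik <= 1 for a_ik in alpha[i]):
            raise ValueError("alpha_ik must lie in [-1, 1]")
        numerator = sum(alpha[i][k] * attack[k] for k in range(n))
        denominator = sum(alpha[i][k] * contest[k] for k in range(n))
        if denominator <= 0 or not 0 <= numerator / denominator <= 1:
            raise ValueError("parameters violate 0 <= p_i <= 1 for target %d" % i)
        probs.append(numerator / denominator)
    return probs


def spillover(alpha, t, attacks, m, k, extra):
    """Change in every p_i when the defence of target k is raised by `extra`."""
    before = interdependent_ratio_csf(alpha, t, attacks, m)
    raised = list(t)
    raised[k] += extra
    after = interdependent_ratio_csf(alpha, raised, attacks, m)
    return [a - b for a, b in zip(after, before)]


# Constructed sample: firms 0 and 1 share a network (alpha = 0.5), firm 2 is isolated.
ALPHA = [[1, 0.5, 0],
         [0.5, 1, 0],
         [0, 0, 1]]
NO_LINKS = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
DEFENCE = [2.0, 0.5, 1.0]          # t_k: firm 0 invests heavily, firm 1 lightly
ATTACKS = [[1.0], [1.0], [1.0]]    # one attacker, T_k = 1 on every target
DECISIVENESS = [1, 1, 1]           # m_k

if __name__ == "__main__":
    print("independent:   ", interdependent_ratio_csf(NO_LINKS, DEFENCE, ATTACKS, DECISIVENESS))
    print("interdependent:", interdependent_ratio_csf(ALPHA, DEFENCE, ATTACKS, DECISIVENESS))
    print("firm 1 adds 1.0:", spillover(ALPHA, DEFENCE, ATTACKS, DECISIVENESS, 1, 1.0))
```

In the constructed case firm 0's probability rises from 1/3 to 0.4 because of its link to firm 1, while firm 1 falls from 2/3 to 0.5 by benefiting from firm 0's investment, which is the free-riding incentive the text describes.
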

7.5. Independent targets

Independent targets have no connection with other targets. Examples are geographically remote targets which are self-sufficient with no external impact, or a country’s interests of various kinds abroad. Independent targets are less common in today’s interconnected and complex world, but they are theoretically possible, and targets which are almost independent may be approximated with independent targets. The expected damage and utility for the defender are

$$d = \sum_{i=1}^{n} v_i p_i, \qquad u = -\sum_{i=1}^{n} (v_i p_i + f_i) \tag{24}$$

The expected damage and utility for attacker $j$ are

$$D^j = \sum_{i=1}^{n} V_i^j p_i, \qquad U^j = \sum_{i=1}^{n} (V_i^j p_i - F_i^j) \tag{25}$$

7.6. Multi-use systems$^{11}$

Examples of ‘multi-use’ systems are various transportation systems, consumption systems or the Internet. Two links may be perceived as being in series for someone trying to go from one point to another, but in parallel for someone trying to go through one of the points to a third point. In consumption, two components may be perceived as strategic complements by some consumers, and strategic substitutes for other consumers. That is, one consumer may require both of two components in order to function (series system), whereas another consumer may function based on any one of the components in sufficient abundance (parallel system). Assume $N$ users and assign weight $w_i$ to user $i$, which expresses how important user $i$ is for the defender of the multi-use system, $\sum_{i=1}^{N} w_i = 1$. If user $i$, $i = 1, \ldots, M$ perceives a series system of two components A and B, the system is defended for user $i$ as if it is a series system. Assume that this gives the optimal defence $t_A^s$ for component A and $t_B^s$ for component B. If user $j$, $j = M+1, \ldots, N$ perceives a parallel system of the two components A and B, the system is defended for user $j$ as if it is a parallel system. Assume that this gives the optimal defence $t_A^p$ for component A and $t_B^p$ for component B. The two components then get defences

$$t_A = M t_A^s \sum_{i=1}^{M} w_i + (N - M)\, t_A^p \sum_{i=M+1}^{N} w_i, \qquad t_B = M t_B^s \sum_{i=1}^{M} w_i + (N - M)\, t_B^p \sum_{i=M+1}^{N} w_i \tag{26}$$

which may be rephrased as the weighted sum in (13).

8. An example

Many empirical challenges are involved in determining the makeup of an infrastructure. Assume that thorough analysis has given the system in Figure 3. To determine the expected damage and utility for the defender, let us start with the parallel and series system. Using (5), the parallel targets 2 and 3 have an expected damage:

$$d_{23} = v_2 p_2 + v_3 p_3 + v_{23}\, p_2 p_3 \tag{27}$$

where subscript ‘23’ refers to targets 2 and 3, so that $v_{23}$ is the damage if both targets 2 and 3 are disabled. Joining in target 1, which is in series with 2 and 3 in parallel, and using (8), the expected damage of targets 1–3 is

$$d_{123} = \max\left[(V_{123} + V_1)\, p_1,\; D_{23}\right] \tag{28}$$

where subscript ‘123’ refers to targets 1, 2, 3, and where $D_{23}$ is determined below. Joining in target 4 in parallel, using (5), gives the expected damage

$$d_{1234} = d_{123} + v_4 p_4 + v_{1234}\, p_4\, p_1 \left[1 - (1 - p_2)(1 - p_3)\right] \tag{29}$$

where $p_1[1 - (1 - p_2)(1 - p_3)]$ is the probability of a successful attack on targets 1, 2, 3. Joining in target 5 in series, and using (8), the expected damage of targets 1–5 is

$$d_{12345} = \max\left[(V_{12345} + V_5)\, p_5,\; D_{1234}\right] \tag{30}$$

where $D_{1234}$ is determined below. Targets 6 and 7 are interlinked. Using (13), the expected damage to the defender is

$$d_{67} = a\left[v_6 p_6 + v_7 p_7 + v_{67}\, p_6 p_7\right] + (1 - a)\left[\max\left[(V_{67} + V_6)\, p_6,\; (V_{67} + V_7)\, p_7\right]\right] \tag{31}$$

For targets 1–7 and 11 the contest success functions in Section 6 determine the probability $p_i$ of a successful attack on target $i$. Assume one attacker so that $m = 1$, and suppress the superscript $j$ in the attacker notation. Using (2) and (3) for targets 1–7 and 11, the success probability is

$$
p_i^r = \frac{T_i^{m_i}}{t_i^{m_i} + T_i^{m_i}}, \qquad
p_i^d = \frac{\mathrm{Exp}[r_i T_i]}{\mathrm{Exp}[r_i t_i] + \mathrm{Exp}[r_i T_i]}, \qquad i = 1, \ldots, 7, 11
\tag{32}
$$

where superscripts $r$ and $d$ on $p_i$ refer to the ratio form and difference form, respectively.

Targets 8–10 are interdependent. Using (20), the expected damage for the defender is

$$ d_{89,10} = v_8 p_8 + v_9 p_9 + v_{10} p_{10} \tag{33} $$

where the comma in the subscript is used to distinguish ‘10’ from ‘8’ and ‘9’. To determine the probability $p_i$ accounting for the interdependence, the ratio form in (22) gives

$$
\begin{aligned}
p_8^r &= \frac{T_8^{m_8} + \text{�}_{89} T_9^{m_9} + \text{�}_{8,10} T_{10}^{m_{10}}}{t_8^{m_8} + T_8^{m_8} + \text{�}_{89}\,(t_9^{m_9} + T_9^{m_9}) + \text{�}_{8,10}\,(t_{10}^{m_{10}} + T_{10}^{m_{10}})}, \\
p_9^r &= \frac{\text{�}_{98} T_8^{m_8} + T_9^{m_9} + \text{�}_{9,10} T_{10}^{m_{10}}}{\text{�}_{98}\,(t_8^{m_8} + T_8^{m_8}) + t_9^{m_9} + T_9^{m_9} + \text{�}_{9,10}\,(t_{10}^{m_{10}} + T_{10}^{m_{10}})}, \\
p_{10}^r &= \frac{\text{�}_{10,8} T_8^{m_8} + \text{�}_{10,9} T_9^{m_9} + T_{10}^{m_{10}}}{\text{�}_{10,8}\,(t_8^{m_8} + T_8^{m_8}) + \text{�}_{10,9}\,(t_9^{m_9} + T_9^{m_9}) + t_{10}^{m_{10}} + T_{10}^{m_{10}}}
\end{aligned}
\tag{34}
$$

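and the difference form in (23) gives

$$
\begin{aligned}
p_8^d &= \frac{\mathrm{Exp}[r_8 T_8] + \text{�}_{89}\,\mathrm{Exp}[r_9 T_9] + \text{�}_{8,10}\,\mathrm{Exp}[r_{10} T_{10}]}{\mathrm{Exp}[r_8 t_8] + \mathrm{Exp}[r_8 T_8] + \text{�}_{89}\,(\mathrm{Exp}[r_9 t_9] + \mathrm{Exp}[r_9 T_9]) + \text{�}_{8,10}\,(\mathrm{Exp}[r_9 t_9] + \mathrm{Exp}[r_9 T_9])}, \\
p_9^d &= \frac{\text{�}_{98}\,\mathrm{Exp}[r_8 T_8] + \mathrm{Exp}[r_9 T_9] + \text{�}_{9,10}\,\mathrm{Exp}[r_{10} T_{10}]}{\text{�}_{98}\,(\mathrm{Exp}[r_8 t_8] + \mathrm{Exp}[r_8 T_8]) + \mathrm{Exp}[r_9 t_9] + \mathrm{Exp}[r_9 T_9] + \text{�}_{9,10}\,(\mathrm{Exp}[r_9 t_9] + \mathrm{Exp}[r_9 T_9])}, \\
p_{10}^d &= \frac{\text{�}_{10,8}\,\mathrm{Exp}[r_8 T_8] + \text{�}_{10,9}\,\mathrm{Exp}[r_9 T_9] + \mathrm{Exp}[r_{10} T_{10}]}{\text{�}_{10,8}\,(\mathrm{Exp}[r_8 t_8] + \mathrm{Exp}[r_8 T_8]) + \text{�}_{10,9}\,(\mathrm{Exp}[r_9 t_9] + \mathrm{Exp}[r_9 T_9]) + \mathrm{Exp}[r_9 t_9] + \mathrm{Exp}[r_9 T_9]}
\end{aligned}
\tag{35}
$$

Target 11 is independent. Using (24), the expected damage for the defender is

$$ d_{11} = v_{11} p_{11} \tag{36} $$

Summing up across the 11 targets gives the defender’s expected damage and utility

$$ d = d_{12345} + d_{67} + d_{89,10} + d_{11}, \qquad u = -d - \sum_{i=1}^{11} f_i \tag{37} $$

[Figure 3. Example of system with 11 targets. Panels: parallel and series subsystem (targets 1–5), interlinked subsystem (targets 6 and 7), interdependent subsystem (targets 8–10), independent subsystem (target 11).]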

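Proceeding to the attacker, the analogous equations are

$$ D_{23} = V_2 p_2 + V_3 p_3 + V_{23} p_2 p_3 \tag{38} $$

$$ D_{123} = \max[(V_{123} + V_1)\, p_1,\; D_{23}] \tag{39} $$

$$ D_{1234} = D_{123} + V_4 p_4 + V_{1234}\, p_4\, p_1 [1 - (1 - p_2)(1 - p_3)] \tag{40} $$

$$ D_{12345} = \max[(V_{12345} + V_5)\, p_5,\; D_{1234}] \tag{41} $$

$$ D_{67} = a\left[ V_6 p_6 + V_7 p_7 + V_{67} p_6 p_7 \right] + (1 - a)\left[ \max[(V_{67} + V_6)\, p_6,\; (V_{67} + V_7)\, p_7] \right] \tag{42} $$

$$ D_{89,10} = V_8 p_8 + V_9 p_9 + V_{10} p_{10} \tag{43} $$

$$ D_{11} = V_{11} p_{11} \tag{44} $$

$$ D = D_{12345} + D_{67} + D_{89,10} + D_{11}, \qquad U = D - \sum_{i=1}^{11} F_i \tag{45} $$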

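To illustrate a special case of (27)–(45), inserting $v_{23} = v_{1234} = v_{67} = V_{123} = V_{12345} = V_{67} = 0$, applying the ratio form with $m_i = 1$, and assuming interdependence one for components 8–10 expressed with setting all the �’s equal to one, gives the expected utilities

$$
\begin{aligned}
u = {} & -\max\left[ V_5 p_5,\; \max[V_1 p_1,\; V_2 p_2 + V_3 p_3] + V_4 p_4 \right] \\
& - \left( a\left[ v_6 p_6 + v_7 p_7 \right] + (1 - a)\left[ \max[V_6 p_6,\; V_7 p_7] \right] \right) \\
& - \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10}} - v_{11} p_{11} - \sum_{i=1}^{11} c_i t_i, \qquad p_i = \frac{T_i}{t_i + T_i}
\end{aligned}
\tag{46}
$$

for the defender and

$$
\begin{aligned}
U = {} & \max\left[ V_5 p_5,\; \max[V_1 p_1,\; V_2 p_2 + V_3 p_3] + V_4 p_4 \right] \\
& + a\left[ V_6 p_6 + V_7 p_7 \right] + (1 - a)\left[ \max[V_6 p_6,\; V_7 p_7] \right] \\
& + \frac{(V_8 + V_9 + V_{10})(T_8 + T_9 + T_{10})}{t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10}} + V_{11} p_{11} - \sum_{i=1}^{11} C_i T_i
\end{aligned}
\tag{47}
$$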

for the attacker. As two further simplifications, assume that component 5 is sufficiently more valuable than components 1–4 for the attacker, expressed with $V_5$ being large, and that component 6 is more valuable than component 7 for the attacker, expressed with $V_6 > V_7$. Inserting the expression for the contest success function, Equations (46) and (47) then become

$$
\begin{aligned}
u = {} & -\frac{V_5 T_5}{t_5 + T_5} - \left( a v_6 + (1 - a) V_6 \right) \frac{T_6}{t_6 + T_6} - \frac{a v_7 T_7}{t_7 + T_7} \\
& - \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10}} - \frac{v_{11} T_{11}}{t_{11} + T_{11}} - \sum_{i=1}^{11} c_i t_i, \\
U = {} & \frac{V_5 T_5}{t_5 + T_5} + V_6 \frac{T_6}{t_6 + T_6} + a V_7 \frac{T_7}{t_7 + T_7} \\
& + \frac{(V_8 + V_9 + V_{10})(T_8 + T_9 + T_{10})}{t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10}} + \frac{V_{11} T_{11}}{t_{11} + T_{11}} - \sum_{i=1}^{11} C_i T_i
\end{aligned}
\tag{48}
$$

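First, differentiating the utilities with respect to the free choice variables $t_i$ and $T_i$, $i = 1, 2, 3, 4$ gives $t_i = T_i = 0$ when $i = 1, 2, 3, 4$. Second, differentiating the utilities with respect to the remaining free choice variables gives the first order conditions:

$$
\begin{aligned}
\frac{\partial u}{\partial t_5} &= \frac{V_5 T_5}{(t_5 + T_5)^2} - c_5 = 0, &
\frac{\partial U}{\partial T_5} &= \frac{V_5 t_5}{(t_5 + T_5)^2} - C_5 = 0, \\
\frac{\partial u}{\partial t_6} &= \frac{[a(v_6 - V_6) + V_6]\, T_6}{(t_6 + T_6)^2} - c_6 = 0, &
\frac{\partial U}{\partial T_6} &= \frac{V_6 t_6}{(t_6 + T_6)^2} - C_6 = 0, \\
\frac{\partial u}{\partial t_7} &= \frac{a v_7 T_7}{(t_7 + T_7)^2} - c_7 = 0, &
\frac{\partial U}{\partial T_7} &= \frac{a v_7 t_7}{(t_7 + T_7)^2} - C_7 = 0, \\
\frac{\partial u}{\partial t_8} &= \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - c_8 = 0, &
\frac{\partial U}{\partial T_8} &= \frac{(V_8 + V_9 + V_{10})(t_8 + t_9 + t_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - C_8 = 0, \\
\frac{\partial u}{\partial t_9} &= \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - c_9 = 0, &
\frac{\partial U}{\partial T_9} &= \frac{(V_8 + V_9 + V_{10})(t_8 + t_9 + t_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - C_9 = 0, \\
\frac{\partial u}{\partial t_{10}} &= \frac{(v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - c_{10} = 0, &
\frac{\partial U}{\partial T_{10}} &= \frac{(V_8 + V_9 + V_{10})(t_8 + t_9 + t_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^2} - C_{10} = 0, \\
\frac{\partial u}{\partial t_{11}} &= \frac{v_{11} T_{11}}{(t_{11} + T_{11})^2} - c_{11} = 0, &
\frac{\partial U}{\partial T_{11}} &= \frac{V_{11} t_{11}}{(t_{11} + T_{11})^2} - C_{11} = 0
\end{aligned}
\tag{49}
$$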

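The second order conditions are

$$
\begin{aligned}
\frac{\partial^2 u}{\partial t_5^2} &= \frac{-2 V_5 T_5}{(t_5 + T_5)^3}, &
\frac{\partial^2 U}{\partial T_5^2} &= \frac{-2 V_5 t_5}{(t_5 + T_5)^3}, \\
\frac{\partial^2 u}{\partial t_6^2} &= \frac{-2 [a(v_6 - V_6) + V_6]\, T_6}{(t_6 + T_6)^3}, &
\frac{\partial^2 U}{\partial T_6^2} &= \frac{-2 V_6 t_6}{(t_6 + T_6)^3}, \\
\frac{\partial^2 u}{\partial t_7^2} &= \frac{-2 a v_7 T_7}{(t_7 + T_7)^3}, &
\frac{\partial^2 U}{\partial T_7^2} &= \frac{-2 a v_7 t_7}{(t_7 + T_7)^3}, \\
\frac{\partial^2 u}{\partial t_8^2} = \frac{\partial^2 u}{\partial t_9^2} = \frac{\partial^2 u}{\partial t_{10}^2} &= \frac{-2 (v_8 + v_9 + v_{10})(T_8 + T_9 + T_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^3}, &
\frac{\partial^2 U}{\partial T_8^2} = \frac{\partial^2 U}{\partial T_9^2} = \frac{\partial^2 U}{\partial T_{10}^2} &= \frac{-2 (V_8 + V_9 + V_{10})(t_8 + t_9 + t_{10})}{(t_8 + T_8 + t_9 + T_9 + t_{10} + T_{10})^3}, \\
\frac{\partial^2 u}{\partial t_{11}^2} &= \frac{-2 v_{11} T_{11}}{(t_{11} + T_{11})^3}, &
\frac{\partial^2 U}{\partial T_{11}^2} &= \frac{-2 V_{11} t_{11}}{(t_{11} + T_{11})^3}
\end{aligned}
\tag{50}
$$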

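which are satisfied since $0 \le a \le 1$. For simplicity we set $v_8 = v_9 = v_{10}$, $c_8 = c_9 = c_{10}$, $V_8 = V_9 = V_{10}$, $C_8 = C_9 = C_{10}$ which gives $t_8 = t_9 = t_{10}$, $T_8 = T_9 = T_{10}$. Solving (49) gives

$$
\begin{aligned}
t_5 &= \frac{V_5 C_5}{(c_5 + C_5)^2}, &
T_5 &= \frac{V_5 c_5}{(c_5 + C_5)^2}, \\
t_6 &= \frac{V_6 C_6 [a(v_6 - V_6) + V_6]^2}{[a C_6 (v_6 - V_6) + (c_6 + C_6) V_6]^2}, &
T_6 &= \frac{V_6^2 c_6 [a(v_6 - V_6) + V_6]}{[a C_6 (v_6 - V_6) + (c_6 + C_6) V_6]^2}, \\
t_7 &= \frac{a v_7 C_7}{(c_7 + C_7)^2}, &
T_7 &= \frac{a v_7 c_7}{(c_7 + C_7)^2}, \\
t_8 = t_9 = t_{10} &= \frac{v_8^2 V_8 C_8}{(V_8 c_8 + v_8 C_8)^2}, &
T_8 = T_9 = T_{10} &= \frac{V_8^2 v_8 c_8}{(V_8 c_8 + v_8 C_8)^2}, \\
t_{11} &= \frac{v_{11}^2 V_{11} C_{11}}{(V_{11} c_{11} + v_{11} C_{11})^2}, &
T_{11} &= \frac{V_{11}^2 v_{11} c_{11}}{(V_{11} c_{11} + v_{11} C_{11})^2}
\end{aligned}
\tag{51}
$$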

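Inserting into the utilities in (48) gives

$$
\begin{aligned}
u = {} & -\frac{V_5 c_5 (c_5 + 2 C_5)}{(c_5 + C_5)^2} - \frac{V_6 c_6 [a v_6 + (1 - a) V_6][c_6 V_6 + 2 C_6 (a(v_6 - V_6) + V_6)]}{[a C_6 (v_6 - V_6) + (c_6 + C_6) V_6]^2} \\
& - \frac{a v_7 c_7 (c_7 + 2 C_7)}{(c_7 + C_7)^2} - 3 v_8 + \frac{3 v_8^3 C_8^2}{(V_8 c_8 + v_8 C_8)^2} - v_{11} + \frac{v_{11}^3 C_{11}^2}{(V_{11} c_{11} + v_{11} C_{11})^2}, \\
U = {} & \frac{V_5 c_5^2}{(c_5 + C_5)^2} + \frac{V_6^3 c_6^2}{[a C_6 (v_6 - V_6) + (c_6 + C_6) V_6]^2} + \frac{a v_7 c_7^2}{(c_7 + C_7)^2} \\
& + \frac{3 V_8^3 c_8^2}{(V_8 c_8 + v_8 C_8)^2} + \frac{V_{11}^3 c_{11}^2}{(V_{11} c_{11} + v_{11} C_{11})^2}
\end{aligned}
\tag{52}
$$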
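The closed forms (51) and (52) can be checked numerically. The Python sketch below is an added example, not code from the paper: it solves the general two-agent ratio-form contest with $m_i = 1$ (of which each subsystem in (48) is an instance), maps the subsystems of (48) onto it, and compares the result with the expressions printed in (49), (51) and (52). All parameter values are constructed, the function names are hypothetical, and $V_7$ is set equal to $v_7$ because (48) writes the attacker's target-7 term with $V_7$ while (49)–(52) print $v_7$ for both agents.

```python
# Added example (not from the paper): equilibrium of the simplified game (48)-(52).
# Constructed sample parameters; targets 8-10 share one set of values, as in the text.
P = dict(a=0.4, V5=10.0, c5=1.0, C5=2.0,
         v6=3.0, V6=4.0, c6=1.0, C6=1.5,
         v7=2.0, V7=2.0, c7=1.0, C7=1.0,   # assumption: V7 = v7
         v8=2.0, V8=3.0, c8=1.0, C8=2.0,
         v11=5.0, V11=4.0, c11=2.0, C11=1.0)

def contest_equilibrium(A, B, c, C):
    """Ratio-form contest with m = 1 over one target. The defender maximises
    -A*T/(t+T) - c*t, the attacker maximises B*T/(t+T) - C*T. Returns the
    investments (t, T) that solve both first-order conditions."""
    denom = (B * c + A * C) ** 2
    return A * A * B * C / denom, A * B * B * c / denom

def foc_residuals(A, B, c, C, t, T):
    """Left-hand sides of the two first-order conditions, as in (49)."""
    s = (t + T) ** 2
    return A * T / s - c, B * t / s - C

def stakes(P):
    """(defender stake, attacker stake, c, C, number of targets) per subsystem,
    read off the utilities in (48)."""
    a = P["a"]
    return {
        "5": (P["V5"], P["V5"], P["c5"], P["C5"], 1),
        "6": (a * P["v6"] + (1 - a) * P["V6"], P["V6"], P["c6"], P["C6"], 1),
        "7": (a * P["v7"], a * P["V7"], P["c7"], P["C7"], 1),
        # With all interdependence parameters equal to one, targets 8-10 form
        # a single contest over the summed investments.
        "8-10": (3 * P["v8"], 3 * P["V8"], P["c8"], P["C8"], 3),
        "11": (P["v11"], P["V11"], P["c11"], P["C11"], 1),
    }

def solve(P):
    """Equilibrium per subsystem and the utilities u (defender), U (attacker)."""
    eq, u, U = {}, 0.0, 0.0
    for name, (A, B, c, C, n) in stakes(P).items():
        s, S = contest_equilibrium(A, B, c, C)   # summed over the n targets
        p = S / (s + S)                          # attack success probability
        eq[name] = {"t": s / n, "T": S / n, "p": p,
                    "foc": foc_residuals(A, B, c, C, s, S)}
        u -= A * p + c * s
        U += B * p - C * S
    return eq, u, U

def common_terms(P):
    """Terms shared by the printed closed forms (51) and (52)."""
    a = P["a"]
    A6 = a * (P["v6"] - P["V6"]) + P["V6"]
    d = {5: (P["c5"] + P["C5"]) ** 2,
         6: (a * P["C6"] * (P["v6"] - P["V6"]) + (P["c6"] + P["C6"]) * P["V6"]) ** 2,
         7: (P["c7"] + P["C7"]) ** 2,
         8: (P["V8"] * P["c8"] + P["v8"] * P["C8"]) ** 2,
         11: (P["V11"] * P["c11"] + P["v11"] * P["C11"]) ** 2}
    return a, A6, d

def paper_51(P):
    """Investments (t, T) per target as printed in (51)."""
    a, A6, d = common_terms(P)
    return {
        "5": (P["V5"] * P["C5"] / d[5], P["V5"] * P["c5"] / d[5]),
        "6": (P["V6"] * P["C6"] * A6 ** 2 / d[6], P["V6"] ** 2 * P["c6"] * A6 / d[6]),
        "7": (a * P["v7"] * P["C7"] / d[7], a * P["v7"] * P["c7"] / d[7]),
        "8-10": (P["v8"] ** 2 * P["V8"] * P["C8"] / d[8],
                 P["V8"] ** 2 * P["v8"] * P["c8"] / d[8]),
        "11": (P["v11"] ** 2 * P["V11"] * P["C11"] / d[11],
               P["V11"] ** 2 * P["v11"] * P["c11"] / d[11]),
    }

def paper_52(P):
    """Utilities (u, U) as printed in (52)."""
    a, A6, d = common_terms(P)
    u = (-P["V5"] * P["c5"] * (P["c5"] + 2 * P["C5"]) / d[5]
         - P["V6"] * P["c6"] * A6 * (P["c6"] * P["V6"] + 2 * P["C6"] * A6) / d[6]
         - a * P["v7"] * P["c7"] * (P["c7"] + 2 * P["C7"]) / d[7]
         - 3 * P["v8"] + 3 * P["v8"] ** 3 * P["C8"] ** 2 / d[8]
         - P["v11"] + P["v11"] ** 3 * P["C11"] ** 2 / d[11])
    U = (P["V5"] * P["c5"] ** 2 / d[5] + P["V6"] ** 3 * P["c6"] ** 2 / d[6]
         + a * P["v7"] * P["c7"] ** 2 / d[7]
         + 3 * P["V8"] ** 3 * P["c8"] ** 2 / d[8]
         + P["V11"] ** 3 * P["c11"] ** 2 / d[11])
    return u, U

def branch_assumption_holds(P, eq):
    """(48) replaces max[V6*p6, V7*p7] by V6*p6; confirm it at the solution."""
    return P["V6"] * eq["6"]["p"] >= P["V7"] * eq["7"]["p"]

if __name__ == "__main__":
    eq, u, U = solve(P)
    for name, r in eq.items():
        print(f"target {name}: t={r['t']:.4f} T={r['T']:.4f} p={r['p']:.4f}")
    print(f"u={u:.4f}, U={U:.4f}; closed form (52): {paper_52(P)}")
    print("max branch assumption holds:", branch_assumption_holds(P, eq))
```

The check in `branch_assumption_holds` matters when parameters are re-tuned: if $V_6 p_6 < V_7 p_7$ at the computed solution, the simplification leading from (47) to (48) no longer applies and the closed forms for targets 6 and 7 should not be used.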

9. Validating the models

Having developed models by intuitive reasoning and explanations, future research should support the models empirically and validate them. This means estimating and tuning the parameters to match real world cases. Governments continuously work to improve their defence profile. One may start with cases that have occurred, which means that defence investments are known and attack investments may be known, proceed with cases deemed likely to occur, and thereafter consider all targets within a government’s jurisdiction. Parameters can also be estimated experimentally applying the methods common in decision theory.

We first determine the number $n$ of targets which are subject to defence and protection, and the number $m$ of attackers, possibly grouping attackers with similar objectives into fewer attackers. For each target $i$ we estimate $2(m+1)+1$ parameters. These are the defender’s and attacker $j$’s unit costs $c_i$ and $C_i^j$ of investment (or further parameters if more complex investment expenditure functions $f_i$ and $F_i^j$ are used), the defender’s and attacker $j$’s target valuations $v_i$ and $V_i^j$, and the decisiveness parameter $m_i$. Additionally come the defender’s and attacker $j$’s system valuations $v$ and $V^j$. If the agents have resource constraints, we estimate $r$ for the defender and $R^j$ for attacker $j$. If the system is interdependent, there are $2\sum_{k=1}^{n-1} k$ interdependence parameters $\text{�}_{ik}$ between the $n$ targets. This gives $[2(m+1)+1]n + 2(m+1) + 2\sum_{k=1}^{n-1} k$ parameters.

Let us for the September 11, 2001 attack consider the four targets, the World Trade Center’s North and South Towers, the Pentagon and the White House (which was not hit). The defender’s budget and unit costs of defence for these four targets are confidential information, but are known by the US State Department, and may be estimated from larger and publicly available budgets, or from similar budgets and targets elsewhere. As argued in Section 5, the Pentagon, and similar reasoning applies for the White House, have high unit defence and attack costs. The World Trade Center has lower unit defence and attack costs, but its prominence makes the costs larger than regular office buildings.

As argued in Section 6, the decisiveness is large for targets such as these four. The decisiveness parameter $m_i$ is challenging to estimate exactly in practice, but defining $m_i$ as a fuzzy variable and applying fuzzy logic theory is one method. A second method is to estimate the range of possible variation of $m_i$ and determine the most conservative ‘worst case’ defence strategy assuming that $m_i$ takes the value that is most favourable for attacker $j$, assessing the favourability across the $m$ attackers. Then $m_i$ becomes an additional strategic variable that one of the attackers can choose within the specified range.

Target and system valuations can be estimated by letting people and elected officials rank the value of targets against each other, exploring statements and interviewing defectors and sympathisers of potential attackers, and applying expert judgments. For four simultaneous attacks a first approximation is to set the interdependence parameters equal to zero. Thereafter, it can be assessed how defence of and attack against one target impacts each other target.

When all parameters have been estimated, we proceed to determine the structure of the game, first assuming that the defender and $m$ attackers choose their strategies simultaneously and independently. We solve the game and determine the agents’ optimal investments across the $n$ targets. These investments are compared with actual investments, and an attempt is made to explain and justify possible discrepancies. One may have to go back and retune parameters, or the model analysis may have yielded insights to cause changes in investments. We proceed to consider alternative game structures, for example, sequential games and account for incomplete information and uncertainty, and solve the game anew to determine alternative investments which are again compared against actual investments and policies, and discussed with policy administrators.

10. Conclusion

Infrastructures subject to defence by a strategic defender and attack by multiple strategic attackers are analysed. A framework for analysis is provided. Each agent on the defensive and offensive side faces an optimisation programme that is specified. The strategic decision for each agent is how much to invest in defending versus attacking each target within the infrastructure, how to allocate investments across targets and what kinds of investments are suitable. Operations research, reliability theory, and game theory are merged for optimal analytical impact.

A target can have economic, human and symbolic values. These values are discussed and exemplified, and are generally different for the defender and attackers. Thereafter investment expenditure functions are considered. These can be linear in the investment effort for each agent, concave, convex, logistic, can increase in an incremental step-wise manner, or can be subject to budget constraints. To determine the probability of a successful attack on a target, contest success functions are introduced which depend on the relative investments of the defender and attackers on each target, and on characteristics of the contest over each target such as its decisiveness or intensity, and whether there is a mass effect for investments. The examples of such functions are the ratio and difference forms.

Targets can be in parallel, in series, interlinked, interdependent, independent or multi-use. Interlinked targets are neither fully in parallel nor fully in series, exemplified with a military force consisting of an army, a navy and an air force. For interdependent systems the defence of one target impacts all targets, and the attack on one target usually impacts other targets. Examples are within the airline industry and computer networks. Independent targets are not connected with other targets, for example, because of geographical remoteness or self-sufficiency. Multi-use systems are viewed differently by different agents.

The optimisation programme for the defender and each of multiple attackers is specified. The defender minimises the expected damage plus the defence expenditures, accounting for his valuation of targets. Each attacker maximises the expected damage minus the attack expenditures, accounting for a possibly different valuation of targets. The number of free choice variables equals the number of agents times the number of targets, or lower if there are budget constraints. Investments cannot be negative, and agents may have budget constraints. Each agent is interested in how his investments vary across the targets, and the impact on his utilities.

Infrastructures are built over time. A two period game that is often realistic is to assume that the defender chooses investments in the first period, whereas the attackers choose investments in the second period. Such games are solved with backward induction. The game may be repeated finitely or infinitely many times, with alternating investments for agents or groups of agents, and with different discount parameters for each agent. More generally, each agent may invest or sub-invest in any target at any point in time dependent on how the game evolves.

Defending and attacking infrastructures often involves assessing incomplete information, which may be symmetric or asymmetric across players. Examples of incomplete information are the agents’ valuations of the targets, parameters in the investment expenditure functions or the agents’ discount parameters for repeated games. Finally, an example of a system with 11 targets is analysed.

Acknowledgement

I thank two anonymous referees of this journal and Vicki M. Bier for useful comments.

Notes

1. See http://www.state.gov/s/ct/rls/other/des/123085.htm and http://security.homeoffice.gov.uk/legislation/current-legislation/terrorism-act-2000/proscribed-groups#, retrieved August 6, 2009.

2. In particular, Bier (private communication) observes that simple convexity of the component failure probabilities is not sufficient to yield convexity of their product; one needs log-convexity – which implies, roughly speaking, that the success probability of an attack against any given component decreases faster than exponentially in the level of investment.

3. This superseded earlier infinite recursions of the kind ‘If I think that you think that I think . . .’

4. An alternative is $V_i^j = v_i + \varepsilon_i$, which is the defender’s valuation plus an error term for target $i$. The error term can reflect attacker lack of information about the defender’s valuations, or attacker-specific goals such as prominence of target $i$, or the cost of attacking target $i$. I thank Vicky Bier for this suggestion.

5. Bier et al. (2006, p. 316) define the probability of success of an attack on a component as a function of the investment by the defender to strengthen that component, where the probability of attack on the system is exogenously given.

6. The decisiveness $m_i$ is a characteristic of the contest. It can be well illustrated by the history of warfare. Low decisiveness occurs for systems that are defendable, predictable, and where the individual components are dispersed, that is, physically distant or separated by barriers of various kinds. Neither the defender nor the attacker can get a significant upper hand. An example is the time prior to the emergence of cannons and modern fortifications in the fifteenth century. Another example is entrenchment combined with the machine gun, in multiply dispersed locations, in World War I. High decisiveness occurs for systems that are less predictable, easier to attack, and where the individual components are concentrated, that is, close to each other or not separated by particular barriers. This may cause ‘winner-take-all’ battles and dictatorship by the strongest. Either the defender or the attacker may get the upper hand. The combination of airplanes, tanks, and mechanised infantry in World War II allowed the offence to concentrate firepower more rapidly than the defence, which intensified the effect of force superiority (Hirshleifer 1995, pp. 32–33).

7. In the conflict literature, this is referred to as egalitarian distribution of an asset independent of effort (investment), so that each agent receives 50%. In our context $m = 0$ gives a certain ‘egalitarianism’ between the defender and the attacker in the sense that the defender obtains half as much reliability as he maximally hopes for. We ignore $m < 0$ which corresponds in one sense to altruism and in another sense to punishing individual investments and placing a premium on laziness.

8. Hirshleifer (1989, p. 104) argues that ‘in a military context we might expect the ratio form of the Contest Success Function to be applicable when clashes take place under close to ‘idealized’ conditions such as: an undifferentiated battlefield, full information, and unflagging weapons effectiveness. In contrast, the difference form tends to apply where there are sanctuaries and refuges, where information is imperfect, and where the victorious player is subject to fatigue and distraction.’ Hence, applying the difference form, in struggles between nations, one side may surrender rather than resist against an unappeasable opponent, with the expectation of not losing everything, realising the cost to the victor of locating and extracting all the spoils.

9. For the parallel system in Section 7.1, one alternative is to let the attacker equalise the vulnerabilities of the targets as perceived by the defender.

10. Conventional reliability theory distinguishes between independent and dependent systems. Ebeling (1997, 108ff) describes dependent systems as systems where ‘component failures are in some way dependent’. Markov analysis is typically applied. Aside from degraded systems, examples are load-sharing systems and standby systems where the breakdown of one component affects the other components.

11. I thank Vicky Bier for suggesting multi-use systems.

Notes on contributor

Kjell Hausken has been Professor of economics and societal safety at the Faculty of Social Sciences, University of Stavanger, Norway, since 1999. He holds a PhD (Thesis: ‘Dynamic Multilevel Game Theory’) from the University of Chicago (1990–1994), was a postdoc at the Max Planck Institute for the Studies of Societies (Cologne) 1995–1998, and a visiting scholar at Yale School of Management 1989–1990. He holds a Doctorate Program Degree (‘Philosophical, Behavioral, and Gametheoretic Negotiation Theory’) in Administration from the Norwegian School of Economics and Business Administration, an MSc degree (Thesis: ‘Nonlinear Bayes Estimation’) in Electrical Engineering (Cybernetics) from the Norwegian Institute of Technology, focusing on mathematics and statistics, and a minor in Public Law from the University of Oslo. He has worked as a Field Engineer for Schlumberger in Oman/Egypt, completed military service at the Norwegian Defence Research Establishment, and has published 90 articles in international journals. Hausken is on the editorial board for Theory and Decision, and Defence and Peace Economics, and has refereed for 40 journals. Introducing strategic interaction into risk analysis, Hausken’s research fields are economic risk management, political economy, information security, public choice, conflict, game theory, reliability, war, crime, terrorism, disaster prevention, stochastic theory, resilience management.

References

Arce, D.G., and Sandler, T. (2007), ‘Terrorist Signaling and the Value of Intelligence’, British Journal of Political Science, 37, 573–586.

Azaiez, N., and Bier, V.M. (2007), ‘Optimal Resource Allocation for Security in Reliability Systems’, European Journal of Operational Research, 181, 773–786.

Beitel, G.A., Gertman, D.I., and Plum, M.M. (2004), Balanced Scorecard Method for Predicting the Probability of a Terrorist Attack, Idaho Falls, Idaho, USA: Idaho National Engineering and Environmental Laboratory.

Bier, V.M., and Abhichandani, V. (2002), ‘Optimal Allocation of Resources for Defense of Simple Series and Parallel Systems from Determined Adversaries’, in Proceedings of the Engineering Foundation Conference on Risk-Based Decision Making in Water Resources X, Santa Barbara, CA: American Society of Civil Engineers.

Bier, V.M., Nagaraj, A., and Abhichandani, V. (2005), ‘Protection of Simple Series and Parallel Systems with Components of Different Values’, Reliability Engineering and System Safety, 87, 315–323.

Bier, V.M., Oliveros, S., and Samuelson, L. (2006), ‘Choosing What to Protect: Strategic Defense Allocation Against an Unknown Attacker’, Journal of Public Economic Theory, 9, 563–587.

Brown, G., Carlyle, M., Salmeron, J., and Wood, K. (2006), ‘Defending Critical Infrastructure’, Interfaces, 36, 530–544.

Carayon, P., Kraemer, S., and Bier, V.M. (2005), ‘Human Factors Issues in Computer and E-business Security’, in Handbook of Integrated Risk Management for E-Business: Measuring, Modeling and Managing Risk, ed. A. Labbi, Florida, UA: J Ross Publishing, pp. 63–85.

Cobb, C.W., and Douglas, P.H. (1928), ‘A Theory of Production’, American Economic Review, 18(Suppl.), 139–165.

Dighe, N., Zhuang, J., and Bier, V.M. (2008), ‘Secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence’, International Journal of Performability Engineering, Special issue on System Survivability and Defense against External Impacts, 5, 31–43.

Dixit, A., and Skeath, S. (1999), Games of Strategy, New York: Norton.

Ebeling, C. (1997), An Introduction to Reliability and Maintainability Engineering, New York, NY: McGraw-Hill.

Enders, W., and Sandler, T. (2003), ‘What Do We Know about the Substitution Effect in Transnational Terrorism?’, in Researching Terrorism: Trends, Achievements, Failures eds. A. Silke and G. Ilardi, Ilfords, UK: Frank Cass. http://www-rcf.usc.edu/~tsandler/substitution2ms.pdf

Enders, W., and Sandler, T. (2006), The Political Economy of Terrorism, New York: Cambridge University Press.

Fudenberg, D.M., and Tirole, J. (1991), Game Theory, Cambridge: MIT Press.

Gal-Or, E., and Ghose, A. (2005), ‘The Economic Incentives for Sharing Security Information’, Information Systems Research, 16, 186–208.

Gordon, L.A., and Loeb, M. (2002), ‘The Economics of Information Security Investment’, ACM Transactions on Information and System Security, 5, 438–457.

Gordon, L.A., Loeb, M., and Lucyshyn, W. (2003), ‘Sharing Information on Computer Systems Security: An Economic Analysis’, Journal of Accounting and Public Policy, 22, 461–485.

Harsanyi, J. (1967/68), ‘Games with Incomplete Information Played by ‘Bayesian Players’’, I-III Management Science, 14, 159–183, 320–334, 486–501.

Hausken, K. (2002), ‘Probabilistic Risk Analysis and Game Theory’, Risk Analysis, 22, 17–27.

Hausken, K. (2005), ‘Production and Conflict Models Versus Rent Seeking Models’, Public Choice, 123, 59–93.

Hausken, K. (2006a), ‘Income, Interdependence, and Substitution Effects Affecting Incentives for Security Investment’, Journal of Accounting and Public Policy, 25, 629–665.

Hausken, K. (2006b), ‘Returns to Information Security Investment: The Effect of Alternative Information Security Breach Functions on Optimal Investment and Sensitivity to Vulnerability’, Information Systems Frontiers, 8, 338–349.

Hausken, K. (2007), ‘Information Sharing among Firms and Cyber Attacks’, Journal of Accounting and Public Policy, 26, 639–688.

Hausken, K. (2008a), ‘Strategic Defense and Attack for Series and Parallel Reliability Systems’, European Journal of Operational Research, 186, 856–881.

Hausken, K. (2008b), ‘Strategic Defense and Attack for Reliability Systems’, Reliability Engineering & System Safety, 93, 1740–1750.

Hausken, K. (2008c), ‘Strategic Defense and Attack of Complex Networks’, International Journal of Performability Engineering, 4, 341–364.

Hausken, K., and Levitin, G. (2008), ‘Efficiency of Even Separation of Parallel Elements with Variable Contest Intensity’, Risk Analysis, 28, 1477–1486.

Hausken, K., and Levitin, G. (2009), ‘Minmax Defense Strategy for Complex Multi-state Systems’, Reliability Engineering and System Safety, 94, 577–587.

Hirshleifer, J. (1989), ‘Conflict and Rent-seeking Success Functions: Ratio vs. Difference Models of Relative Success’, Public Choice, 63, 101–112.

Hirshleifer, J. (1995), ‘Anarchy and Its Breakdown’, Journal of Political Economy, 103, 26–52.

Kreps, D.M., and Wilson, R. (1982), ‘Sequential Equilibria’, Econometrica, 50, 863–894.

Kunreuther, H., and Heal, G. (2003), ‘Interdependent Security’, The Journal of Risk and Uncertainty, 26, 231–249.

Levitin, G. (2002), ‘Maximizing Survivability of Acyclic Transmission Networks with Multi-state Retransmitters and Vulnerable Nodes’, Reliability Engineering and System Safety, 77, 189–199.

Levitin, G. (2003a), ‘Optimal Multilevel Protection in Series-parallel Systems’, Reliability Engineering and System Safety, 81, 93–102.

Levitin, G. (2003b), ‘Optimal Allocation of Multi-state Elements in Linear Consecutively Connected Systems with Vulnerable Nodes’, European Journal of Operational Research, 150, 406–419.

Levitin, G. (2007), ‘Optimal Defense Strategy against Intentional Attacks’, IEEE Transactions on Reliability, 56, 148–157.

Levitin, G., and Hausken, K. (2008), ‘Protection vs. Redundancy in Homogeneous Parallel Systems’, Reliability Engineering and System Safety, 93, 1444–1451.

Levitin, G., and Hausken, K. (2009a), ‘False Targets Efficiency in Defense Strategy’, European Journal of Operational Research, 194, 155–162.

Levitin, G., and Hausken, K. (2009b), ‘False Targets vs. Redundancy in Homogeneous Parallel Systems’, Reliability Engineering and System Safety, 94, 588–595.

Levitin, G., and Lisnianski, A. (2000), ‘Survivability Maximization for Vulnerable Multi-state Systems with Bridge Topology’, Reliability Engineering and System Safety, 70, 125–140.

Levitin, G., and Lisnianski, A. (2001), ‘Optimal Separation of Elements in Vulnerable Multi-state Systems’, Reliability Engineering and System Safety, 73, 55–66.

Levitin, G., and Lisnianski, A. (2003), ‘Optimizing Survivability of Vulnerable Series-parallel Multi-state Systems’, Reliability Engineering and System Safety, 79, 319–331.

Levitin, G., Dai, Y., Xie, M., and Poh, K.L. (2003), ‘Optimizing Survivability of Multi-state Systems with Multi-level Protection by Multi-processor Genetic Algorithm’, Reliability Engineering and System Safety, 82, 93–104.

Major, J. (2002), ‘Advanced Techniques for Modeling Terrorism Risk’, Journal of Risk Finance, 4, 15–24.

O’Hanlon, M., Orszag, P., Daalder, I., Destler, M., Gunter, D., Litan, R., and Steinberg, J. (2002), Protecting the American Homeland, Washington, DC: Brookings Institution.

Patterson, S.A., and Apostolakis, G.E. (2007), ‘Identification of Critical Locations Across Multiple Infrastructures for Terrorist Actions’, Reliability Engineering and System Safety, 92, 1183–1203.

Phimister, J.R., Bier, V.M., and Kunreuther, H.C. (eds.) (2004), Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence, Washington, DC: National Academies Press.

Powell, R. (2007a), ‘Allocating Defensive Resources with Private Information about Vulnerability’, American Political Science Review, 101, 799–809.

Powell, R. (2007b), ‘Defending against Terrorist Attacks with Limited Resources’, American Political Science Review, 101, 527–541.

Powell, R. (2007c), ‘Allocating Defensive Resources Prior to Attack’, in Paper presented at the Annual Meeting of the ISA’s 49th Annual Convention, Bridging Multiple Divides, Hilton, San Francisco, CA. http://www.allacademic.com/meta/p250775_index.html

Rasmusen, E. (2001), Games and Information, Cambridge: Basil Blackwell, Inc.

Sandler, T., and Enders, W. (2007), ‘Applying Analytical Methods to Study Terrorism’, International Studies Perspectives, 8, 287–302.

Sandler, T., and Siqueira, K. (2006), ‘Global Terrorism: Deterrence versus Pre-emption’, Canadian Journal of Economics, 39, 1370–1387.

Selten, R. (1975), ‘Reexamination of the Perfectness Concept for Equilibrium Points in Extensive Games’, International Journal of Game Theory, 4, 25–55.

Shier, D.R. (1991), Network Reliability and Algebraic Structures, New York, NY: Clarendon Press.

Simon, H. (1969), The Sciences of the Artificial, Cambridge: MIT Press.

Siqueira, K., and Sandler, T. (2007), ‘Terrorist Backlash, Terrorism Mitigation, and Policy Delegation’, Journal of Public Economics, 91, 1800–1815.

Skaperdas, S. (1991), ‘Conflict and Attitudes Toward Risk’, American Economic Review, 81, 116–120.

Skaperdas, S. (1996), ‘Contest Success Functions’, Economic Theory, 7, 283–290.

Straffin, P. (1993), Game Theory and Strategy, Washington, DC: Mathematical Association of America.

Tullock, G. (1980), ‘Efficient Rent-Seeking’, in Toward a Theory of the Rent-seeking Society, eds. J.M. Buchanan, R.D. Tollison and G. Tullock, College Station, TX: Texas A&M University Press, pp. 97–112.

Viscusi, W.K. (2005), ‘‘The Value of Life’’ New Palgrave Dictionary of Economics and the Law (2nd ed.), SSRN: http://ssrn.com/abstract=827205.

Woo, G. (2002), ‘Quantitative Terrorism Risk Assessment’, Journal of Risk Finance, 4, 7–14.

Woo, G. (2003), ‘Insuring against Al-Qaeda’, Insurance Project Workshop, National Bureau of Economic Research, Inc. (Available at: http://www.nber.org/~confer/2003/insurance03/woo.pdf).

Zhuang, J., Bier, V.M., and Gupta, A. (2007), ‘Subsidies in Interdependent Security with Heterogeneous Discount Rates’, Engineering Economist, 52, 1–19.