A Tullock-contest-based approach for cyber security investments

We study a cyber security game between a defender who wishes to defend her information assets and an attacker who tries to attack them. In this game the attacker and the defender choose how to distribute their resources in attacking or defending the different information assets. Given these investments the probability that an attack on a given asset is successful is an increasing function of the attacker’s investment and a decreasing function of the defender’s investment. The defender tries to minimize the expected damage from the attacks plus the cost of the defense while the attacker tries to maximize the expected damage from attacks minus his attacks’ expenses. The attacker is constrained by a budget. We compare two scenarios: a sequential move game and a simultaneous game. In the sequential game the defender moves first by deciding how much resources to allocate to the defense of each information asset and the attacker observes these investments and responds by allocating his resources in a manner that maximizes his expected utility. In the simultaneous game the attacker does not observe the defender’s decision before making his own. We analyze the best response strategies of the players and the equilibria of each of these games. Based on this analysis, we provide a tight upper bound on the reduction in defender’s costs that can be achieved by moving from the simultaneous to the sequential game.