You Can Only Die Once: Interdependent Security in an Uncertain

You Can Only Die Once: Interdependent Security in an Uncertain World Howard Kunreuther Center for Risk Management and Decision Processes The Wharton School University of Pennsylvania ([email protected]) CIS620/OPIM952 February 11, 2003 1

Characteristics of the Problem Risk faced by one person depends on actions of others (negative stochastic externalities) Non-additive damages (You can only die once – two events no worse than one) 2

What is Interdependent Security? Protect against a risk by making an investment Airline can invest in baggage security system to reduce chance of bomb explosions Investment in computer protection against viruses and hackers BUT can be contaminated by others even after investing Airline can be contaminated by bags transferred from other airlines that did not invest Computer can be attacked by viruses from other computers on the network 3

Types of Problems Investing in airline security Securing computer systems against attacks. Avoiding divisional gambles that could bring bankrupt entire firm. Nick Leeson & collapse of Baring’s Arthur Andersen brought into bankruptcy by Houston bran Investing in Research and Development (R&D) Vaccination Against Diseases 4

Scenario Illustrating IDS Be Careful (BC) Airlines considers installing baggage checking system for added protection. Needs to balance the cost of this system with reduction in risk of explosion of luggage not only checked in with BC but also from bags of passengers checked in on other airlines & transferred to BC. 5

Game Theory Framework Identical Agents Airlines A1 and A2. Y income of airline before expenditure on security Probability contaminated bag is accepted & explodes in A i : p Probability contaminated bag accepted by Ai is transferred to another airline where it explodes : q Loss if a bag explodes : L. Investment Cost of Baggage Security System: c Threats respond to security measures 6

Payoffs & Contamination Investing (S) & Not Investing (N) in Security System AIRLINE 2 S N S Y -c, Y -c Y- c - qL, Y - pL AIRLINE 1 N Y - pL, Y – c - qL Y–pL– (1-p)qL, Y–pL– (1-p)qL If c pL(1-q) then each will invest. Alone would invest if c pL. Tighter inequality reflects reduced incentive to invest because of interdependence & risk of contamination. Investment no longer buys complete security 7

A Simple Numerical Example Expected Costs Associated with Investing (S) and Not Investing (N) in Baggage Security System AIRLINE 2 S S Y -95, Y -95 N Y -100, Y -295 N Y-295, Y -100 AIRLINE 1 Y -280, Y -280 Decisions If A2 has a security system (S) then it is worthwhile for A1 to invest in one Expected losses reduced by pL - 100 Cost of baggage security system. 95 If A2 does not invest in security (N) then A1 will not want to invest in one Expected losses reduced by p(1-q)L - (280-200) -80 Cost of baggage security system. 95 8

Types of Nash Equilibria for Different c Values If c pL then (N,N) is a dominant strategy If c pL(1-q) then (S, S) is dominant strategy If pL(1-q) c pL then (S,S) & (N,N) are Nash equilibria Illustrative Example: p .1 q .2 L 1000 If c 100 then (N, N) is a dominant strategy If c 80 then (S, S) is dominant strategy If 80 c 100 then (S,S) & (N,N) are Nash equilibria 9

Impact of Contamination on Nash Equilibria if there are n Agents Define Xi(n,0) to be the negative externalities to Agent i if it invests in security and none of the other agents do. What is expected cost to Agent i from investing in security if none of the other agents invest in security? E(Cost from Investing) Y - c – Xi(n,0) What is expected cost to Agent i from not investing in security if none of the other agents invest in security? E(Cost from Not Investing ) Y- pL - (1-p) Xi(n,0) Agent i will only want to invest in security if Y- c – Xi(n,0) Y- pL- (1-p) Xi(n,0) This implies that c p [L- Xi(n,0)] 10

Impact of Contamination for n Agents: Airline Security Problem One can show that the negative externalities to airline i if it invests in security and none of the others do is: n-2 Xi(n,0) [q/(n-1)] [ [1-q /(n-1)] t] L {1- [1-q/(n-1)] L n-1 } What is the expectedt 0 loss [E(L)] to Airline i if it does not invest in security and none of the others invest in security? E (L) pL (1-p) Xi(n,0) In the limit as n then Xi(n,0) (1 - e-q) L We know that if c p[ L –Xi(n,0)] then Airline i will not invest in security Hence if c p [e-q L] then Airline i will not invest in security 11

Impact of Contamination on Computer Security One unprotected computer can infect all the others in the network Expected negative externalities imposed by all other agents on i Xi(n,0)) n-2 Xi(n,0) q L [ (1-q) t] [1-(1-q) ]L n-1 t 0 What is the expected loss [E(L)] to Computer i if it invests in security and none of the others do? E (L) pL (1-p) Xi(n,0) In the limit as n then Xi(n,0) L so that E(L) L Note: c p [ L –Xi(n,0) ] for Computer i to want to invest in security Hence in the limit c 0 so there is no cost incentive to invest in protecting any machine against viruses or hackers if none of the other machines are protected. 12

More is worse – much! Bottom line – one unprotected firm/individual poses a contamination problem for others Link many of them so that security of each depends on what others do and problem gets worse as number of unprotected agents increases Some individuals/firms offer vast policy leverage because of their linkages & positions in the network (Have tipping power: Can lead everyone to protect) 13

Game Theory Framework Heterogeneous Agents Airlines A1 and A2. Y income of airline before expenditure on security Probability contaminated bag is accepted & explodes in A i : pi Probability contaminated bag accepted by Ai is transferred to another airline where it explodes : qi Loss if a bag explodes : L. Investment Cost of Baggage Security System for Ai : ci 14

Payoffs & Contamination Investing (S) & Not Investing (N) in Security System AIRLINE 2 S N Y –c1 Y –c2 Y- c2 – q1 L, Y – p2 L S AIRLINE 1 N Y – p1 L, Y – c2 – q1 L Y – p1 L – (1-p1 )q 2L, Y – p2 L – (1-p2 )q 1L If ci pi L(1-qj ) then each will invest. Alone would invest if ci pi L. Tighter inequality reflects reduced incentive to invest because of interdependence & risk of contamination. Investment no longer buys complete security 15

c2 N,N is Nash NN is Nash and dominant S,N p 2L S,S is Nash equilibrium p 2 L(1-q Either N,N or S,S is Nash equilibrium N,N is Nash 1) S,S is Nash equilibrium S,S is dominant strategy & Nash equilibrium p 1 L(1-q 2 ) N,S c1 p 1L 16

Tipping & contamination when airlines have different costs and risks Ei (n,0) - negative externalities imposed by airline i on all other airlines when no other airlines invest and airline i changes from investing to not investing Note Ei (n,0) is externality imposed by airline i on other airlines while Xi (n,0) is externality imposed on airline i when no other airlines invest in security If by switching from N to S a single airline i can cause all others to switch from N to S it will be the one with the highest Ei (n,0). This turns out to be the same as the airline with the highest qi. If by switching from N to S a group of K airlines can cause all others to follow they will be the ones having the K highest Ei (n,0). 17

Illustrative Example of Tipping Consider 3 airlines Airlines 1 and 2 are identical (p1 p2 0.1; q1 q2 0.1; c1 c2 90 Airline 3 has risks and costs so that the Nash Equilibrium is where no airline invests in security ( q3 0.5 and c3 is high enough so A3 doesn’t want to invest) If A3 is taxed so it decides to invest in security it will tip the equilibrium so both A1 and A2 will also want to invest in security 18

100, 100 c2 Equilibrium in DS is (N,N) 90, 90 Actual costs (85, 85) in (N,N) region 75, 75 71.25, 71.25 Equilibrium in DS is (S,S) c1 Figure 2 19

Equilibrium in DS is (N,N) c2 100, 100 90, 90 71.25, 71.25 75, 75 Actual costs (85, 85) in (S,S) region Equilibrium in DS is (S,S) c1 Figure 3 20

Investing in R&D Same structure as airline security problem with the following key differences airline security---investment by one airline encourages others to also invest and can lead to tipping behavior R&D—investment by one firm discourages others from following suit and can lead to free riding Nash Equilibrium for R&D Problem If no firms are investing then E(return) is at its highest level In all firms are investing then E(return) is at its lowest level If there are gains to being first, there is a wider range where investment by all firms can be a dominant strategy 21

c 2 N,N only I,N only p 2 G Both I,N & N,I p 2 {1-q 1 }G N,I only I,I only p 1 {1-q 2 }G p 1G c1 Figure 4 22

Bioterrorism & Vaccination What should public policy be on smallpox vaccination? (e.g. requiring it for certain groups; voluntary decision) Interdependent security models relevant – You only catch smallpox once My risk depends on whether you are vaccinated Applying IDS models to analyze public policy here 23

Bioterrorism & Vaccination Analyze Nash equilibrium of individual choices over vaccination Each person’s choice depends on probability of infection, severity, and costs of vaccination And probability of infection depends on what choices others make 24

Bioterrorism & Vaccination Epidemiological models assume either all or none vaccinated Modeling individual choice an important advance as this can make or break public policies Show that a wide range of outcomes is possible and how to influence the outcome 25

Patterns of vaccination 3 person case c pL: V,V,V pL c pL (1-p)qL: V,V,NV pL (1-p)qL c TR(3,0)L: V,NV,NV TR(3,0)L c: NV,NV,NV TR(3,0) total risk of infection to 1 of 3 individuals when noone is vaccinated 26

Types of Interventions (Internalizing Negative Externalities) Insurance Not feasible under current system because insurer of agent i does not pay for damage to agent j j i Social insurance provides premium reduction to agent i for reduction in contamination to all other agents Liability---This policy tool only works if contaminating agent is held liable for damage to others if it did not invest in protection Regulations Importance of well-enforced codes and standards to ensure that cost-effective security measures are adopted 27

Types of Interventions (Internalizing Externalities) Taxation—Can levy a tax of t dollars on any agent that did not invest in protection to encourage them to adopt security measures Coordinating mechanisms International Air Transport Association (IATA)--require baggage security on all bags to be transferred to other airlines Coops in NYC—Require that all buyers of apartments invest in sprinkler system as a condition for purchase Social norms—role of friends and neighbors 28

Future Research Directions Prescriptive Questions Do you tax some agents more because they have a greater chance of contaminating others? Role of regulations (e.g. building codes, required baggage check-in) Multi-Period and Dynamic Models Importance of time horizon and discount rate How do you get process of investing in security started? Importance of developing sequential models of choice which incorporates learning 29

Future Research Directions Behavioral Considerations Impact of ambiguity Misperceptions of risk Myopia (i.e. short time horizons) Importance of affect (e.g. worry, dread, anxiety) 30

Future Research: Risk Management Strategies Collecting information on risk and costs (e.g. constructing scenarios so that one can estimate pi qi Li and ci with greater accuracy) Designing incentive systems (e.g. subsidies or taxes) to encourage investment by agents in protective measures. Developing insurance programs for encouraging investment in protective measures when firms are faced with contamination. Designing well-enforced standards (e.g. building codes for high-rises to withstand future terrorist attacks) using third-party inspections. Federal reinsurance or state-operated pools providing protection against future losses from terrorist attacks to supplement private insurance I 31

Future Empirical Studies Why do some agents and organizations invest in protection and others do not when there is an IDS problem? What actions can the public sector take to encourage property owners and organizations to invest in protective and security measures and constrain others from doing so? What role can private sector mechanisms such as subsidies, fines, insurance, bank loans and potential liability play? What are the appropriate roles of taxation, regulations and standards to supplement private sector mechanisms? 32

Future Empirical Studies What institutional mechanisms would aid the decision process of agents in adopting protective measures given that there are interdependent security problems? Can industry associations (e.g. IATA for the airlines) play an important role in facilitating actions by individual companies? What types of property rights would encourage agents to undertake security measures? Turkey requires unanimity for apartments to change rules NYC Coops has government board (majority rule) 33

Conclusions IDS structure – non-additive damages & interdependent risks – characterizes wide range of problems Airlines, computers, vaccination, R&D, Bankruptcy of an organization Need new computational techniques to take advantage of special problem structure such as ones covered in this course Need for public-private partnerships 34