A Quantal Response Analysis of Human Decision-Making in Interdependent Security Games Modeled by Attack Graphs

Md. Reya Shad Azim, Timothy Cason, Mustafa Abdallah

IEEE Access (2024)

Abstract
Interdependent systems, under the management of multiple decision-makers, confront rapidly growing cybersecurity threats. This paper delves into the realm of security decision-making within these complex interdependent systems managed by multiple defenders. Each defender assumes responsibility for safeguarding a specific subnetwork of the system against potential attacks. The relationships between these assets are depicted through an attack graph, where edges connecting assets signify that the compromise of one asset could expose vulnerabilities in another asset. These edges are associated with probabilities that represent the likelihood of a successful attack, which can be reduced through security investments by the defenders. Our approach involves modeling these systems using game-theoretic frameworks, accounting for the impact of bounded rationality and imperfect best-response behavior, as frequently observed in human decision-making within the domains of behavioral economics and psychology. We first establish the existence of quantal response equilibrium in our interdependent security games. We present illustrative examples to highlight the disparities between the solutions derived from the social optimal perspective and those arising from quantal response equilibrium. Subsequently, we analyze the inefficiency introduced by behavioral players with this type of bounded rationality in terms of the overall social cost of the system. We adapt a widely recognized metric to quantify the extent of this inefficiency, providing bounds and illustrating its exponential growth with an increase in the security budget. To assess our models, we employ a representative real-world interdependent system and compare the game-theoretic optimal investment strategies to those derived from a socially optimal standpoint.
Keywords
Attack graphs, quantal response equilibrium, central planning, security games, cyber security, human decision-making, interdependent systems, quantal errors, risk assessment