
2958 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 14, NO. 11, NOVEMBER 2019

Interdependent Strategic Security Risk Management With Bounded Rationality in the Internet of Things

Juntao Chen, Student Member, IEEE, and Quanyan Zhu, Member, IEEE

Abstract— With the increasing connectivity enabled by the Internet of Things (IoT), security becomes a critical concern, and users should invest to secure their IoT applications. Due to the massive devices in the IoT network, users cannot be aware of the security policies taken by all its connected neighbors. Instead, a user makes security decisions based on the cyber risks that he perceives by observing a selected number of nodes. To this end, we propose a model which incorporates the limited attention or bounded rationality nature of players in the IoT. Specifically, each individual builds a sparse cognitive network of nodes to respond to. Based on this simplified cognitive network representation, each user then determines his security management policy by minimizing his own real-world security cost. The bounded rational decision-makings of players and their cognitive network formations are interdependent and thus should be addressed in a holistic manner. We establish a games-in-games framework and propose a Gestalt Nash equilibrium (GNE) solution concept to characterize the decisions of agents and quantify their risk of bounded perception due to the limited attention. In addition, we design a proximal-based iterative algorithm to compute the GNE. With case studies of smart communities, the designed algorithm can successfully identify the critical users whose decisions need to be taken into account by the other users during the security management.

Index Terms— Risk management, bounded rationality, cognitive networks, Internet of Things, smart community.

I. INTRODUCTION

Recent years have witnessed a significant growth of urban population. As the growth continues, cities need to become more efficient to serve the surging population. To achieve this objective, cities need to become smarter with the integration of information and communication techniques (ICTs) and urban infrastructures. Driven by the advances in sensing, computing, storage and cloud technologies, the Internet of Things (IoT) plays a central role in supporting the development of smart city. Though IoT enables a highly connected world, the security of IoT becomes a critical concern. There are 5.5 million new things connected every day in 2016, as we head toward more than 20 billion by 2020 [1]. These IoT devices come from different manufacturers, and they have heterogeneous functionalities and security configurations and policies. No uniform security standards are used for IoT devices as they are developed using different system platforms for various functionalities. Moreover, due to the connections between IoT devices, the security of one device is also dependent on the security of other devices to which it connects. Therefore, the heterogeneity and the interconnectivity of massive heterogeneous IoT have created significant challenges for security management. Fig. 1 depicts a highly connected smart community enabled by IoT devices. Each household needs to take into account the cyber risks coming from their connected neighbors when securing their devices.

Manuscript received May 21, 2018; revised March 4, 2019; accepted April 9, 2019. Date of publication April 15, 2019; date of current version July 2, 2019. This work was supported in part by the National Science Foundation under Award SES-1541164 and Award ECCS-1847056, in part by the Army Research Office (ARO) under Grant W911NF1910041, and in part by a grant through the Critical Infrastructure Resilience Institute (CIRI). The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Karen Renaud. (Corresponding author: Juntao Chen.)

The authors are with the Department of Electrical and Computer Engineering, Tandon School of Engineering, New York University, Brooklyn, NY 11201 USA (e-mail: jc6412@nyu.edu; qz494@nyu.edu).

Digital Object Identifier 10.1109/TIFS.2019.2911112

Fig. 1. IoT-enabled interconnected smart community. The connectivity, on one hand, enhances the situational awareness of smart homes. However, it increases the cyber risks of the community. Hence, the cyber security of each household not only depends on its own risk management strategy but also on the ones of connected neighbors.

In cyber networks, security management and practices of users are often viewed as the weakest link [2]. The lack of security awareness and expertise at the user’s end creates human-induced vulnerabilities that can be easily exploited by an adversary, exacerbating the insecurity of IoT. To this end, it is critical to enhance the security by strengthening security management in a decentralized way. Hence, in the IoT, each device owner or system manager needs to allocate resources (e.g. human resources, computing resources, investments or cognition) to secure his applications. For example, the smart building operator can spend resources on upgrading the hardware, hiring staff members for network monitoring and forensics, and developing tailored security solutions to the smart building. A smart home user, on the other hand, can safely configure its network and regularly update the software and passwords of its IoT devices as illustrated in Fig. 1.

1556-6013 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Authorized licensed use limited to: University of the Cumberlands. Downloaded on June 23,2021 at 19:20:28 UTC from IEEE Xplore. Restrictions apply.

The devices in the IoT networks and their interconnections can be modeled as nodes and links, respectively. The security policy of one device can have an impact on the security risk of nodes that are connected to it. Since various users own different devices, the security management in IoT is decentralized in nature. Therefore, the process of decentralized security decision-making can be modeled as a game problem in which each user strategically allocates his resources to secure the devices [3]. In this game, the users’ risks are reduced when their connected neighbors are of high-level security. Due to the complex and massive connections, users cannot be aware of the security policies taken by all its connected neighbors. Instead, a user can only make security decisions based on the cyber risk he perceives by observing a selected number of nodes. This fact indicates that the game model needs to take into account the bounded rationality of players [4]. Therefore, in the game framework, we use a cognition vector representing the observation structure of each IoT user. Specifically, a sparser cognition vector represents a user with weaker cognition ability, and he observes a smaller number of other users’ behaviors when deciding his strategy. Thus, the limited attention nature of users creates a bounded perception of cyber risks.

In the established bounded rational game model, the users need to make security management decisions as well as design their cognition networks in a holistic manner. In order to achieve this goal, we define a new solution concept called Gestalt Nash equilibrium (GNE) to capture the cognitive network formation and the security management under the bounded rationality simultaneously. The analysis of the GNE provides a quantitative method to understand the risk of massive IoTs and gives tractable security management policies. We further design a proximal-based iterative algorithm to compute the GNE of the game. The GNE resulting from the algorithm reveals several typical phenomena that match well with the real-world observations. For example, when the network contains two groups of users, then under the limited attention, all users will allocate their cognition resources to the same group which demonstrates the law of partisanship. Further, in a heterogeneous massive IoT, the equilibrium successfully identifies the set of agents that are invariably paid attention to by other users, demonstrating the phenomenon of attraction of the mighty. Since the framework predicts the high-level systemic risk of the IoT network, it also can be used to inform the design of security standards and incentive mechanisms, e.g., through contracts and cyber insurance.

The developed security management model provides an essential framework to assess IoT security risks when applied to various applications. For example, in smart home communities, the households are connected together to share heterogeneous information, e.g., electricity prices and temperature readings through smart meters, and real-time information of items in local stores and shops by wireless sensors. The connections of IoT devices thus create security interdependencies between households. Another broader application lies in the different components in smart cities. Due to the interconnectivity between large-scale infrastructures including the transportation, power grids, and communications, the manager of each sector needs to take into account the cyber risks coming from other components when adopting security solutions.

The contributions of this paper are summarized as follows:

1) We propose a holistic framework to investigate the security management of users with bounded rationality in the IoT networks.

2) We model the cognition of users with a sparse vector and quantify users’ risk of bounded perception resulting from the underperceived cyber threats in the network.

3) We design a proximal-based algorithm to compute the GNE which contains security management strategy and cognitive network of agents. The algorithm discovers several phenomena including emergence of partisanship, filling the inattention, and attraction of the mighty.

4) We apply the proposed model to a smart community, and demonstrate that the designed algorithm can identify the most critical households in the network.

A. Related Work

Security management has been investigated in various research fields including computer networks [5], communications [6], cloud computing [7] and infrastructures [8]. With the advances in ICTs, a growing number of works have focused on the emerging critical issue of IoT security [9]–[11]. Due to the interconnectivity between different agents, the security of one agent is also dependent on its connected ones which gives rise to the notion of “interdependent security” [12]. The authors in [13]–[15] have further investigated the security interdependencies in multilayer cyber-physical systems.

Games over networks have caught a lot of attention recently especially from the economics perspective [16]–[19]. The couplings between players in the network can be either in a strategic exclusive or strategic complement manner. Based on the features of security management in IoT, our problem falls into the latter class. For the engineering applications, the authors in [8], [20] have studied the resource allocation game over interdependent critical infrastructures where both players aim to increase the connectivity of the network. Huang et al. [21], [22] have adopted a stochastic Markov game model to design resilient operating strategies for multi-layer networks. Zhu et al. [23] have proposed a game-theoretic framework for collaborative intrusion detection systems through resource management to mitigate network cyber threats. Our work differs from [23] in that we take into account the cognitive factors of human behaviors during decision making.

Humans with limited knowledge or cognitive resources are bounded rational, since they cannot pay attention to all the information [24], [25]. Gabaix has proposed a “sparse max” operator to model the limited attention of players in which each agent builds a simplified model of the network based on an $l_1$ norm [4]. Our work leverages on the established “sparse max” operator and formulates a constrained game program to capture the bounded cognition ability of players in the IoT. In addition, we further consider the risk management of each user based on their underperceived cyber risks over the network.

TABLE I: NOMENCLATURE

B. Organization of the Paper

The rest of the paper is organized as follows. Section II formulates a security management game over IoT networks with bounded rational players. Section III analyzes the problem. Section IV designs a proximal-based iterative algorithm to compute the GNE. Case studies are given in Section V, and Section VI concludes the paper.

C. Summary of Notations

For convenience, we summarize the notations used in the paper in Table I. Note that notations associated with $*$ refer to the value at equilibrium. Furthermore, notations with index $k$ stand for their values at step $k$ during the iterative updates.

II. PROBLEM FORMULATION

In this section, we formulate a problem involving strategic security decision making and cognitive network formation of players in the IoT networks.

A. Security Management Game Over Networks

In an IoT user network including a set $\mathcal{N}$ of nodes,¹ where $\mathcal{N} := \{1, 2, \ldots, N\}$, each node can be seen as a player that makes strategic decisions on the security management to secure their IoT devices. For instance, in Fig. 1, each smart home is a player securing their smart things to mitigate the cyber threats. We denote by $U := \{u_1, \ldots, u_N\}$ the decision profile of all the players. Specifically, $u_i$ is a one-dimensional decision variable representing player $i$’s security management effort. For convenience, we denote $u_{-i} := U \setminus \{u_i\}$. The objective of player $i$, $i \in \mathcal{N}$, is to minimize his security risk strategically by taking the costly action $u_i$. We define by $F_1^i : \mathbb{R}_+ \to \mathbb{R}_+$ the cost of security management effort of player $i$ which is an increasing function of $u_i$. The corresponding benefit of security management is captured by a function $F_2^i : \mathbb{R}_+ \to \mathbb{R}_+$. Intuitively, a larger $u_i$ yields a higher return, and hence $F_2^i$ is monotonically increasing. Due to the interconnections in the IoT, the risk of player $i$ is also dependent on his connected users. Then, we use a function $F_3^i : \mathbb{R}_+ \times \mathbb{R}_+^{N-1} \to \mathbb{R}_+$ to represent the influence of player $i$’s connected users on his security. The coupling between players in the IoT is in a strategic complement fashion with respect to the security decisions. More specifically, a larger security investment $u_j$ of player $j$, a connected node of player $i$, decreases the cyber risks of player $i$ as well. Therefore, the cost function of player $i$ can be expressed as the following form:

¹ The terms node, agent and player refer to the user in the IoT, and they are used interchangeably.

$$J^i(u_i, u_{-i}) = F_1^i(u_i) - F_2^i(u_i) - F_3^i(u_i, u_{-i}), \tag{1}$$

where $J^i : \mathbb{R}_+ \times \mathbb{R}_+^{N-1} \to \mathbb{R}$. To facilitate the analysis and design of security risk management strategies, we specify some appropriate forms of functions in (1). In the following, we focus on player $i$ taking the quadratic form: $F_1^i(u_i) = \frac{1}{2} R^i_{ii} u_i^2$, $F_2^i(u_i) = r_i u_i$, and $F_3^i(u_i, u_{-i}) = \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u_i u_j$. Thus, (1) can be detailed as

$$J^i(u_i, u_{-i}) = \frac{1}{2} R^i_{ii} u_i^2 - r_i u_i - \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u_i u_j, \tag{2}$$

where $R^i_{ii} > 0$, $r_i > 0$, $\forall i$, and $R^i_{ij} \geq 0$, $\forall j \neq i$, $i \in \mathcal{N}$. Note that parameters $R^i_{ij}$, $i, j \in \mathcal{N}$, represent the risk dependence network of player $i$ in the IoT, and the value of $R^i_{ij}$ indicates the strength of risk influence of player $j$ on player $i$ which is given as a prior. The first term $\frac{1}{2} R^i_{ii} u_i^2$ in (2) is the cost of security management with an increasing marginal price. The second term $r_i u_i$ denotes the corresponding payoff of cyber risk reduction. Then, the first two terms capture the fact that increasing a certain level of cyber security becomes more difficult in a secure network than a less secure one. The last term $\sum_{j=1, j \neq i}^{N} R^i_{ij} u_i u_j$ is the aggregated security risk effect from connected users of player $i$. Specifically, the structure of $F_3^i$ in $u_i$ and $u_j$ indicates that the risk measure $J^i$ of player $i$ decreases linearly with respect to user $j$’s action. Hence, in the established model, larger investment from a user helps reduce cyber risk influence in a linear way. We have the following assumption on the security influence parameters.

Assumption 1: $R^i_{ii} > \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij}$, $\forall i \in \mathcal{N}$.

Assumption 1 has a natural interpretation which indicates that the security of a user is mainly determined by his own strategy rather than other users’ decisions in the IoT network. Moreover, based on the heterogeneous influence networks characterized by Assumption 1, each node designs its own security investment strategy which enables the decentralized decision-making. The strategies of nodes are interdependent due to the coupling between their cost functions shown in (2).

Through the first order optimality condition (FOC), we obtain

$$R^i_{ii} u_i - \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u_j - r_i = 0, \quad \forall i \in \mathcal{N}. \tag{3}$$

Putting (3) in a matrix form yields

$$\begin{bmatrix} R^1_{11} & -R^1_{12} & \cdots & -R^1_{1N} \\ -R^2_{21} & R^2_{22} & \cdots & -R^2_{2N} \\ \vdots & \vdots & \ddots & \vdots \\ -R^N_{N1} & -R^N_{N2} & \cdots & R^N_{NN} \end{bmatrix} \begin{bmatrix} u_1 \\ u_2 \\ \vdots \\ u_N \end{bmatrix} = \begin{bmatrix} r_1 \\ r_2 \\ \vdots \\ r_N \end{bmatrix} \Leftrightarrow Ru = r, \tag{4}$$

where $r := [r_i]_{i \in \mathcal{N}}$, $u := [u_i]_{i \in \mathcal{N}}$.

For convenience, we denote this security management game by $G$. One solution concept of game $G$ is Nash equilibrium (NE) which is defined as follows.

Definition 1 (Nash Equilibrium of Game $G$ [3]): The strategy profile $u^* = [u_i^*]_{i \in \mathcal{N}}$ constitutes a Nash equilibrium of game $G$ if $J^i(u_i, u^*_{-i}) \geq J^i(u_i^*, u^*_{-i})$, $\forall i \in \mathcal{N}$, $\forall u_i \in \mathcal{U}_i$.

The NE of game G yields strategic security management policies of players under the condition that they can perceive all the cyber risks in the IoT network.

B. Bounded Rational Security Management Game

In reality, the users in IoT are connected with numerous other agents. For example, a single household can be connected with a number of other houses in terms of various types of IoT products in the smart communities. Therefore, when making security management strategies, each user may not be capable to observe all its connected neighbors. Instead, a user can only respond to a selected number of other players’ decisions. Then, this bounded rational response mechanism creates a cognitive network formation process for the players in the network. Specifically, player $i$’s irrationality is captured by a vector $m^i := [m^i_j]_{j \neq i, j \in \mathcal{N}}$, $m^i_j \in [0, 1]$, which stands for the attention network that player $i$ builds. When $m^i_j = 0$, user $i$ pays no attention to user $j$’s behavior; when $m^i_j = 1$, user $i$ observes the true value of security management $u_j$ of user $j$. The value that $m^i_j$ admits between 0 and 1 can be interpreted as the trustfulness of user $i$ on the perceived $u_j$. Another interpretation of $m^i_j$ can be the probability that user $i$ observes the behavior of user $j$ at each time instance on the security investment over a long period. Hence, the decision of player $j$ perceived by player $i$ becomes $u^{c_i}_j = m^i_j u_j$. Then, player $i$ minimizes the modified cost function with bounded rationality defined as:

$$\begin{aligned} \tilde{J}^i(u_i, u^{c_i}_{-i}, m^i) &= \frac{1}{2} R^i_{ii} u_i^2 - r_i u_i - \sum_{j \neq i, j \in \mathcal{N}} m^i_j R^i_{ij} u_i u_j \\ &= \frac{1}{2} R^i_{ii} u_i^2 - r_i u_i - \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u_i u^{c_i}_j, \end{aligned} \tag{5}$$

where $\tilde{J}^i : \mathbb{R}_+ \times \mathbb{R}_+^{N-1} \times [0, 1]^{N-1} \to \mathbb{R}$. The FOC of (5) gives $R^i_{ii} u_i - \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u^{c_i}_j - r_i = 0$, $\forall i \in \mathcal{N}$, which is equivalent to

$$\begin{bmatrix} R^1_{11} & -m^1_2 R^1_{12} & \cdots & -m^1_N R^1_{1N} \\ -m^2_1 R^2_{21} & R^2_{22} & \cdots & -m^2_N R^2_{2N} \\ \vdots & \vdots & \ddots & \vdots \\ -m^N_1 R^N_{N1} & -m^N_2 R^N_{N2} & \cdots & R^N_{NN} \end{bmatrix} \begin{bmatrix} u_1 \\ u_2 \\ \vdots \\ u_N \end{bmatrix} = \begin{bmatrix} r_1 \\ r_2 \\ \vdots \\ r_N \end{bmatrix} \Leftrightarrow R^s u = r. \tag{6}$$

The bounded rational best-response of player $i$, $i \in \mathcal{N}$, then becomes

$$u_i = BR^i(u^{c_i}_{-i}) = \frac{1}{R^i_{ii}} \left( \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u^{c_i}_j + r_i \right), \tag{7}$$

where $u^{c_i}_j = m^i_j u_j$.

We denote the security management game of players with limited attention by $\tilde{G}$. Comparing with the solution concept NE of game $G$, the one of game $\tilde{G}$ is generalized to bounded rational Nash equilibrium (BRNE). The formal definition of BRNE is as follows.

Definition 2 (Bounded Rational Nash Equilibrium of Game $\tilde{G}$): With given cognition vectors $m^i$, $\forall i \in \mathcal{N}$, the strategy profile $u^* = [u_i^*]_{i \in \mathcal{N}}$ constitutes a BRNE of game $\tilde{G}$ if $\tilde{J}^i(u_i, u^*_{-i}, m^i) \geq \tilde{J}^i(u_i^*, u^*_{-i}, m^i)$, $\forall i \in \mathcal{N}$, $\forall u_i \in \mathcal{U}_i$.

Note that the cognitive network each user built has an impact on the BRNE of game $\tilde{G}$. Hence, how the users determine the cognition vector $m^i$, $i \in \mathcal{N}$, becomes a critical issue. In the ensuing section, we introduce the cognitive network formation of players in the IoT.

C. Cognitive Network Formation

Due to the massive connections in IoT, each user builds a sparse cognitive network containing the agents to observe. To this end, the real cost of user i by taking the bounded rationality into account becomes

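$$\begin{aligned} J^i(BR^i(u^{c_i}_{-i}), u_{-i}) &= \frac{1}{2 R^i_{ii}} \left( \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u^{c_i}_j + r_i \right)^2 - \sum_{k \neq i, k \in \mathcal{N}} \left[ \frac{1}{R^i_{ii}} R^i_{ik} u_k \left( \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u^{c_i}_j + r_i \right) \right] \\ &\quad - \frac{r_i}{R^i_{ii}} \left( \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u^{c_i}_j + r_i \right) \\ &= \frac{1}{2} \sum_{j \neq i, j \in \mathcal{N}} \sum_{k \neq i, k \in \mathcal{N}} \frac{1}{R^i_{ii}} R^i_{ij} R^i_{ik} u^{c_i}_j u^{c_i}_k - \frac{1}{2 R^i_{ii}} (r_i)^2 \\ &\quad - \sum_{k \neq i, k \in \mathcal{N}} \left( \sum_{j \neq i, j \in \mathcal{N}} u^{c_i}_j R^i_{ij} \right) \frac{1}{R^i_{ii}} R^i_{ik} u_k - \sum_{k \neq i, k \in \mathcal{N}} \frac{1}{R^i_{ii}} r_i R^i_{ik} u_k. \end{aligned}$$

Incorporating the cognition vector $m^i$ into the real cost of player $i$ further yields

$$\begin{aligned} J^i(BR^i(u^{c_i}_{-i}), u_{-i}) &= \frac{1}{2} \sum_{j \neq i, j \in \mathcal{N}} \sum_{k \neq i, k \in \mathcal{N}} m^i_j \frac{1}{R^i_{ii}} R^i_{ij} R^i_{ik} m^i_k u_j u_k - \frac{1}{2 R^i_{ii}} (r_i)^2 \\ &\quad - \sum_{k \neq i, k \in \mathcal{N}} \sum_{j \neq i, j \in \mathcal{N}} m^i_j \frac{1}{R^i_{ii}} R^i_{ij} R^i_{ik} u_j u_k - \sum_{k \neq i, k \in \mathcal{N}} \frac{1}{R^i_{ii}} r_i R^i_{ik} u_k. \end{aligned} \tag{8}$$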

Recall that each user aims to minimize the security risk based on the risks he perceives. Thus, by considering the real cost induced by the bounded rationality constraint, the strategic cognitive network formation problem of player $i$ can be formulated as

$$\begin{aligned} m^{i*} &= \arg\min_{m^i_j,\, j \neq i,\, j \in \mathcal{N}} \; J^i(BR^i(u^{c_i}_{-i}), u_{-i}) + \alpha_i \|m^i\|_1 \\ &= \arg\min_{m^i_j,\, j \neq i,\, j \in \mathcal{N}} \; \frac{1}{2} \sum_{j \neq i, j \in \mathcal{N}} \sum_{k \neq i, k \in \mathcal{N}} \frac{1}{R^i_{ii}} R^i_{ij} R^i_{ik} u_j u_k m^i_j m^i_k - \sum_{j \neq i, j \in \mathcal{N}} \sum_{k \neq i, k \in \mathcal{N}} \frac{1}{R^i_{ii}} R^i_{ij} R^i_{ik} u_k u_j m^i_j + \alpha_i \|m^i\|_1 \\ &= \arg\min_{m^i_j,\, j \neq i,\, j \in \mathcal{N}} \; \frac{1}{2} {m^i}^T \Lambda^i m^i - e^T_{N-1} \Lambda^i m^i + \alpha_i \|m^i\|_1, \end{aligned}$$

where $\Lambda^i := [\Lambda^i_{jk}]_{j \neq i, k \neq i, j \in \mathcal{N}, k \in \mathcal{N}}$, $\Lambda^i_{jk} = \frac{1}{R^i_{ii}} R^i_{ij} R^i_{ik} u_j u_k$, $e_{N-1}$ is an $(N-1)$-dimensional column vector with all one entries, and $\alpha_i$ is a weighting factor capturing the unit cost of cognition of player $i$ and it can be tuned to match with experimental data. The term $\|m^i\|_1$ is a convex relaxed version of $\|m^i\|_0$ which approximately maintains the sparse property of player $i$’s cognitive network [26], [27]. The integrated term $\alpha_i \|m^i\|_1$ can be interpreted as the cognitive cost of user $i$.

Therefore, for player $i$, we need to solve the following constrained optimization problem:

$$\begin{aligned} \min_{m^i_j,\, j \neq i,\, j \in \mathcal{N}} \quad & \frac{1}{2} {m^i}^T \Lambda^i m^i - e^T_{N-1} \Lambda^i m^i + \alpha_i \|m^i\|_1 \\ \text{s.t.} \quad & 0 \leq m^i_j \leq 1, \; j \neq i, \; j \in \mathcal{N}, \quad \text{(Risk perception)}, \end{aligned} \tag{9}$$

where the constraints $m^i_j \in [0, 1]$, $\forall j \neq i$, indicate the risk perception behavior of user $i$.

The number of cognitive links that player $i$ can form is generally a positive integer, i.e., $\|m^i\|_1 = \beta_i \in \mathbb{N}_+$. Note that $\beta_i$ here and $\alpha_i$ in (9) have the same interpretation which both quantify the cognition ability of player $i$. Then, by choosing $\alpha_i$ strategically, the problem in (9) is equivalent to the following problem:

$$\begin{aligned} \min_{m^i_j,\, j \neq i,\, j \in \mathcal{N}} \quad & \frac{1}{2} {m^i}^T \Lambda^i m^i - e^T_{N-1} \Lambda^i m^i \\ \text{s.t.} \quad & 0 \leq m^i_j \leq 1, \; j \neq i, \; j \in \mathcal{N}, \quad \text{(Risk perception)}, \\ & \|m^i\|_1 = \beta_i, \quad \text{(Limited attention)}, \end{aligned} \tag{10}$$

where $\beta_i \in \mathbb{N}_+$, $\beta_i \leq N - 1$, is the total number of links that player $i$ can form in his cognitive network, quantifying his limited attention. Simulation studies in Section V reflect that considering $\|m^i\|_1 = \beta_i$ yields sparser cognitive networks. Note that we still solve (9) by selecting a proper $\alpha_i$ which makes (9) and (10) equivalent.

Fig. 2. IoT user and cognitive network-of-networks. Users make strategic security management decisions in the IoT network as well as determine their cognitive networks. The security management game in layer $G_2$ and the cognitive network formation game in layer $G_1$ are interdependent which create a games-of-games framework.

D. Gestalt Nash Equilibrium

The formulated security management under bounded rationality problem boasts a games-of-games structure. The users make decisions strategically in the IoT network as well as form their cognitive networks selfishly. The security management game and cognitive network formation game are interdependent. Therefore, the cognitive and IoT user layers shown in Fig. 2 constitute a network-of-networks framework. In this paper, we aim to design an integrated algorithm to design the cognitive networks and determine the security risk management decisions of users in a holistic manner.

To this end, we present the solution concept, Gestalt Nash equilibrium, of the bounded rational security risk management game as follows.

Definition 3 (Gestalt Nash Equilibrium): The Gestalt Nash equilibrium (GNE) of the security risk management game under bounded rationality is a profile $(m^{i*}, u_i^*)$, $\forall i \in \mathcal{N}$, that satisfies

$$\tilde{J}^i(u_i^*, u^*_{-i}, m^{i*}) \leq \tilde{J}^i(u_i, u^*_{-i}, m^i), \quad \forall u_i \in \mathcal{U}_i, \; \forall m^i \in [0, 1]^{N-1}.$$

At the GNE, all the players in the network do not change their action $u_i$ and cognition vector $m^i$, $\forall i \in \mathcal{N}$, simultaneously.

Remark: The strategic security management profile $u^* = [u_i^*]_{i \in \mathcal{N}}$ at GNE is also a BRNE.

In the following, we aim to analyze the GNE of the game and compute it by designing algorithms.

III. PROBLEM ANALYSIS

We first analyze the convergence of the bounded rational best-response dynamics of players in Section II-B. Then, we quantify the risk of bounded perception due to limited attention of players. We further reformulate the cognitive network formation problem presented in Section II-C.

A. Bounded Rational Best Response Dynamics

Based on Section II-B, the bounded rational best-response dynamics of player $i$ under cognitive network $m^i$, $i \in \mathcal{N}$, can be written as

$$u_{i,k+1} = BR^i(u^{c_i}_{-i,k}) = \frac{1}{R^i_{ii}} \left( \sum_{j \neq i, j \in \mathcal{N}} R^i_{ij} u^{c_i}_{j,k} + r_i \right), \tag{11}$$

where $u^{c_i}_{j,k} = m^i_j u_{j,k}$ and $k$ denotes the iteration index. Then, we obtain the following convergence result of security management strategy updates of users under given cognition networks.

Lemma 1: Under Assumption 1, the sparse best-response dynamics (11) for all players converge to a unique BRNE.

Proof: In the sparse cognition networks, $R^i_{ii} > \sum_{j \neq i, j \in \mathcal{N}} m^i_j R^i_{ij}$, $\forall i \in \mathcal{N}$, since $m^i_j \in [0, 1]$. Then, $R^s$ defined in (6) is strictly diagonally dominant by rows, and $u$ admits a unique solution. In addition, both Gauss-Seidel and Jacobi types of best-response dynamics (11) converge [28].

Note that Assumption 1 is a sufficient condition. In some cases, the best-response dynamics (11) may still converge when Assumption 1 does not hold. We focus on the scenarios under Assumption 1 in this paper which exhibit a natural security dependence interpretation.

B. Risk of Bounded Perception

When making security strategies in the IoT, the risk of bounded perception (RBP) of users due to irrationality/limited attention is defined as follows.

Definition 4 (RBP): With the cognition vector $m^i$, the RBP of player $i$, $i \in \mathcal{N}$, is defined as

$$L^i(m^i, u_{-i}) = J^i(BR^i(u^{c_i}_{-i}), u_{-i}) - J^i(BR^i(u_{-i}), u_{-i}), \tag{12}$$

where $L^i : \mathcal{M}^i \times \mathcal{U}_{-i} \to \mathbb{R}$.

Note that RBP is defined over the real-world cost functions (2), quantifying the security loss of the users due to limited attention. We further present the following lemma.

Lemma 2: Under the bounded rational model, each user in the network has a degraded security level comparing with the one obtained from the model containing fully rational users. The RBP of player $i$, $i \in \mathcal{N}$, with bounded rationality is

$$L^i(m^i, u_{-i}) = \frac{1}{2} \sum_{j \neq i, j \in \mathcal{N}} \sum_{k \neq i, k \in \mathcal{N}} (1 - m^i_j)(1 - m^i_k) \times \frac{1}{R^i_{ii}} R^i_{ij} R^i_{ik} u_j u_k.$$

Proof: See Appendix VI.

Remark: Note that the RBP of each player is nonnegative from Lemma 2, since the coefficients and security investments are nonnegative and the cognition variable admits a value between 0 and 1. Intuitively, if player $i$ is able to perceive all the cyber risks in the network, i.e., $m^i_j = 1$, $\forall j \neq i$, $j \in \mathcal{N}$, then the RBP is $L^i(m^i, u_{-i}) = 0$. In this scenario, the bounded rational model degenerates to the fully rational one. This indicates that, with more observations, the IoT users can design security management strategies better to lower their security risks. This fact also leads to the conclusion that more information (better cognitive ability) is beneficial for the users in our security management game. The result in Lemma 2 is further illustrated and corroborated through case studies in Section V.
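The following added example (not code from the paper) runs the best-response dynamics (11) on a constructed four-household network, checks the fixed point against the FOC system (6), and compares the closed form of Lemma 2 with Definition 4. The matrices `R` and `M`, the vector `r` and all function names are assumptions made for illustration.

```python
# Added illustration, not the authors' code. R[i][j] stands for R^i_{ij},
# M[i][j] for the attention weight m^i_j; all numbers are constructed.

R = [  # risk-dependence network, R^i_{ii} on the diagonal (Assumption 1 holds)
    [4.0, 1.0, 0.5, 1.5],
    [0.8, 3.0, 1.0, 0.7],
    [0.5, 0.5, 2.5, 1.0],
    [1.2, 0.3, 0.9, 3.5],
]
r = [1.0, 2.0, 1.5, 1.0]  # payoff coefficients r_i of risk reduction
M = [  # sparse cognition vectors m^i; diagonal entries are unused
    [0.0, 1.0, 0.0, 0.6],
    [0.0, 0.0, 1.0, 0.0],
    [0.0, 0.0, 0.0, 1.0],
    [1.0, 0.0, 0.0, 0.0],
]
FULL = [[1.0] * 4 for _ in range(4)]  # fully rational players: m^i_j = 1


def others(i, n):
    """Indices j != i."""
    return [j for j in range(n) if j != i]


def satisfies_assumption_1(R):
    """R^i_{ii} > sum_{j != i} R^i_{ij} for every player i."""
    n = len(R)
    return all(R[i][i] > sum(R[i][j] for j in others(i, n)) for i in range(n))


def best_response(i, u, R, r, M):
    """Equation (7): player i reacts to the perceived actions m^i_j * u_j."""
    perceived = sum(R[i][j] * M[i][j] * u[j] for j in others(i, len(u)))
    return (perceived + r[i]) / R[i][i]


def brne(R, r, M, tol=1e-12, max_iter=10_000):
    """Jacobi-type iteration of (11); returns (equilibrium profile, steps)."""
    u = [0.0] * len(r)
    for k in range(1, max_iter + 1):
        nxt = [best_response(i, u, R, r, M) for i in range(len(r))]
        if max(abs(a - b) for a, b in zip(nxt, u)) < tol:
            return nxt, k
        u = nxt
    raise RuntimeError("best-response dynamics did not converge")


def foc_residual(u, R, r, M):
    """Largest row residual of the linear system R^s u = r in (6)."""
    n = len(u)
    return max(
        abs(R[i][i] * u[i] - r[i]
            - sum(M[i][j] * R[i][j] * u[j] for j in others(i, n)))
        for i in range(n)
    )


def real_cost(i, ui, u, R, r):
    """Equation (2): true cost, evaluated at the neighbours' real actions."""
    coupling = sum(R[i][j] * ui * u[j] for j in others(i, len(u)))
    return 0.5 * R[i][i] * ui ** 2 - r[i] * ui - coupling


def rbp_definition(i, u, R, r, M):
    """Definition 4, equation (12): cost gap between the bounded rational
    and the fully rational best response to the same u_{-i}."""
    bounded = best_response(i, u, R, r, M)
    rational = best_response(i, u, R, r, FULL)
    return real_cost(i, bounded, u, R, r) - real_cost(i, rational, u, R, r)


def rbp_closed_form(i, u, R, M):
    """Lemma 2. The double sum over j and k factorises into the square of
    sum_j (1 - m^i_j) R^i_{ij} u_j, divided by 2 R^i_{ii}."""
    gap = sum((1.0 - M[i][j]) * R[i][j] * u[j] for j in others(i, len(u)))
    return gap * gap / (2.0 * R[i][i])


if __name__ == "__main__":
    u, steps = brne(R, r, M)
    print("BRNE after", steps, "steps:", [round(x, 4) for x in u])
    for i in range(len(u)):
        print("player", i, "RBP:", round(rbp_closed_form(i, u, R, M), 6))
```

Players that ignore neighbours with large $R^i_{ij} u_j$ show the largest RBP, which is the quantity the cognitive network formation problem trades off against the cognition cost.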

C. Problem Reformulation

We can rewrite the constrained optimization program (9) as

$$\min_{m^i_j,\, j \neq i,\, j \in \mathcal{N}} \; Q^i(m^i) := \frac{1}{2} {m^i}^T \Lambda^i m^i - e^T_{N-1} \Lambda^i m^i + \alpha_i \|m^i\|_1 + \iota_C(m^i), \tag{13}$$

where $Q^i : [0, 1]^{N-1} \to \mathbb{R} \cup \{+\infty\}$, $C := \{m^i \mid 0 \leq m^i_j \leq 1, j \neq i, j \in \mathcal{N}\}$, and $\iota_C$ is an indicator function, i.e.,

$$\iota_C(x) = \begin{cases} 0, & \text{if } x \in C, \\ +\infty, & \text{otherwise}. \end{cases} \tag{14}$$

For convenience, we decompose the function $Q^i$ into three parts and define

$$\begin{aligned} f_1^i(m^i) &= \frac{1}{2} {m^i}^T \Lambda^i m^i - e^T_{N-1} \Lambda^i m^i, && \text{(Security loss)}, \\ f_2^i(m^i) &= \alpha_i \|m^i\|_1, && \text{(Cognition cost)}, \\ f_3^i(m^i) &= \iota_C(m^i), && \text{(Feasible risk perception)}, \end{aligned} \tag{15}$$

where $f_1^i : \mathbb{R}^{N-1} \to \mathbb{R}$, $f_2^i : \mathbb{R}^{N-1} \to [0, +\infty)$ and $f_3^i : \mathbb{R}^{N-1} \to \{0, +\infty\}$. Specifically, for user $i \in \mathcal{N}$, $f_1^i$ quantifies a modified security loss; $f_2^i$ captures the cognition cost; and $f_3^i$ ensures a feasible risk perception over the IoT.

The optimization problem (13) is quite challenging to solve. First, note that the convexity of $f_1^i$ depends on the characteristics of matrix $\Lambda^i$. Specifically, when $\Lambda^i$ is positive definite, then $f_1^i$ is convex in $m^i$. When $\Lambda^i$ is not definite, then solving the quadratic program is an NP hard problem. Second, the $l_1$ norm-based function $f_2^i$ and the indicator function $f_3^i$ are nonsmooth and not differentiable, though they are convex. The traditional gradient-based optimization tools are not sufficient to deal with this type of optimization problem in (13) [29]. To this end, we aim to design a proximal algorithm to solve this problem.

IV. COMPUTING GNE VIA ALGORITHM DESIGN

In this section, our goal is to design an algorithm to solve problem (13). We further characterize the closed form solutions for a special case with homogeneous agents for comparison during case studies in Section V. In addition, we present an integrated algorithm that computes the GNE of the bounded rational security management game.

A. Basics of Proximal Operator

To address (13), we leverage the tools from proximal operator theory. We first present the definition of proximal operator as follows.

Definition 5 (Proximal Operator [30]): Let $g \in \Gamma_0$, where $\Gamma_0$ denotes the set of proper lower semicontinuous convex functions. The proximal mapping associated to $g$ is defined as

$$\mathrm{prox}_{\lambda g}(x) = \arg\min_{l}\ g(l) + \frac{1}{2\lambda}\|l - x\|^2. \tag{16}$$

Note that the proximal mapping is unique, since the optimization problem in (16) is convex. Specifically, for function $f^i_2$ in (15), we have

$$\left[\mathrm{prox}_{\lambda f^i_2}(x)\right]_j = \begin{cases} x_j - \lambda\alpha_i, & x_j \ge \lambda\alpha_i, \\ 0, & |x_j| < \lambda\alpha_i, \\ x_j + \lambda\alpha_i, & x_j \le -\lambda\alpha_i, \end{cases}$$

for $j \ne i$, $j \in \mathcal{N}$, which can be put in a compact form as [31]

$$\mathrm{prox}_{\lambda f^i_2}(x) = (x - \lambda\alpha_i e_{N-1})_+ - (-x - \lambda\alpha_i e_{N-1})_+. \tag{17}$$

In addition, $\mathrm{prox}_{\lambda f^i_3}(x) = \mathrm{proj}_C(x)$, $C = [0, 1]^{N-1}$, which is equivalent to

$$\left[\mathrm{prox}_{\lambda f^i_3}(x)\right]_j = \left[\mathrm{proj}_C(x)\right]_j = \begin{cases} 1, & \text{if } x_j > 1, \\ x_j, & \text{if } 0 \le x_j \le 1, \\ 0, & \text{if } x_j < 0, \end{cases}$$

where “proj” denotes the projection operator.

The following lemma characterizes the aggregated proximal operator of functions $f^i_2$ and $f^i_3$, which is useful in designing the proximal algorithm.

Lemma 3: Functions $f^i_2$ and $f^i_3$ defined in (15), $\forall i \in \mathcal{N}$, satisfy the property: $\mathrm{prox}_{\lambda(f^i_2 + f^i_3)} = \mathrm{proj}_C \circ \mathrm{prox}_{\lambda f^i_2}$.

Proof: We prove the single-dimensional case, i.e., $C = [0, 1]$, and the analysis can be generalized to higher-dimensional cases. By definition, we obtain

$$\begin{aligned}
\mathrm{prox}_{\lambda(f^i_2 + f^i_3)}(x) &= \arg\min_{l}\ f^i_2(l) + f^i_3(l) + \frac{1}{2\lambda}\|l - x\|^2 \\
&= \arg\min_{l \in C}\ f^i_2(l) + \frac{1}{2\lambda}\|l - x\|^2.
\end{aligned}$$

Let $l^* = \arg_l \left( \frac{\partial \left( f^i_2(l) + \frac{1}{2\lambda}\|l - x\|^2 \right)}{\partial x} = 0 \right) = \mathrm{prox}_{\lambda f^i_2}(x)$. In addition, the function $f^i_2(l) + \frac{1}{2\lambda}\|l - x\|^2$ is decreasing in $l < l^*$ and increasing in $l \ge l^*$. Recall that $C = [0, 1]$ is a closed set. Hence, when $0 \le l^* \le 1$, $\mathrm{prox}_{\lambda(f^i_2 + f^i_3)}(x) = l^*$; when $l < l^*$, $\mathrm{prox}_{\lambda(f^i_2 + f^i_3)}(x) = 0$; and when $l > l^*$, $\mathrm{prox}_{\lambda(f^i_2 + f^i_3)}(x) = 1$. In all three cases, we obtain $\mathrm{prox}_{\lambda(f^i_2 + f^i_3)}(x) = \mathrm{proj}_C(l^*) = \mathrm{proj}_C(\mathrm{prox}_{\lambda f^i_2}(x))$.

Lemma 3 indicates that we can deal with the convex terms of cognitive cost and feasible risk perception jointly. The security loss term $f^i_1$ is addressed in the ensuing section.

B. Design of Proximal Algorithm

Recall that $f^i_2$ and $f^i_3$, $\forall i \in \mathcal{N}$, are nonsmooth and not differentiable. To characterize the optimal cognition vector in $f^i_2$ and $f^i_3$, we first present the definition of the subdifferential of a function, which can be nonconvex and nonsmooth, as follows.

Definition 6 (Subdifferential [32]): Let $f : \mathbb{R}^n \to \mathbb{R}$ be a proper and lower semicontinuous function.

1) The domain of $f$ is denoted by $\mathrm{dom}\, f := \{x \in \mathbb{R}^n : f(x) < +\infty\}$.

2) For $x \in \mathrm{dom}\, f$, the Fréchet subdifferential of $f$ at $x$ is the set of vectors $p \in \mathbb{R}^n$, denoted by $\hat{\partial} f(x)$, that satisfy

$$\liminf_{y \ne x,\ y \to x} \frac{1}{\|y - x\|}\left[ f(y) - f(x) - \langle p, y - x \rangle \right] \ge 0.$$

3) The limiting-subdifferential (or subdifferential) of $f$ at $x \in \mathrm{dom}\, f$, denoted by $\partial f(x)$, is defined by

$$\partial f(x) := \left\{ p \in \mathbb{R}^n : \exists x_n \to x,\ f(x_n) \to f(x),\ p_k \in \hat{\partial} f(x_n) \to p \right\}.$$

Remark: Based on the subdifferential, a necessary condition for $x \in \mathbb{R}^n$ being a minimizer of $f$ is

$$\partial f(x) \ni 0. \tag{18}$$

Note that the points satisfying (18) are called critical points of $f$. Our goal is to find a critical point $\bar{m}^i \in \mathrm{dom}\, Q^i$ that can be characterized by the necessary FOC: $0 \in \partial Q^i(\bar{m}^i)$.

Note that $f^i_1$ is continuously differentiable with Lipschitz continuous gradient, i.e.,

$$\|\nabla f^i_1(x) - \nabla f^i_1(y)\| \le L^i \|x - y\|, \quad \forall x, y \in \mathbb{R}^{N-1},$$

where $L^i$ is the Lipschitz constant of $f^i_1$. Specifically, $\nabla f^i_1(m^i) = \Lambda^i m^i - \Lambda^i e_{N-1}$, which further yields

$$\|\nabla f^i_1(x) - \nabla f^i_1(y)\| = \|\Lambda^i (x - y)\| \le L^i \|x - y\|, \quad \forall x, y \in \mathbb{R}^{N-1}. \tag{19}$$

The main steps in solving (13) for a general $\Lambda^i$ of user $i$ are designed as follows:

$$y^i_k = x^i_k + \frac{t^i_{k-1}}{t^i_k}(z^i_k - x^i_k) + \frac{t^i_{k-1} - 1}{t^i_k}(x^i_k - x^i_{k-1}), \tag{20}$$

$$z^i_{k+1} = \mathrm{proj}_C\left( \mathrm{prox}_{\lambda^i_y f^i_2}\left( y^i_k - \lambda^i_y \nabla f^i_1(y^i_k) \right) \right), \tag{21}$$

$$v^i_{k+1} = \mathrm{proj}_C\left( \mathrm{prox}_{\lambda^i_x f^i_2}\left( x^i_k - \lambda^i_x \nabla f^i_1(x^i_k) \right) \right), \tag{22}$$

$$t^i_{k+1} = \left( 1 + \sqrt{4 (t^i_k)^2 + 1} \right) / 2, \tag{23}$$

$$x^i_{k+1} = \begin{cases} z^i_{k+1}, & \text{if } Q^i(z^i_{k+1}) \le Q^i(v^i_{k+1}), \\ v^i_{k+1}, & \text{otherwise,} \end{cases} \tag{24}$$

where the step constants $\lambda^i_x$ and $\lambda^i_y$ satisfy $0 < \lambda^i_x < 1/L^i$ and $0 < \lambda^i_y < 1/L^i$, respectively. If the algorithm converges, the values of $x^i_k$, $y^i_k$, $z^i_k$ and $v^i_k$ are the same, which give the optimal cognition vector $m^i$.

Remark: Note that (22) serves as a monitor of the update in (21). Together with the condition in (24), each player updates their cognitive network when there is a sufficient decrease of the security management cost.

Before presenting the convergence results of the algorithm (20)-(24), we first characterize a critical property of function $Q^i(m^i)$ defined in (13).

Definition 7 (Kurdyka-Łojasiewicz (KL) Property [33]): A function $f : \mathbb{R}^n \to (-\infty, +\infty]$ has the KL property at $x^* \in \mathrm{dom}\, \partial f := \{x \in \mathbb{R}^n : \partial f(x) \ne \emptyset\}$ if there exists $\eta \in (0, +\infty]$, a neighborhood $U$ of $x^*$, and a desingularising function $\phi \in \Phi_\eta$, such that $\forall x \in U \cap \{x \in \mathbb{R}^n : f(x^*) < f(x) < f(x^*) + \eta\}$, the following KL inequality holds,

$$\phi'(f(x) - f(x^*))\,\mathrm{dist}(0, \partial f(x)) \ge 1, \tag{25}$$

where $\Phi_\eta$ includes a class of function $\phi : [0, \eta) \to \mathbb{R}_+$ satisfying: (1) $\phi$ is concave and $\phi \in C^1((0, \eta))$; (2) $\phi$ is continuous at 0 with $\phi(0) = 0$; and (3) $\phi'(x) > 0$, $\forall x \in (0, \eta)$. In addition, $\mathrm{dist}(0, \partial f(x)) := \inf\{\|z\| : z \in \partial f(x)\}$.

Note that a proper lower semicontinuous function $f$ having the KL property at each point of $\mathrm{dom}\, \partial f$ is called a KL function. KL inequality (25) ensures that, by choosing a proper desingularising function $\phi$, we can reparameterize the values of function $f$ near its critical points to avoid flatness. Thus, $\phi$ has an impact on the convergence rate of the designed algorithm, which will be presented in Theorem 1. The KL property is general in functions. Notably, the semi-algebraic functions satisfy the KL property [33]. Some examples include real polynomial functions, indicator functions of semi-algebraic sets and $\|\cdot\|_p$ with $p \ge 0$. Furthermore, the semi-algebraic property is preserved under composition, finite sums and products of semi-algebraic functions [34].

Lemma 4: Functions $f^i_1$, $f^i_2$ and $f^i_3$ in (15) satisfy the KL property, and thus $Q^i$ in (13) is a KL function. In addition, the desingularising function $\phi(u)$ can be chosen as $\phi(u) = \frac{\kappa}{\theta} u^{\theta}$ for some $\theta \in (0, \frac{1}{2}]$ and $\kappa > 0$.

Proof: We know that $f^i_1$, $f^i_2$ and $f^i_3$ are semi-algebraic functions, and thus $Q^i$ satisfies the KL property [33]. Recall that when $m^i \notin C := \{m^i \mid 0 \le m^i_j \le 1,\ j \ne i,\ j \in \mathcal{N}\}$, $Q^i(m^i) \to +\infty$. Based on Definition 6, we obtain $\mathrm{dom}\, \partial Q^i = C$. Therefore, $Q^i(m^i)$ is analytic over $\mathrm{dom}\, \partial Q^i$. In addition, the desingularising function of real-analytic functions satisfying inequality (25) can be chosen as $\phi(u) = u^{1-\delta}$, where $\delta \in [\frac{1}{2}, 1)$ [34].

Based on Lemma 4, we present the convergence result of the designed algorithm (20)-(24) in Theorem 1.

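Theorem 1: The algorithm given by (20)-(24) converges to a critical point with rates related to the parameters $\kappa$ and $\theta$, where $\kappa$ and $\theta$ are defined in Lemma 4. Specifically, there exists a $k_0$ such that $\forall k > k_0$,

$$Q^i(x_k) - Q_i^* \le \left( \frac{\kappa}{(k - k_0)(1 - 2\theta) d_2} \right)^{\frac{1}{1 - 2\theta}},$$

where $Q_i^*$ is the function value achieved at critical points of $\{x_k\}$, $d_2 = \min\left\{ \frac{1}{2 d_1 \kappa},\ \sigma (Q^i(v_0) - Q_i^*)^{2\theta - 1} \right\}$, $d_1 = 2\alpha\left(\frac{1}{\lambda_x} + L\right)^2 / (1 - 2\alpha)$, and $\sigma = \frac{\kappa}{1 - 2\theta}\left( 2^{\frac{2\theta - 1}{2\theta - 2}} - 1 \right)$.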

Proof: See Appendix B.

For a special case where $f^i_1$ is convex, the following simplified steps (26)-(29) can be adopted to accelerate the computation. The monitoring update step $v_{k+1}$ is omitted due to the convexity of $f^i_1$. This algorithm is slightly different from the one in [35] in terms of the projection step. Since $Q^i$ is convex, algorithm (26)-(29) converges to a unique optimal solution.

$$y^i_k = x^i_k + \frac{t^i_{k-1}}{t^i_k}(z^i_k - x^i_k) + \frac{t^i_{k-1} - 1}{t^i_k}(x^i_k - x^i_{k-1}), \tag{26}$$

$$z^i_{k+1} = \mathrm{proj}_C\left( \mathrm{prox}_{\lambda^i_y f^i_2}\left( y^i_k - \lambda^i_y \nabla f^i_1(y^i_k) \right) \right), \tag{27}$$

$$t^i_{k+1} = \left( 1 + \sqrt{4 (t^i_k)^2 + 1} \right) / 2, \tag{28}$$

$$x^i_{k+1} = \begin{cases} z^i_{k+1}, & \text{if } Q^i(z^i_{k+1}) \le Q^i(x^i_k), \\ x^i_k, & \text{otherwise.} \end{cases} \tag{29}$$

Similar to (20)-(24), when the algorithm (26)-(29) converges, the values of $x^i_k$, $y^i_k$ and $z^i_k$ are the same, which give the optimal cognition vector $m^i$.

Algorithm 1 Cognitive Network Formation for Player $i$

1) Input $f^i_1$, $f^i_2$ and $C = [0, 1]^{N-1}$
2) Initialize parameters $z^i_0$, $x^i_0$, $x^i_1$, $t^i_0$, $t^i_1$, $\lambda^i_x$ and $\lambda^i_y$
3) for $k = 1, 2, \ldots$ do
4)     if $f^i_1$ is convex
5)         Update $y^i_k$, $z^i_{k+1}$, $v^i_{k+1}$, $t^i_{k+1}$ and $x^i_{k+1}$ through (26)-(29)
6)     else
7)         Update $y^i_k$, $z^i_{k+1}$, $v^i_{k+1}$, $t^i_{k+1}$ and $x^i_{k+1}$ through (20)-(24)
8)     end
9) end for
10) Return $m^i = x^i_k$

Homogeneous Users Case: When the agents in the IoT network are homogeneous, i.e., $R^i_{ii} = R^j_{jj}$, $R^i_{ij} = R^j_{ji}$, $r_i = r_j = r$, $\beta_i = \beta_j = \beta \le N - 1$, $\forall i, j \in \mathcal{N}$, we can characterize the closed form solutions of decisions $u_i$ and $m^i$, $\forall i \in \mathcal{N}$. Specifically, we obtain, $\forall i \in \mathcal{N}$,

$$m^{i*}_j = \frac{\beta}{N - 1},\ \forall j \ne i,\ j \in \mathcal{N}, \qquad u_i^* = \frac{r}{R_1 - \beta R_2}, \tag{30}$$

where $R_1 = R^i_{ii}$ and $R_2 = R^i_{jk}$ for $j \ne i$ and $k \ne i$. The results indicate that, at GNE, the cognitive network that each user $i$ forms, $i \in \mathcal{N}$, is symmetric, i.e., the attention allocated by user $i$ to each other user $j \ne i$ is the same. In addition, with a larger $\beta$, the users spend more effort on the security management at GNE. This can be interpreted as follows: with a better perception of cyber risks in the IoT, the users become better informed of the risks and make their best effort to reduce the security loss.

C. Integrated Algorithm and Discussions

For clarity, we summarize the combined algorithm, including the strategic security decision-makings of players in the IoT networks and their corresponding cognitive network formations, in Algorithm 2. The integrated algorithm exhibits an alternating pattern between the best-response of security management and the strategic cognitive network formation of IoT users.

Algorithm 2 Strategic Risk Management with Bounded Rationality

1) Initialize parameters in the game G, cognition cost $\alpha_i$, cognitive networks $m^i$, $\forall i \in \mathcal{N}$
2) Do
       Best response dynamics:
3)     Based on $m^i$, $i \in \mathcal{N}$, player $i$ determines their best-response strategy through (11) iteratively until reaching a BRNE
       Cognitive network formation:
4)     Each player $i$, $i \in \mathcal{N}$, forms their cognitive network $m^i$ through Algorithm 1
5) Until $[m^i]_{i \in \mathcal{N}}$ and $[u_i]_{i \in \mathcal{N}}$ converge
6) Return $m^i$ and $u_i$, $\forall i \in \mathcal{N}$, which form a GNE

We next discuss some observations obtained from the algorithm. The steps $z^i_{k+1}$ and $v^i_{k+1}$ in (21) and (22) of the algorithm can be simplified further. Here, we only analyze $z^i_{k+1}$, and the procedure follows for $v^i_{k+1}$. First, we have $\nabla f^i_1(y^i_k) = \Lambda^i (y^i_k - e_{N-1})$. Then, $[y^i_k - \lambda^i_y \nabla f^i_1(y^i_k)]_j = [y^i_k - \lambda^i_y \Lambda^i (y^i_k - e_{N-1})]_j \ge 0$, $\forall j \ne i$, $j \in \mathcal{N}$. Thus, based on (17), we obtain

$$\begin{aligned}
z^i_{k+1} &= \mathrm{proj}_C\left( y^i_k - \lambda^i_y \Lambda^i (y^i_k - e_{N-1}) - \lambda^i_y \alpha_i e_{N-1} \right) \\
&= \mathrm{proj}_C\left( y^i_k + \lambda^i_y \left( \Lambda^i (e_{N-1} - y^i_k) - \alpha_i e_{N-1} \right) \right).
\end{aligned}$$

The update of player $i$’s attention on player $j$ at step $k + 1$, $j \ne i$, can be expressed as

$$[z^i_{k+1}]_j = \mathrm{proj}_{[0,1]}\left( [y^i_k]_j + \lambda^i_y \left( \frac{R^i_{ij}}{R^i_{ii}} u_j \sum_{p \ne i,\, p \in \mathcal{N}} R^i_{ip} u_p \left( 1 - [y^i_k]_p \right) - \alpha_i \right) \right).$$

When $\frac{R^i_{ij}}{R^i_{ii}} u_j \sum_{p \ne i,\, p \in \mathcal{N}} R^i_{ip} u_p \left( 1 - [y^i_k]_p \right) \ge \alpha_i$, which is equivalent to

$$\sum_{p \ne i,\, p \in \mathcal{N}} R^i_{ip} u_p [y^i_k]_p \le \sum_{p \ne i,\, p \in \mathcal{N}} R^i_{ip} u_p - \frac{R^i_{ii}}{R^i_{ij} u_j} \alpha_i,$$

we know that $[z^i_{k+1}]_j \ge [z^i_k]_j$. Player $i$’s attention on player $j$ increases at step $k + 1$, since there remain extra cognition resources to be allocated, which corresponds to a phenomenon called filling the inattention. In addition, a smaller cognition cost $\alpha_i$ yields a larger upper bound for $\sum_{p \ne i,\, p \in \mathcal{N}} R^i_{ip} u_p [y^i_k]_p$, and hence player $i$ can pay more attention to other players, which again leads to the observation of filling the inattention.

In the IoT network, user $j$’s decision has an impact on the strategy of user $i$. To illustrate the discovery, we consider two groups of IoT users, where one group of users has more incentive to secure the devices, i.e., their security investment is larger. Then, from user $i$’s perspective, his attention on user $j$ is influenced by the term $R^i_{ii} / (R^i_{ij} u_j)$. When user $j$ lies in the group with a higher investment $u_j$, the upper bound $\sum_{p \ne i,\, p \in \mathcal{N}} R^i_{ip} u_p - \frac{R^i_{ii}}{R^i_{ij} u_j} \alpha_i$ is larger. Therefore, each IoT user will allocate more cognition resources to the users in the group with a higher security standard, which exposes the phenomenon of emergence of partisanship.

In a heterogeneous IoT network, the system parameters $R^i_{ij}$, $R^i_{ii}$, and decisions $u_i$ are generally different. Then, for player $i \in \mathcal{N}$, the term $\frac{R^i_{ij}}{R^i_{ii}} u_j \sum_{p \ne i,\, p \in \mathcal{N}} R^i_{ip} u_p$, $j \ne i$, $j \in \mathcal{N}$, identifies the most influential agents in the network. Moreover, the critical agents to pay attention to for each user almost overlap, resulting in the phenomenon of attraction of the mighty during the cognitive network formation.

We illustrate the discovered phenomena in Section V.
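The following Python sketch is an added example, not the authors' code: it runs the iteration (20)-(24) of Section IV-B on the two-group setting discussed in Section IV-C. It assumes the matrix in (13), called `Lam` here, has entries $R^i_{ij} u_j R^i_{ip} u_p / R^i_{ii}$, which is what the per-neighbour attention update above implies; the neighbour investments, $\alpha_i = 0.2$, the row-sum bound used in place of $L^i$, and all function names are constructed for the illustration.

```python
"""Cognitive network formation for one user i via iteration (20)-(24).

Added illustration, not the authors' code. `Lam`, the helper names, the
row-sum Lipschitz bound and all numeric values are assumptions of the example.
"""
from math import sqrt


def build_lam(R_ii, R_ij, u):
    # Lam[j][p] = R_ij[j]*u[j] * R_ij[p]*u[p] / R_ii, read off the per-neighbour
    # attention update in Section IV-C (rank one, so f1 is convex here).
    w = [r * v for r, v in zip(R_ij, u)]
    return [[wj * wp / R_ii for wp in w] for wj in w]


def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) for row in A]


def Q(Lam, alpha, m):
    # Objective (13) for m inside C: 1/2 m'Lam m - e'Lam m + alpha*||m||_1.
    Lm = matvec(Lam, m)
    quad = 0.5 * sum(a * b for a, b in zip(m, Lm))
    return quad - sum(Lm) + alpha * sum(abs(a) for a in m)


def prox_grad_step(Lam, alpha, lam, x):
    # proj_C(prox_{lam f2}(x - lam*grad f1(x))): gradient step on the security
    # loss, soft-threshold (17), then clip to [0, 1] (Lemma 3).
    grad = matvec(Lam, [xj - 1.0 for xj in x])
    out = []
    for xj, gj in zip(x, grad):
        s = xj - lam * gj
        s = max(s - lam * alpha, 0.0) - max(-s - lam * alpha, 0.0)
        out.append(min(1.0, max(0.0, s)))
    return out


def form_cognitive_network(Lam, alpha, m0, max_iter=5000, tol=1e-10):
    """Return (m, Q-history). Lam must be symmetric and nonzero, m0 inside C."""
    L_bound = max(sum(abs(a) for a in row) for row in Lam)  # >= spectral norm
    lam = 0.9 / L_bound                                     # 0 < lam < 1/L
    x_prev, x, z = list(m0), list(m0), list(m0)
    t_prev, t = 0.0, 1.0
    history = [Q(Lam, alpha, x)]
    for _ in range(max_iter):
        y = [xk + (t_prev / t) * (zk - xk) + ((t_prev - 1.0) / t) * (xk - xp)
             for xk, zk, xp in zip(x, z, x_prev)]                   # (20)
        z = prox_grad_step(Lam, alpha, lam, y)                      # (21)
        v = prox_grad_step(Lam, alpha, lam, x)                      # (22) monitor
        t_prev, t = t, (1.0 + sqrt(4.0 * t * t + 1.0)) / 2.0        # (23)
        residual = max(abs(a - b) for a, b in zip(v, x))
        x_prev = x
        x = z if Q(Lam, alpha, z) <= Q(Lam, alpha, v) else v        # (24)
        history.append(Q(Lam, alpha, x))
        if residual < tol:      # x_k is (numerically) a fixed point of (22)
            break
    return x, history


def demo():
    # Constructed data: user i sees six neighbours, three investing u = 2.0
    # and three investing u = 1.0, with R^i_ii = 20 and R^i_ij = 1.
    u = [2.0, 2.0, 2.0, 1.0, 1.0, 1.0]
    Lam = build_lam(20.0, [1.0] * 6, u)
    return form_cognitive_network(Lam, alpha=0.2, m0=[0.5] * 6)


if __name__ == "__main__":
    m, history = demo()
    print("cognition vector:", [round(v, 4) for v in m])
    print("iterations:", len(history) - 1)
```

On this constructed input the three high-investment neighbours receive full attention and the other three none, which is the pattern the text calls emergence of partisanship; the returned history shows the cost never increasing from one step to the next.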

V. CASE STUDIES

We use case studies of IoT-enabled smart communities shown in Fig. 1 to corroborate the designed algorithms and illustrate the security management of bounded rational agents in this section.

A. Effectiveness of Algorithm 1

First, we verify the effectiveness of Algorithm 1. Specifically, we choose $N = 10$, $\alpha = 100$ and generate a $9 \times 9$ random matrix which is not definite for $\Lambda^i$. Thus, $f^i_2$ in (15) is not convex. The iterative updates through the designed proximal algorithm are presented in Fig. 3, which reveal fast convergence to the steady state. In addition, the algorithm yields a sparse cognition vector $m = [1, 0, 0, 0, 0.41, 1, 0, 0.30, 0.26]$. To investigate the robustness of the algorithm, we study the same network as in Fig. 3(a) with different initial conditions. The results are shown in Figs. 3(b) and 3(c). We can verify that the steady states in Figs. 3(b) and 3(c) are the same as the ones in Fig. 3(a), which corroborates the robustness of the algorithm to initial conditions. To further verify the algorithm, we also investigate networks containing different numbers of agents. The results with 7 and 15 agents are presented in Figs. 3(d) and 3(e). Both results indicate that the designed algorithm is reliable in computing the sparse steady strategy. After conducting a sufficient number of case studies, we conclude that the algorithm is effective with probability 1 under an arbitrary number of agents.

Fig. 3. Performance of Algorithm 1 on a nonconvex $f^i_2$ in (15). (a), (d), and (e) show the results with 10, 7 and 15 agents in the network, respectively. The network configurations in (a), (b), and (c) are the same, but their initial conditions are different. The algorithm yields the same result for cases in (a), (b), and (c), which shows the robustness of the algorithm. (a) N = 10, case 1. (b) N = 10, case 2. (c) N = 10, case 3. (d) N = 7. (e) N = 15.

B. Homogeneous Smart Homes

In this case study, we consider $N = 10$ homogeneous households in the smart community, i.e., all the parameters are the same for each agent. Specifically, the parameters are chosen as follows: $R^i_{jk} = 20$ unit/k\$² if $j = k = i$, otherwise $R^i_{jk} = 1$ unit/k\$², $\forall i$; $r_i = 25$ unit/k\$, $\forall i \in \mathcal{N}$; and $\alpha_i = \alpha$, $\forall i$, is chosen to satisfy $\beta = \|m^i\|_1 = 3$. The selected parameters indicate that the security level of a household is mainly determined by its own security management policy rather than the ones of connected households. Recall that we have obtained the analytical solutions for the homogeneous case in (30), which yield $m^i_j = \frac{1}{3}$, $\forall j \ne i$, $j \in \mathcal{N}$, and $u_i = \frac{25}{17} = 1.47$ k\$. Thus, each agent allocates attention resource equally to their connected neighbors. Fig. 4 presents the results by using Algorithm 2, where the step index represents an iteration between two components of cognitive network formation and security investment. We can conclude that the rational decision yields less cost for players compared with their irrational decision counterparts due to the bounded rationality. Furthermore, the algorithm gives the same cognitive network structure as the one obtained from the analytical results, which corroborates the proposed integrated algorithm.

Fig. 4. (a) and (b) are the rational decision of players and the corresponding cost, respectively. (c) and (d) are the counterparts of (a) and (b) with bounded rationality. (e) illustrates the formed cognitive networks, which are symmetric in this homogeneous case.

C. Emergence of Partisanship

We next investigate a smart community including two groups of agents denoted by $G_1$ and $G_2$, respectively. Specifically, $G_1$ includes 5 agents, $G_1 = \{1, \ldots, 5\}$, and $G_2$ contains 10 agents, $G_2 = \{6, \ldots, 15\}$. The parameters are the same as those in Section V-B except that for agents in $G_1$, $r_i = 40$ unit/k\$, $\forall i \in G_1$, to distinguish the two groups of users. Thus, the agents in $G_1$ have more incentives to secure their IoT products than those in $G_2$. Fig. 5 shows the results. For agents in $G_1$, the cognitive network is characterized by $m^i = [0.75, \ldots, 0.75, 0, \ldots, 0]$, $i \in G_1$, and for agents in $G_2$, $m^j = [0.6, \ldots, 0.6, 0, \ldots, 0]$, $j \in G_2$. Therefore, with limited cognition, all agents only pay attention to the security decisions made by smart homes in $G_1$, which yields the phenomenon of partisanship. We also verify that the RBP increases due to the bounded rationality.

Fig. 5. (a) shows the bounded rational strategy of players, indicating that players in $G_1$ have a lower cost. (b) depicts the RBP, which corroborates that the security risk of users increases under the bounded rational model compared with the fully rational one. (c) and (d) illustrate the formed sparse cognitive networks. In (d), blue and green dots are agents in $G_1$ and $G_2$, respectively, and the red ones are representatives in each group. In the network, all agents only allocate cognition resource to smart homes in $G_1$ at GNE, leading to the emergence of partisanship.

D. Filling the Inattention

Under the setting of Section V-C, we further assume that the agents have better cognitive ability and can perceive more cyber risks in the smart community in a way that $\beta = \|m^i\|_1 = 8$. Other parameters are the same as those in Section V-C. Fig. 6 presents the results. Specifically, we obtain $m^i = [1, \ldots, 1, 0.4, \ldots, 0.4]$ for $i \in G_1$ and $m^j = [1, \ldots, 1, 0.33, \ldots, 0.33]$ for $j \in G_2$, which show that the agents in $G_1$ play a critical role in the security risk management of the smart community. Furthermore, with more cognition resource, the agents in $G_2$ that were not paid attention to previously in Section V-C are considered by other households. This phenomenon is termed filling the inattention.

Fig. 6. (a) shows the bounded rational decisions, and (b) presents the RBP, which is positive. (c) and (d) illustrate the formed cognitive networks. This case study indicates that players in $G_1$ are more critical than those in $G_2$ in the cognitive networks. In addition, cognition resource is further allocated to the users in $G_2$, which reveals the phenomenon of filling the inattention.

E. Attraction of the Mighty

The critical agents in the IoT-enabled smart community are those households whose security management policies will be taken into account by the other agents during their decision makings. Specifically, the nodes that often appear in the cognitive networks of other nodes can be regarded as critical agents. In the following case study, we aim to identify the critical agents in a smart community with $N = 10$ households using Algorithm 2. To model the heterogeneity of smart homes, we choose $R^i_{jk} = 3\sin(i) + 20$ unit/k\$² for $j = k = i$. Otherwise, $R^i_{jk} = 1$ unit/k\$², $\forall i$; $r_i = 15 + 2i$ unit/k\$ for $i \in \mathcal{N}$; and other parameters are the same as those in Section V-B. The results are shown in Fig. 7. Specifically, Fig. 7(e) shows the established cognitive network of each player. For example, during the cognitive network formation, player 1 chooses to observe the strategies of players 5, 9, and 10 in the network, and player 5’s cognitive network includes players 6, 9, and 10. Furthermore, agents 5, 9 and 10 are present in all agents’ cognitive networks, and hence they constitute a critical community in this smart home network. In addition, agent 6 also plays a critical role in agents 5, 9 and 10’s cognitive networks. Therefore, the behavior of agents paying attention to a specific set of households can be described by the attraction of the mighty. This case study demonstrates that Algorithm 2 is able to identify the critical components in the smart communities.

Fig. 7. In this heterogeneous case with 10 users, the formed cognitive network shown in (e) is sparse for each smart home. Note that the red rectangle in each subplot of (e) denotes the user that forms his cognitive network, with the lines standing for links. Under the bounded rational model, the algorithm can successfully detect the critical agents (attraction of the mighty) in the IoT network, which are the 5th, 9th and 10th users in this case. (a) Rational strategy. (b) Cost under rational strategy. (c) Bounded rational strategy. (d) RBP. (e) Cognitive network.

VI. CONCLUSION

In this paper, we have investigated the security management of users with limited attention over IoT networks through a two-layer framework. The proposed Gestalt Nash equilibrium (GNE) has successfully characterized the bilevel decision makings, including the security management policies and the cognitive network formations of users. Under the security interdependencies, users with a better cognition ability can reduce their cyber risks by making mature decisions. Furthermore, the designed proximal-based algorithm for the computation of GNE has revealed some phenomena that match well with real-life observations, including the emergence of partisanship and attraction of the mighty. Future work would extend the framework to incorporate hidden information of unperceived cyber risks of IoT users and design mechanisms to mitigate security loss. Another interesting research direction is to extend the current model to scenarios where a set of users are not fully strategic in minimizing their own risks, and to analyze the impact of this class of users’ misbehavior on the network security risk.

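APPENDIX A
PROOF OF LEMMA 2

Proof: Based on (8), we can compute the RBP of node $i$ as

$$\begin{aligned}
L^i(m^i, u_{-i}) &= J^i(BR^i(u^{c_i}_{-i}), u_{-i}) - J^i(BR^i(u_{-i}), u_{-i}) \\
&= \frac{1}{2} \sum_{j \ne i,\, j \in \mathcal{N}} \sum_{k \ne i,\, k \in \mathcal{N}} \frac{m^i_j}{R^i_{ii}} R^i_{ji} R^i_{ik} m^i_k u_j u_k - \frac{1}{2} \sum_{k \ne i,\, k \in \mathcal{N}} \sum_{j \ne i,\, j \in \mathcal{N}} \frac{m^i_j}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k \\
&\quad + \frac{1}{2} \sum_{j \ne i,\, j \in \mathcal{N}} \sum_{k \ne i,\, k \in \mathcal{N}} \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k - \frac{1}{2} \sum_{k \ne i,\, k \in \mathcal{N}} \sum_{j \ne i,\, j \in \mathcal{N}} \frac{m^i_j}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k.
\end{aligned}$$

Further, we can rewrite

$$\begin{aligned}
\sum_{j \ne i,\, j \in \mathcal{N}} \sum_{k \ne i,\, k \in \mathcal{N}} \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k &= \sum_{j \ne i,\, j \in \mathcal{N}} \sum_{k \ne i,\, k \in \mathcal{N}} m^i_j \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k \\
&\quad + \sum_{j \ne i,\, j \in \mathcal{N}} (1 - m^i_j) \sum_{k \ne i,\, k \in \mathcal{N}} (1 - m^i_k) \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k \\
&\quad + \sum_{j \ne i,\, j \in \mathcal{N}} (1 - m^i_j) \sum_{k \ne i,\, k \in \mathcal{N}} m^i_k \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k.
\end{aligned}$$

Therefore, we obtain

$$\begin{aligned}
L^i(m^i, u_{-i}) &= \frac{1}{2} \sum_{j \ne i,\, j \in \mathcal{N}} \sum_{k \ne i,\, k \in \mathcal{N}} m^i_j \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} m^i_k u_j u_k \\
&\quad + \frac{1}{2} \sum_{j \ne i,\, j \in \mathcal{N}} (1 - m^i_j) \sum_{k \ne i,\, k \in \mathcal{N}} m^i_k \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k \\
&\quad - \frac{1}{2} \sum_{k \ne i,\, k \in \mathcal{N}} \sum_{j \ne i,\, j \in \mathcal{N}} m^i_j \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k \\
&\quad + \frac{1}{2} \sum_{j \ne i,\, j \in \mathcal{N}} (1 - m^i_j) \sum_{k \ne i,\, k \in \mathcal{N}} (1 - m^i_k) \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k \\
&= \frac{1}{2} \sum_{j \ne i,\, j \in \mathcal{N}} \sum_{k \ne i,\, k \in \mathcal{N}} (1 - m^i_j)(1 - m^i_k) \frac{1}{R^i_{ii}} R^i_{ji} R^i_{ik} u_j u_k.
\end{aligned}$$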

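APPENDIX B
PROOF OF THEOREM 1

Proof: The main idea of the proof follows [36] with several differences. In particular, the imposed conditions for showing convergence in [36] are different. In addition, our algorithm contains projections and an auxiliary parameter $v_{k+1}$ during updates. First, based on Definition 5,

$$v_{k+1} = \mathrm{proj}_C\left( \mathrm{prox}_{\lambda_x f^i_2}\left( x_k - \lambda_x \nabla f^i_1(x_k) \right) \right) = \arg\min_{x \in C}\ \langle \nabla f^i_1(x_k), x - x_k \rangle + \frac{1}{2\lambda_x}\|x - x_k\|^2 + f^i_2(x).$$

Then,

$$\langle \nabla f^i_1(x_k), v_{k+1} - x_k \rangle + \frac{1}{2\lambda_x}\|v_{k+1} - x_k\|^2 + f^i_2(v_{k+1}) \le f^i_2(x_k).$$

Based on the Lipschitz continuous condition of $f^i_1$, we obtain

$$\begin{aligned}
Q^i(v_{k+1}) &\le f^i_2(v_{k+1}) + f^i_1(x_k) + f^i_3(x_k) + \langle \nabla f^i_1(x_k), v_{k+1} - x_k \rangle + \frac{L^i}{2}\|v_{k+1} - x_k\|^2 \\
&\le f^i_2(x_k) - \langle \nabla f^i_1(x_k), v_{k+1} - x_k \rangle - \frac{1}{2\lambda_x}\|v_{k+1} - x_k\|^2 \\
&\quad + f^i_1(x_k) + f^i_3(x_k) + \langle \nabla f^i_1(x_k), v_{k+1} - x_k \rangle + \frac{L^i}{2}\|v_{k+1} - x_k\|^2 \\
&= Q^i(x_k) - \left( \frac{1}{2\lambda_x} - \frac{L^i}{2} \right)\|v_{k+1} - x_k\|^2.
\end{aligned} \tag{31}$$

When $Q^i(z_{k+1}) \le Q^i(v_{k+1})$, $x_{k+1} = z_{k+1}$, $Q^i(x_{k+1}) = Q^i(z_{k+1}) \le Q^i(v_{k+1})$, and when $Q^i(z_{k+1}) > Q^i(v_{k+1})$, $x_{k+1} = v_{k+1}$, $Q^i(x_{k+1}) = Q^i(z_{k+1})$. Hence,

$$Q^i(x_{k+1}) \le Q^i(v_{k+1}) \le Q^i(x_k). \tag{32}$$

Based on (31) and (32),

$$Q^i(v_{k+1}) \le Q^i(v_k) - \left( \frac{1}{2\lambda_x} - \frac{L^i}{2} \right)\|v_{k+1} - x_k\|^2. \tag{33}$$

In addition,

$$\mathrm{dist}(0, \partial Q^i(v_{k+1})) \le \left( \frac{1}{\lambda_x} + L^i \right)\|v_{k+1} - x_k\|. \tag{34}$$

Furthermore, $\{x_k\}$ and $\{v_k\}$ have the same accumulation points. Let $\Omega$ be the set containing all the accumulation points of $\{x_k\}$. Note that $Q^i$ admits the same value $Q_i^*$ at all accumulation points in $\Omega$ due to the non-increasing $Q^i(v_k)$. Then, $Q^i(v_k) \ge Q_i^*$ and $Q^i(v_k) \to Q_i^*$. If there exists an $n$ such that $Q^i(v_n) = Q_i^*$, the algorithm converges. If $Q^i(v_k) \ge Q_i^*$, $\forall k$, then there exists a $\tilde{k}_1$ such that $Q^i(v_k) < Q_i^* + \eta$ for $k > \tilde{k}_1$. Since $\mathrm{dist}(v_k, \Omega) \to 0$, there exists a $\tilde{k}_2$ such that $\mathrm{dist}(v_k, \Omega) < \epsilon$ for $k > \tilde{k}_2$. Thus, when $k > k_0 = \max\{\tilde{k}_1, \tilde{k}_2\}$, $v_k \in \{v,\ \mathrm{dist}(v_k, \Omega) < \epsilon\} \cap \{Q_i^* < Q^i(v) < Q_i^* + \eta\}$. Based on the KL property in Definition 7, there exists a concave function $\phi$ such that

$$\phi'(Q^i(v_k) - Q_i^*)\,\mathrm{dist}(0, \partial Q^i(v_k)) \ge 1. \tag{35}$$

Define $r_k := Q^i(v_k) - Q_i^*$, and we further assume that $r_k > 0$, $\forall k$. Otherwise, the algorithm converges in finite steps by definition. Then, $\forall k > k_0$,

$$\begin{aligned}
1 &\le \phi'(Q^i(v_k) - Q_i^*)\,\mathrm{dist}(0, \partial Q^i(v_k)) \\
&\le \left( \phi'(r_k) \left( \frac{1}{\lambda_x} + L^i \right) \|v_k - x_{k-1}\| \right)^2 \\
&\le (\phi'(r_k))^2 \left( \frac{1}{\lambda_x} + L^i \right)^2 \frac{Q^i(v_{k-1}) - Q^i(v_k)}{\frac{1}{2\lambda_x} - \frac{L^i}{2}} \\
&= d_1 (\phi'(r_k))^2 (r_{k-1} - r_k),
\end{aligned} \tag{36}$$

where $d_1 = 2\alpha\left(\frac{1}{\lambda_x} + L\right)^2 / (1 - 2\alpha)$. Besides, $\phi$ admits the form $\phi(u) = \frac{\kappa}{\theta} u^{\theta}$. Then, (36) can be rewritten as

$$1 \le d_1 \kappa^2 r_k^{2(\theta - 1)} (r_{k-1} - r_k). \tag{37}$$

Lemma 4 indicates that $0 < \theta \le \frac{1}{2}$; then, we have $-1 \le \theta - 1 < -\frac{1}{2}$ and $-1 < 2\theta - 1 < 0$. When $r_{k-1} > r_k$, we obtain $r_{k-1}^{2(\theta - 1)} < r_k^{2(\theta - 1)}$ and $r_0^{2\theta - 1} < r_1^{2\theta - 1} < \ldots < r_k^{2\theta - 1}$.

In addition, define $\zeta(u) = \frac{\kappa}{1 - 2\theta} u^{2\theta - 1}$, and then $\zeta'(u) = -\kappa u^{2\theta - 2}$. When $r_k^{2(\theta - 1)} \le 2 r_{k-1}^{2(\theta - 1)}$, then $\forall k > k_0$,

$$\begin{aligned}
\zeta(r_k) - \zeta(r_{k-1}) &= \kappa \int_{r_k}^{r_{k-1}} u^{2(\theta - 1)}\, du \ge \kappa r_{k-1}^{2(\theta - 1)} (r_{k-1} - r_k) \\
&\ge \frac{1}{2} \kappa r_{k-1}^{2(\theta - 1)} (r_{k-1} - r_k) \ge \frac{1}{2\kappa d_1}.
\end{aligned}$$

When $r_k^{2(\theta - 1)} > 2 r_{k-1}^{2(\theta - 1)}$, then $r_k^{2\theta - 1} > 2^{\frac{2\theta - 1}{2(\theta - 1)}} r_{k-1}^{2\theta - 1}$, and

$$\begin{aligned}
\zeta(r_k) - \zeta(r_{k-1}) &= \frac{\kappa}{1 - 2\theta}\left( r_k^{2\theta - 1} - r_{k-1}^{2\theta - 1} \right) \\
&> \frac{\kappa}{1 - 2\theta}\left( 2^{\frac{2\theta - 1}{2(\theta - 1)}} - 1 \right) r_{k-1}^{2\theta - 1} > \frac{\kappa}{1 - 2\theta}\left( 2^{\frac{2\theta - 1}{2(\theta - 1)}} - 1 \right) r_0^{2\theta - 1}.
\end{aligned}$$

Let $\sigma = \frac{\kappa}{1 - 2\theta}\left( 2^{\frac{2\theta - 1}{2(\theta - 1)}} - 1 \right)$ and $d_2 = \min\left\{ \frac{1}{2\kappa d_1},\ \sigma r_0^{2\theta - 1} \right\}$; then $\forall k > k_0$, $\zeta(r_k) - \zeta(r_{k-1}) \ge d_2$, and $\zeta(r_k) \ge \zeta(r_k) - \zeta(r_{k_0}) \ge \sum_{t = k_0 + 1}^{k} \zeta(r_t) - \zeta(r_{t-1}) \ge (k - k_0) d_2$. Hence, $r_k^{2\theta - 1} \ge \frac{d_2}{\kappa}(k - k_0)(1 - 2\theta)$, leading to $r_k \le \left( \frac{\kappa}{d_2 (k - k_0)(1 - 2\theta)} \right)^{\frac{1}{1 - 2\theta}}$. Therefore, we obtain

$$Q^i(x_k) - Q_i^* \le Q^i(v_k) - Q_i^* = r_k = \left( \frac{\kappa}{d_2 (k - k_0)(1 - 2\theta)} \right)^{\frac{1}{1 - 2\theta}}.$$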

REFERENCES

[1] (2015). Gartner. Accessed: Jun. 19, 2017. [Online]. Available: http://www.gartner.com/newsroom/id/3165317

[2] R. West, “The psychology of security,” Commun. ACM, vol. 51, no. 4, pp. 34–40, 2008.

[3] T. Basar and G. J. Olsder, Dynamic Noncooperative Game Theory, vol. 23. Philadelphia, PA, USA: SIAM, 1999.

[4] X. Gabaix, “A sparsity-based model of bounded rationality,” Quart. J. Econ., vol. 129, no. 4, pp. 1661–1710, Sep. 2014.

[5] R. Zhang, Q. Zhu, and Y. Hayel, “A bi-level game approach to attack-aware cyber insurance of computer networks,” IEEE J. Sel. Areas Commun., vol. 35, no. 3, pp. 779–794, Mar. 2017.

[6] Q. Zhu, Z. Yuan, J. B. Song, Z. Han, and T. Basar, “Interference aware routing game for cognitive radio multi-hop networks,” IEEE J. Sel. Areas Commun., vol. 30, no. 10, pp. 2006–2015, Nov. 2012.

[7] H. Takabi, J. B. Joshi, and G.-J. Ahn, “Security and privacy challenges in cloud computing environments,” IEEE Secur. Privacy, vol. 8, no. 6, pp. 24–31, Nov./Dec. 2010.

[8] J. Chen and Q. Zhu, “Resilient and decentralized control of multi-level cooperative mobile networks to maintain connectivity under adversarial environment,” in Proc. IEEE 55th Conf. Decis. Control (CDC), Dec. 2016, pp. 5183–5188.

[9] H. Wu and W. Wang, “A game theory based collaborative security detection method for Internet of Things systems,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 6, pp. 1432–1445, Jun. 2018.

[10] J. Chen and Q. Zhu, “Optimal contract design under asymmetric information for cloud-enabled Internet of controlled things,” in Proc. 7th Int. Conf. Decis. Game Theory Secur. New York City, NY, USA: Springer, Nov. 2016, pp. 329–348.

[11] H. Abie and I. Balasingham, “Risk-based adaptive security for smart IoT in ehealth,” in Proc. 7th Int. Conf. Body Area Netw., Feb. 2012, pp. 269–275.

[12] H. Kunreuther and G. Heal, “Interdependent security,” J. Risk Uncertainty, vol. 26, nos. 2–3, pp. 231–249, Mar. 2003.

[13] J. Chen and Q. Zhu, “Security as a service for cloud-enabled internet of controlled things under advanced persistent threats: A contract design approach,” IEEE Trans. Inf. Forensics Security, vol. 12, no. 11, pp. 2736–2750, Nov. 2017.

[14] Z. Xu and Q. Zhu, “A cyber-physical game framework for secure and resilient multi-agent autonomous systems,” in Proc. IEEE Conf. Decis. Control (CDC), Dec. 2015, pp. 5156–5161.

[15] J. Pawlick, S. Farhang, and Q. Zhu, “Flip the cloud: Cyber-physical signaling games in the presence of advanced persistent threats,” in Proc. Int. Conf. Decis. Game Theory Secur. London, U.K.: Springer, Nov. 2015, pp. 289–308.

[16] M. O. Jackson and Y. Zenou, “Games on networks,” in Handbook of Game Theory, vol. 4. Oxford, U.K.: North Holland, 2014.

[17] M. D. König, C. J. Tessone, and Y. Zenou, “Nestedness in networks: A theoretical model and some applications,” Theor. Econ., vol. 9, no. 3, pp. 695–752, 2014.

[18] J. Chen, T. Corinne, and Q. Zhu, “A dynamic game analysis and design of infrastructure network protection and recovery,” ACM SIGMETRICS Perform. Eval. Rev., vol. 45, no. 2, pp. 125–128, Sep. 2017.

[19] O. Baetz, “Social activity and network formation,” Theor. Econ., vol. 10, no. 2, pp. 315–340, May 2015.

[20] J. Chen and Q. Zhu, “Interdependent network formation games with an application to critical infrastructures,” in Proc. Amer. Control Conf. (ACC), Jul. 2016, pp. 2870–2875.

[21] L. Huang, J. Chen, and Q. Zhu, “A large-scale Markov game approach to dynamic protection of interdependent infrastructure networks,” in Proc. Int. Conf. Decis. Game Theory Secur. Springer, Oct. 2017, pp. 357–376.

[22] L. Huang, J. Chen, and Q. Zhu, “A factored MDP approach to optimal mechanism design for resilient large-scale interdependent critical infrastructures,” in Proc. Workshop Modeling Simulation Cyber-Phys. Energy Syst. (MSCPES), Apr. 2017, pp. 1–6.

[23] Q. Zhu, C. Fung, R. Boutaba, and T. Basar, “GUIDEX: A game-theoretic incentive-based mechanism for intrusion detection networks,” IEEE J. Sel. Areas Commun., vol. 30, no. 11, pp. 2220–2230, Dec. 2012.

[24] G. Gigerenzer and R. Selten, Bounded Rationality: The Adaptive Tool-Box. Cambridge, MA, USA: MIT Press, 2002.

[25] A. Ellis, “Foundations for optimal inattention,” J. Econ. Theory, vol. 173, pp. 56–94, Jan. 2018.

[26] E. J. Candes and T. Tao, “Near-optimal signal recovery from random projections: Universal encoding strategies?” IEEE Trans. Inf. Theory, vol. 52, no. 12, pp. 5406–5425, Dec. 2006.

[27] R. G. Baraniuk, “Compressive sensing,” IEEE Signal Process. Mag., vol. 24, no. 4, pp. 118–121, Jul. 2007.

[28] Y. Saad, Iterative Methods for Sparse Linear Systems, Philadelphia, PA, USA: SIAM, 2003.

[29] J. Nocedal and S. Wright, Numerical Optimization. New York, NY, USA: Springer, 2006.

[30] H. H. Bauschke and P. L. Combettes, Convex Analysis and Monotone Operator Theory in Hilbert Spaces. Cham, Switzerland: Springer, 2011.

[31] N. Parikh et al., “Proximal algorithms,” Found. Trends Optim., vol. 1, no. 3, pp. 127–239, 2014.

[32] R. T. Rockafellar and R. J.-B. Wets, Variational Analysis, vol. 317. Heidelberg, Germany: Springer, 2009.

[33] H. Attouch, J. Bolte, P. Redont, and A. Soubeyran, “Proximal alternating minimization and projection methods for nonconvex problems: An approach based on the Kurdyka-Łojasiewicz inequality,” Math. Oper. Res., vol. 35, no. 2, pp. 438–457, May 2010.

[34] J. Bolte, S. Sabach, and M. Teboulle, “Proximal alternating linearized minimization for nonconvex and nonsmooth problems,” Math. Program., vol. 146, nos. 1–2, pp. 459–494, Aug. 2014.

[35] A. Beck and M. Teboulle, “Fast gradient-based algorithms for constrained total variation image denoising and deblurring problems,” IEEE Trans. Image Process., vol. 18, no. 11, pp. 2419–2434, Nov. 2009.

[36] P. Frankel, G. Garrigos, and J. Peypouquet, “Splitting methods with variable metric for Kurdyka–Łojasiewicz functions and general convergence rates,” J. Optim. Theory Appl., vol. 165, no. 3, pp. 874–900, Jun. 2015.


Juntao Chen (S’15) received the B.Eng. degree (Hons.) in electrical engineering and automation from Central South University, Changsha, China, in 2014. He is currently pursuing the Ph.D. degree with the Laboratory for Agile and Resilient Complex Systems, Department of Electrical and Computer Engineering, Tandon School of Engineering, New York University, NY, USA.

His research interests include cyber-physical systems, security and resilience, dynamic decision-making over networks, mechanism design, artificial intelligence, and network science.

Quanyan Zhu (SM’02–M’14) received the B.Eng. degree (Hons.) in electrical engineering from McGill University in 2006, the M.A.Sc. degree from the University of Toronto in 2008, and the Ph.D. degree from the University of Illinois at Urbana–Champaign (UIUC) in 2013. After stints at Princeton University, he is currently an Assistant Professor with the Department of Electrical and Computer Engineering, New York University. His current research interests include resilient and secure interdependent critical infrastructures, Internet of Things, cyber-physical systems, game theory, machine learning, and network optimization and control. He is a recipient of many awards, including the NSF CAREER Award, the NYU Goddard Junior Faculty Fellowship, the NSERC Postdoctoral Fellowship (PDF), the NSERC Canada Graduate Scholarship (CGS), and the Mavis Future Faculty Fellowships. He spearheaded and chaired the INFOCOM Workshop on Communications and Control on Smart Energy Systems (CCSES) and the Midwest Workshop on Control and Game Theory (WCGT). He has served as the General Chair for the 7th Conference on Decision and Game Theory for Security (GameSec) in 2016, the 9th International Conference on NETwork Games, COntrol and OPtimisation (NETGCOOP) in 2018, and the 5th International Conference on Artificial Intelligence and Security (ICAIS 2019) in 2019.
