Resilience in Information Stewardship

Christos Ioannidis
David Pym
Julian Williams
Iffat Gheyas
13th Annual Workshop on the Economics of Information Society (WEIS), Pennsylvania State University, June 23-24 2014

Information security is concerned with protecting the confidentiality, integrity, and availability of information systems. System managers deploy their resources with the aim of maintaining target levels of these attributes in the presence of reactive threats. Information stewardship is the challenge of maintaining the sustainability and resilience of the security attributes of (complex, interconnected, multi-agent) information ecosystems. In this paper, we present, in the tradition public economics, a model of stewardship which addresses directly the question of resilience. We model attacker-target-steward behaviour in a fully endogenous Nash equilibrium setting. We analyse the occurrence of externalities across targets and assess the steward's ability to internalise these externalities under varying informational assumptions. We apply and simulate this model for the case of a critical national infrastructure.