Is it better to require organizations to make investments into security posture? Or to protect their wealth with cyber insurance? Without the ability to answer such questions scientifically, it is difficult to know a priori which policies will provide the most benefit.
To allow for an quantitative experiment-based approach towards crafting cyber policy, we create a large-scale economic model of cybersecurity using game theory and multi-agent simulation.
We use an iterated game with three classes of agents: Defender, Attackers, and Insurers. All agents are given some initial wealth (assets) and a set of choices (strategy sets), and choose each round the strategy that minimizes their expected losses. Defenders are also initialized with a security posture
which rises or falls depending on investments made to security.
At the start of each round of simulation, all agents choose the strategy that maximizes expected utility for the upcoming round.
Click Run
below to evaluate the model and observe its outputs.
You may also adjust each of our model's 20 inputs (all empirically derived).