Prisoner’s dilemma for information security industry

My friends know that my curiosity leads me to various corners of the human knowledge oikoumene. This time I was walking through game theory, where I stumbled upon the “Prisoner’s dilemma”. I was struck by how similar this dilemma is to the situation we have with threat announcements in particular, and with the information security industry in general.

But let me explain what a “prisoner’s dilemma” is (for those of you who are not yet familiar with the concept). Imagine two suspects in custody. One of them (let’s name her Alice) is approached by investigators and asked to testify against the other (let’s name him Bob). In exchange, the officers promise that her sentence will be reduced to one year, while her testimony will make sure that Bob spends three years in prison. Of course, the same offer goes to Bob. If they both testify against each other, they provide enough evidence that both are convicted and receive two years each. Conversely, if they both refuse to testify, each gets the minimal sentence of one year, since the prosecutor does not have enough evidence for a longer one (*). The matrix of choices is the following:

Sentence (Alice, Bob), in years:

                      | Alice testifies                 | Alice remains silent
----------------------+---------------------------------+--------------------------------
Bob testifies         | Alice – 2 years, Bob – 2 years  | Alice – 3 years, Bob – 1 year
Bob remains silent    | Alice – 1 year, Bob – 3 years   | Alice – 1 year, Bob – 1 year

So, if Alice and Bob had no prior agreement to cooperate against the prosecutors, each one’s rational strategy would be to testify against the other: whatever the partner does, testifying is never worse for oneself, and spending one year in prison is certainly better than spending three. Thus they both testify and receive a two-year sentence each, while if they had both kept silent, they would have received a lesser sentence. The trick is that each actor, Alice and Bob, is selfish and does what he or she thinks is best for him- or herself, and this leads to a worse result for both of them.

The power of this simple theory is that there are numerous examples of this dilemma happening here and there. In the days of the Cold War, NATO and Warsaw Pact countries faced a similar dilemma: to arm or to disarm. From each side’s point of view, disarming while the opponent continued to arm would have led to military inferiority and possible annihilation. Conversely, arming while the opponent disarmed would have led to superiority. If both sides chose to arm, neither could afford to attack the other, but the costs of developing and maintaining a nuclear arsenal were huge. If both sides chose to disarm, war would be avoided and there would be no such costs. Although the ‘best’ overall outcome is for both sides to disarm, so that the economies of the countries in both blocs could flourish, rational behavior led both to arm, and this is indeed what happened.

Now, back to the information security industry. When we try to sell our products and solutions, we face a dilemma: to generate FUD (fear, uncertainty, doubt) or not. We are, essentially, in an “arms race” with other security vendors: whoever generates more FUD wins more attention and, depending on their monetization skills, gains more revenue. But FUD generation requires effort and money, and, to make things worse, the effect wears off. Ordinary people get used to hearing news about hacks, breaches and other nasty cyber things. Journalists and bloggers are tired, too. Brian Krebs, quoted in this article, said: “I have to admit even I get sick of these stories. At some level you have to ask: ‘Does this breach really matter?’”

And, as with the prisoner’s dilemma, the solution is the same: cooperation. How to do it properly is an open question.

______________________________________________________________________________________

(*) To be precise, this is a description of a non-strict Prisoner’s dilemma, where the “selfish” payoff (testifying against a partner who stays silent) is equal to the “cooperative” one (both staying silent): one year either way. In a strict Prisoner’s dilemma, the payoff for being selfish and testifying against the other person in custody has to be strictly greater than the payoff for keeping silent. I’ve done this on purpose to illustrate the similarity of the Prisoner’s dilemma to the information security industry.
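As an added example (not from the original post), the following Python checks the post’s payoff matrix for dominant strategies and Nash equilibria and contrasts it with a strict variant; `YEARS_STRICT`, where the lone testifier serves zero years, is an assumption of this example, not a figure from the post. It shows that with the post’s non-strict numbers testifying only weakly dominates and mutual silence is itself an equilibrium, whereas in the strict variant mutual testimony is the only one.

```python
from itertools import product

ACTIONS = ("testify", "silent")

# Constructed from the post's table; values are years in prison (lower is better),
# keyed by (Alice's action, Bob's action) -> (Alice's years, Bob's years).
YEARS_NON_STRICT = {
    ("testify", "testify"): (2, 2),
    ("testify", "silent"): (1, 3),
    ("silent", "testify"): (3, 1),
    ("silent", "silent"): (1, 1),
}
# Assumed strict variant (not from the post): the lone testifier walks free,
# so testifying beats silence in every case instead of merely tying in one.
YEARS_STRICT = {**YEARS_NON_STRICT, ("testify", "silent"): (0, 3), ("silent", "testify"): (3, 0)}

def cost(years, player, alice_action, bob_action):
    """Years served by player 0 (Alice) or 1 (Bob) under a given action profile."""
    return years[(alice_action, bob_action)][player]

def profile(player, own, opp):
    """(Alice's action, Bob's action) from one player's own action and the opponent's."""
    return (own, opp) if player == 0 else (opp, own)

def dominance(years, player):
    """Return (dominant_action, 'strict' | 'weak'), or (None, None) if no action dominates."""
    for own in ACTIONS:
        alt = ACTIONS[1 - ACTIONS.index(own)]
        # Extra years the player would serve by switching from `own` to `alt`, per opponent move.
        gains = [cost(years, player, *profile(player, alt, opp))
                 - cost(years, player, *profile(player, own, opp)) for opp in ACTIONS]
        if all(g >= 0 for g in gains):  # never worse -> dominant; 'weak' if tied somewhere
            return own, "strict" if all(g > 0 for g in gains) else "weak"
    return None, None

def nash_equilibria(years):
    """Profiles where neither player can shorten their own sentence by deviating alone."""
    eqs = []
    for a, b in product(ACTIONS, repeat=2):
        alice_ok = all(cost(years, 0, a, b) <= cost(years, 0, x, b) for x in ACTIONS)
        bob_ok = all(cost(years, 1, a, b) <= cost(years, 1, a, y) for y in ACTIONS)
        if alice_ok and bob_ok:
            eqs.append((a, b))
    return eqs

def pareto_better(years, current, candidate):
    """True if candidate leaves nobody worse off and at least one player better off."""
    cur, cand = years[current], years[candidate]
    return all(c <= p for c, p in zip(cand, cur)) and cand != cur
```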