Network security and contagion

We develop a theoretical model of security investments in a network of interconnected agents. Network connections introduce the possibility of cascading failures due to an exogenous or endogenous attack depending on the profile of security investments by the agents. We provide a tractable decomposition of individual payoffs into an own effect and an externality, which also enables us to characterize individual investment incentives recursively (by considering the network with one agent removed at a time). Using this decomposition, we provide characterization of equilibrium and socially optimal investment levels as a function of the structure of the network, highlighting the role of a new set of network centrality measures in shaping the levels of equilibrium and optimal investments. When the attack location is endogenized (by assuming that the attacker chooses a probability distribution over the location of the attack in order to maximize damage), similar forces still operate, but now because greater investment by an agent shifts the attack to other parts of the network, the equilibrium may involve too much investment relative to the social optimum.