Individual vs. overarching protection for minimizing the expected damage caused by an attack Gregory Levitin a,b,n , Kjell Hausken c , Yuanshun Dai a a Collaborative Autonomic Computing Laboratory, School of Computer Science, University of Electronic Science and Technology of China, China b The Israel Electric Corporation Ltd., P.O. Box 10, Haifa 31000, Israel c Faculty of Social Sciences, University of Stavanger, N-4036 Stavanger, Norway article info Article history: Received 4 November 2012 Received in revised form 28 April 2013 Accepted 24 May 2013 Available online 3 June 2013 Keywords: Vulnerability Defense Damage Individual protection Overarching protection Demand abstract The article considers a system consisting of identical elements which can be protected and attacked individually and collectively. The system is aimed at supplying a demand. If, following the attack, the cumulative performance of the elements becomes less than the demand the damage proportional to the unsupplied demand is inflicted. Additional damage is associated with the destruction of the equipment. To destroy any system element the attacker always must penetrate/destroy the collective (overarching) protection. Both the attacker and the defender have limited resources and can distribute them freely between the two types of attack and protection. The attacker chooses the resource distribution and the number of attacked elements to maximize the expected damage associated with equipment losses and unsupplied demand. The defender chooses the resource distribution and the number of protected elements to minimize the system destruction probability. The bi-contest minmax game is formulated and its solutions are presented and analyzed. The influence of the game parameters on the optimal defense and attack strategies is discussed. & 2013 Elsevier Ltd. All rights reserved. 1. Introduction Studying attack and defense interaction becomes the field of intensive research and finds many real applications ([1—3,13]). For many systems a balance has to be struck between protect- ing individual system elements and protecting the system as a whole. For example, a power generating plant may design protec- tion around its outer boundaries, or may design individual protections to varying degrees of the plant's various components (e.g. generators). Similarly, a country may protect its border against other countries (e.g. Chinese wall, US border towards Mexico), a city may design borders towards its surroundings, or assets (e.g. Fort Knox, water production plants) may be protected individually. Another example of combination of individual and common (overarching) protection is deploying anti-aircraft systems aimed at preventing the airborne attacks on objects located in some area and protecting these objects from strikes individually (by using bunkers, protective casings etc.) Hiding the targets is a special case of overarching protection as without detecting the targets the attacker cannot strike them. Overarching protection can alterna- tively be referred to as group, collective, or outer protection. When an attacker attacks a system that has both individual and overarching protection, it destroys the system only if it succeeds in destroying/penetrating the overarching protection and then suc- ceeds in destroying the individual protection. Thus, the defender enjoys the two-layer defense. However deploying the overarching protection may be very costly. Having limited defense resources the defender must distribute them optimally to achieve the lowest possible probability of system destruction. Early works on the balance between individual and overarching protection have been done by Powell [14] and Haphuriwat and Bier [5]. Powell considered the allocation of defensive resources between target hardening and border security, assuming discrete attacker target choice. Haphuriwat and Bier [5] considered the defender's optimal investment in protecting the targets individu- ally and collectively, assuming a conditional probability of a successful attack determined parametrically by a power-law func- tion. It was assumed that the attacker chooses a single target and spends all its resources on attacking this target. Levitin [9,11] and Levitin et al. [10] analyzed the importance of multilevel protec- tions and their optimal allocation in complex systems. Korczak et al. [7,8] analyzed multilevel protection against single and multiple destructive factors in multi-state systems. Accounting for strategic attackers, Golalikhani and Zhuang [4] allow the defender to protect any subset or arbitrary layers of targets due Contents lists available at SciVerse ScienceDirect journal homepage: www.elsevier.com/locate/ress Reliability Engineering and System Safety 0951-8320/$ - see front matter & 2013 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.ress.2013.05.024 n Corresponding author at: Collaborative Autonomic Computing Laboratory, School of Computer Science, University of Electronic Science and Technology of China, China. E-mail address: levitin@iec.co.il (G. Levitin). Reliability Engineering and System Safety 119 (2013) 117–125