Strategic Investment in Protection in Networked Systems

We study the incentives that agents have to invest in costly protection against cascading failures in networked systems. Applications include vaccination, computer security and airport security. Agents are connected through a network and can fail either intrinsically or as a result of the failure of a subset of their neighbors. We characterize the equilibrium based on an agent's failure probability and derive conditions under which equilibrium strategies are monotone in degree (i.e. in how connected an agent is on the network). We show that different kinds of applications (e.g. vaccination, malware, airport/EU security) lead to very different equilibrium patterns of investments in protection, with important welfare and risk implications. Our equilibrium concept is flexible enough to allow for comparative statics in terms of network properties and we show that it is also robust to the introduction of global externalities (e.g. price feedback, congestion).


Introduction
Many systems of interconnected components are exposed to the risk of cascading failures. The latter arises from interdependencies or interlinkage, where the failure of a single entity (or small set of entities) can result in a cascade of failures jeopardizing the whole system. This phenomenon occurs in various kinds of systems. Well-known examples include 'black-outs' in power grids, where overload redistribution following the failure of a single component can result in a cascade of failures that ripples through the entire grid (e.g. Rosas-Casals et al. (2007), Wang et al. (2010)). The internet and computer networks also exhibit this phenomenon-one manifestation being the spread of malware (e.g. Lelarge and Bolot (2008b), Balthrop et al. (2004)). Likewise, human populations are exposed to the spread of contagious diseases 3 .
Studying the incentives to guard against the risk of cascading failures in such interconnected systems has received attention in recent years. In early 2015, a measles epidemic spread across the western part of the United States. It was reported that one of the causes was the unwillingness of parents to vaccinate their children (e.g. The Economist (5 February 2015), The Economist (4 February 2015), Reuters (27 August 2015)). Indeed, some people may want to avoid the perceived risks of a vaccine's side effects and free-ride on the "herd immunity" provided by the vaccination of other people. This raises the following question: what are the incentives to vaccinate against a contagious disease? The same type of question can be asked about other systems subject to the risk of cascading failures. What are the incentives to invest in computer security solutions to protect against the spread of malware? A recent wave of terror attacks within the European union also illustrates the fact that the EU is an interconnected system of many countries. Each member country is thereby exposed to the decisions of other member countries regarding investments in security and intelligence. Indeed, an attacker entering the EU area can reach any location within it. Likewise, what incentives do airports have to invest in security equipment/personnel? How does the structure of interactions between individuals, computers, airports or countries affect those incentives?
There are mainly two streams of literature studying such strategic decisions in interconnected systems. One focuses on the role played by the structure through which agents interact (e.g. a network), while the other focuses on modeling different types of attacks on the system (e.g. random attacks, targeted attacks, strategic attacks).
In the first stream of literature, early work studying games of "interdependent security" (e.g. Heal and Kunreuther (2004) and Heal et al. (2006)) considered a broad set of applications ranging from airline security to supply chain management, but did not yet incorporate a complex network interaction structure. More recent work has studied heterogeneous interaction structures. For example, Galeotti and Rogers (2013) consider the problem of a social planner attempting to eradicate an infection from a population. They consider a simple network consisting of two types of agents interacting with others within and across their respective social groups. They then explore the influence of assortativity on the optimal actions of a decision maker. Other papers, like ours, explore the influence of a networked interaction structure on the agents' strategic decisions in more detail. This includes Lelarge and Bolot (2008a) studying the case of strategic immunization and Cabrales et al. (2014) exploring the setting of interconnected firms choosing investments in risky projects. More recently, Cerdeiro et al. (2015) explored the problem of designing the network topology that provides the proper incentives to the agents.
In the second stream of literature, papers like Dziubiński and Goyal (2017) and Acemoglu et al. (2016) explore strategic attack models, in which a defender chooses protection levels, while an attacker chooses the targets in an attempt to maximize the number of affected agents in the network.
In this paper, we develop a framework to study the incentives that agents have to invest in protection against cascading failures in networked systems. A set of interconnected agents can each fail exogenously (fully randomly) or as a result of a cascade of failures 4 (through infected connections). Depending on the application, failure can mean a human being contracting an infectious disease, a computer being infected by a virus or an airport/country being exposed to a security event (e.g. a suspicious luggage or passenger being checked in or being in transit). Each agent must decide on whether to make a costly investment in protection against cascading failures. This investment can mean vaccination, investing in computer security solutions or airport security equipment, to name a few important examples. Strategic decisions to invest in protection are based on an agent's intrinsic failure risk as well as on his belief about his neighbors and their probability of failure. In a complex networked system, forming such a belief can be challenging. For that reason, we employ a solution concept that considerably simplifies how agents reason about the network: agents do not observe the network, but simply know the number of connections they have. This is similar to the equilibrium concept used in Galeotti et al. (2010), Jackson and Yariv (2007) and Leduc et al. ((forthcoming). This equilibrium concept allows us to preserve the heterogeneity of the networked interaction structure (each agent can have a different degree, i.e. a different number of connections) while simplifying the computation of an equilibrium. It also conveniently allows for comparative statics in terms of the network structure (as captured by the degree distribution), as well as other model parameters. This allows us to measure such things as the effect of an increase in the level of connectedness on investments in protection.
We characterize the equilibrium for three broad classes of games: (i) games of total protection, in which agents invest in protection against both their intrinsic failure risk and the failure risk of their neighbors; (ii) games of self protection, in which agents invest in protection only against their intrinsic failure risk; and (iii) games of networked-risk protection, in which agents invest in protection only against the failure risk of their neighbors. The first and third classes define games of strategic substitutes, in which some agents free-ride on the protection provided by others. Applications covered by these classes of games include vaccination and standard computer security solutions (e.g. anti-virus). The second class defines a game of strategic complements, in which agents pool their investments in protection and this can result in coordination failures. Applications covered by this class of games include airport security, border security within the European union and other types of computer security solutions (e.g. two-factor authentication (2FA)).
Another of our contributions is to analyze the effect of the network structure on equilibrium behavior in those three classes of games. For example, in the case of vaccination, it is the agents who have more neighbors than a certain threshold who choose to vaccinate and the agents who are less connected who free-ride. The more connected agents thus bear the burden of vaccination, which can be seen as a positive outcome. In the case of airport security, on the other hand, it is agents who have fewer neighbors than a certain threshold who choose to invest in security equipment/personnel. Since the less connected airports are less likely to act as hubs that can transmit failures, this can be seen as an inefficient outcome. To our knowledge, we are the first to explicitly characterize such features, which are the consequence of network structure and can have important policy and welfare implications.
Finally, we study the case when the cost of protection is endogenized and allowed to depend on global demand. For instance, the price of vaccines or computer security solutions may increase (e.g. vaccines may be produced in limited supplies) if demand increases. It is important to understand the impact that this may have on agents' behavior as the introduction of such a global externality (e.g. see the global congestion case in Arribasa and Urbanoa (2014)) may conflict with the cascading failure process affecting an agent through his local connections. We characterize the equilibrium after introducing this price feedback and show that the results derived previously still hold with minor changes. Acemoglu et al. (2016) and Lelarge and Bolot (2008b) are perhaps the closest work to ours. The former paper, in a setting similar to ours, shows that under random and targeted attacks both over-and underinvestment (as compared to the socially optimal level) are possible. Furthermore, the authors show that optimal investment levels are defined by network centrality measures, whereas our characterization of equilibrium investment is based on degree centrality. Additionally, we further explore the role of the network structure in defining agents' incentives to invest in protection. In particular, we study comparative statics by varying the degree distributions of the underlying network. Lelarge and Bolot (2008b) also consider different types of protection against contagion risk in trees and sparse random graphs. As compared to their probabilistic approach, the equilibrium concept we use allows for a characterization of behavior in terms of an agent's degree. We also deal with a common (possibly endogenized) cost of investment as opposed to their randomized costs. Finally, our paper contributes to the rapidly expanding stream of literature on games on networks 5 . The paper is organized as follows: Section 2 introduces the concept of cascading failures in networked systems. Section 3 develops the game theoretic framework that allows us to study the problem in a tractable way while imposing a realistic cognitive burden on agents. Section 4 characterizes the equilibrium for the three broad classes of games previously mentioned. Implications for risk and welfare are discussed. Comparative statics results in terms of the network structure (as captured by the degree distribution) and other model parameters are also presented. An extension in which the cost of protection is endogenized is also studied. Section 5 concludes with a critical evaluation of our model and a discussion of possible extensions. For clarity of exposure, all the proofs are relegated to an appendix. This then leads to their neighbors' neighbors to become infected and so on.

Overview
In this section we will discuss how cascades of failures can propagate through networks. A cascade of failures is defined as a process involving the subsequent failures of interconnected components. A failure is a general term that may represent different kinds of costly events. Let us consider, for example, the spread of a disease in a human population. Initially, some individuals get infected through exogenous sources such as livestock, mosquitos or the mutation of a pathogen. These individuals can then transmit the disease through contacts with other humans. Let us suppose that an individual is sure to catch the disease if one of his neighbors is infected. Figure 1 illustrates this process. We can see the impact of network structure on contagion. Some people lying in certain components remain healthy whereas others are infected by their neighbors. We also see that individuals with a high number of contacts tend to facilitate contagion. This is a simplified model of contagion. A more realistic model could, for example, transmit the disease only to randomly selected neighbors, depending on its virulence. Now let us imagine that some individuals are vaccinated and therefore are not susceptible to becoming infected, neither by exogenous sources nor by contacts with other people. This will have an impact on the cascading process. Indeed, it will effectively 'cut' certain contagion channels, thereby impeding the spread of the disease. Figure 2 illustrates this. We see that the importance of the network structure becomes even more striking. In Fig. 2a), immunized individuals have been selected randomly, whereas in Fig. 2b) individuals with 4 or more contacts have been immunized. It is clear that those more connected individuals often act as hubs through which contagion can spread more easily. When these individuals are immunized, the effect of impeding the propagation of the disease tends to be much greater than when the immunized individuals are chosen at random.
In this example, the 'failure' of an individual means he becomes infected by the disease. In other applications, 'failure' can mean infection by malware. The nodes then no longer represent individuals but computers (or local subnetworks or autonomous systems). Antivirus software or other sorts of computer security solutions are means by which the spread of malware can be impeded. We saw in the simple example of Fig. 2 that the configuration of the vaccinated nodes was crucial to impeding contagion. An important question is to study the incentives that an individual may have to become vaccinated. How does the network structure affect his decision to become vaccinated? What roles other individuals play in influencing that decision through their own vaccination behavior?
Given the range of applications, we will talk of an investment in protection. This refers to an investment made by a node in order to protect itself against the risk of failure. In the next section, we build a model of strategic investment in protection against cascading failures in networked systems. We will refer to nodes as agents, since they make decisions regarding this investment in protection. More generally, we will be interested in how the network structure and the failure propagation mechanism influence those decisions through the externalities that they generate.

Network
A network, as the one described previously, can be formally defined as follows. There is a set of nodes (or agents) N = {1, 2, ..., n}. The connections between them are described by an undirected network that is represented by a symmetrical adjacency matrix g ∈ {0, 1} n×n , with g ij = 1 implying that i and j are connected. i can thus be affected by the failure of j and vice versa. By convention, we set g ii = 0 for all i ∈ N . The network realization g is drawn from the probability measure P : {0, 1} n×n → [0, 1] over the set of all possible networks with n nodes. We assume that P is permutation-invariant, i.e. that changing node labels does not change the measure. Each agent i has a neighborhood N i (g) = {j|g ij = 1}. The degree of agent i, d i (g), is the number of i's connections, i.e. d i (g) = |N i (g)|.

Informational Environment
We study an informational environment similar to the one presented in Galeotti et al. (2010). Agents are aware of their proclivity to interact with others, but do not know who these others will be when taking actions. Formally, this means that an agent knows only his degree d i . For example, a bank may have a good idea of the number of financial counterparties it has but not the number of counter-parties the latter have, let alone the whole topology of the interbank system. In applications to the spread of contagious diseases, an individual may know the number of people he interacts with, but not the number of people the latter interact with. Likewise, in the case of an email network, someone may know the number of contacts he has, but not the number of contacts his contacts have.
First, since P is permutation invariant (cf. Section 2.2), we can define the degree distribution of P as the probability a node has degree d in a graph drawn according to P ; we denote the degree distribution 6 by f (d) for d ≥ 1. Note that we are not interested in modeling agents of degree 0 (since they do not play a game) and we therefore always assume that f (0) = 0. We assume a countably infinite set of agents. An agent's type is his degree d and it is drawn i.i.d. according to the degree distribution f (d). Likewise, the degree of each of an agent's neighbors is drawn i.i.d. according to the density functionf (d). This is the edge-perspective degree distribution and can be written asf This expression follows from a standard calculation in graph theory (see Jackson (2008) for more details).f (d) is the probability that a neighbor has degree d. It therefore takes into account the fact that a higher-degree node has a higher chance of being connected to any agent and thus of being his neighbor. Thus agents reason about the graph structure in a simple way through the degree distribution.

Action Sets and Strategies
In order to protect himself against the risk of failure, we allow an agent i to make a costly investment in protection. This is a one-shot investment that can be made in anticipation of a cascade of failures, which may take place in the future. This investment in protection is represented by an action a i , which is part of a binary action set A = {0, 1}. The latter represents the set of possible investments in protection against failure: a i = 1 means that the agent invests in protection while a i = 0 means that the agent remains unprotected. In an application to computer security, a i can represent an investment in computer security solutions or anti-virus software. In applications to disease spread, a i can represent vaccination, whereas in the case of airport security, a i can represent an investment in security personnel or equipment. We assume throughout that A is the same for all agents. The exact effect of this action on an agent's actual failure risk will be formalized later in Definition 5.
Note that all agents have access to the same information about the network (only its degree distribution f (d)). An agent does not know his position in the network, only the number of neighbors he has (an agent's degree is his type). An agent i's behavior is thus governed only by his degree d i and not by his label i. We can then define a strategy in the following way.
Definition 1. A strategy µ : N + → [0, 1] is a scalar-valued function that specifies, for every d > 0, the probability that an agent of degree d invests in protection. We denote by M the set of all strategies.
Thus µ(d) is the symmetric mixed strategy played by an agent of degree d. Note that M = [0, 1] ∞ , the space of [0, 1]-valued sequences. Throughout, we endow M with the product topology and [0, 1] with the Euclidean topology.

Failure Probabilities and Utility Functions
We start with the following definition: Definition 2. An agent's intrinsic failure probability is denoted by p ∈ [0, 1].
We thus assume all agents can fail intrinsically with the same probability p. The interpretation of intrinsic failure depends on the application. In the context of malware, intrinsic failure means a computer becoming infected as a result of a direct hacking attack. In the context of the spread of contagious diseases, intrinsic failure means being infected by a virus through non-human sources, such as contact with livestock or insects. In the context of airport security, intrinsic failure can mean a suspicious luggage being checked in at the airport.
We now state a property of this network security game, which addresses how an agent reasons about the failure probability of his neighbors.
This setting is similar to that of Jackson and Yariv (2007), where each neighbor adopts a product or an opinion with a certain probability that depends on the strategy played by the population. Note that the dependence of a neighbor's failure probability T (µ) on the strategy µ played by other agents was made explicit. An agent's cascading failure probability can now be defined in terms of T (µ), as seen in the following definition.
Definition 3. For any d, let the function q d : [0, 1] → [0, 1] denote a degree-d agent's cascading failure probability, i.e. q d (T (µ)) is the probability that an agent of degree d will fail as a result of a cascade of failures, given that his neighbors each fail independently with probability T (µ). For any d, q d (T (µ)) is strictly increasing and continuous in T (µ). Moreover, we explicitly set q 0 (T (µ)) = 0 and thus an agent with no neighbor cannot fail as a result of a cascade of failures.
The actual expression for q d (T (µ)) depends on the type of cascade we are considering. We will consider only a situation where {q d } d is an increasing sequence of functions. That is, when d > d, then q d (T (µ)) > q d (T (µ)) for any T (µ) ∈ [0, 1]. In other words, the cascading failure risk is higher when an agent has more connections 7 . For convenience, we will sometimes write q d (T (µ)) simply as q d .
Since an agent of degree d either fails intrinsically with probability p or in a cascade with probability q d , we can define his total probability of failure as follows.
Definition 4 (Total probability of failure). The total probability of failure of an agent of degree d is Thus an agent can either fail intrinsically (i.e. by himself) or as a result of the failures of a subset of his neighbors. Those neighbors who have failed may have done so intrinsically or as a result of the failure of a subset of their own neighbors.
We study a static setting, in which agents make decisions simultaneously, in anticipation of a cascade of failures that may happen in the future. Therefore each agent is healthy when he chooses an action a ∈ A representing a costly investment in protection against failure. This is a good decision model for the applications that we cover. E.g., vaccines are taken by healthy individuals in anticipation of an epidemic that may spread in the future. Likewise, investments in computer security solutions are taken for healthy computers or autonomous systems in anticipation of the spread of malware, which may take place at a later date. Similar long-term security decisions are taken in other contexts, such as airport security, for example.
We now describe how this action affects an agent's failure probability.
Definition 5. Let the mapping B : [0, 1] × [0, 1] × A → [0, 1] denote the effective failure probability of an agent. We assume that B(p, q d , a) is continuous in all arguments, increasing in p and in q d and that it is decreasing in a.
Thus, B(p, q d , a) is the total failure probability of an agent (defined in (1)) when he has invested a in protection against failure. Note that this definition allows this action to operate separately on p and q d , as will be seen in Section 4. This will become useful as we study different kinds of protection. We can now state an agent's expected utility function, which will capture his decision problem.
A degree-d agent's expected utility function is given by where C > 0 is the cost of investing in protection, V > 0 is the value that is lost in the event of failure and B(·, ·, ·) is the effective failure probability (cf. Definition 5). This utility function captures the tradeoff between the expected loss V · B(p, q d (T (µ)), a) and the cost 8 C of investing in protection. Notice again that an agent's expected utility depends on the actions of others only through the cascading failure probability q d (T (µ)), since they will affect the probability of failure T (µ) of a randomly-picked neighbor. Note also that the expected utility function 9 U d (·, ·) depends on the agent's degree d but not on his identity i. Therefore, any two agents i and j who have the same degree have the same expected utility function. From the assumptions on B, U d is continuous in all arguments. An agent is risk-neutral and will thus maximize this expected utility function by choosing the appropriate action a. The game thus models security decisions under contagious random attacks in a network where each agent (node) knows only his own degree and the probability that a neighbor has a certain degree.
While the cascading failure probability q d can take many functional forms, we provide several examples which can all be modeled using the particular form q d (T (µ)) = 1−(1−rT (µ)) d . This functional form results from a contact process.
Malware or Virus Spread: Let a computer be infected by a direct hacking attack with probability p. Assume that malware (i.e. computer viruses) can spread from computer to computer according to a general contact process: if a neighbor is infected, then the computer will be infected with probability r. If each neighbor is infected with probability T (µ) and this infection spreads independently across each edge with probability r, then q d (T (µ)) = 1 − (1 − rT (µ)) d . This contact process can also serve as a model for the spread 8 The cost of investing in protection may represent the price of airport security equipment or computer security solutions. It may also represent the possible side-effects that may be associated with a vaccine (e.g. The Economist (4 February 2015)).
9 Note that we could write a degree-d agent's expected utility function as U (a, µ, d). We write it with d as a subscript simply because it is a convenient notation. of viruses among human populations. In this case, p is the probability of being infected by non-human sources (e.g. insects, livestock, etc.) and q d (T (µ)) is the probability of being infected by neighbors (i.e. other persons with whom the agent interacts). The parameter r models the virulence or infectiousness of the process: given that a neighbor is infected, r is the probability 10 that he will infect the agent.
Airport and European Union Security: The contact process described above can also be applied to airport or EU security. The exogenous failure (with probability p) can mean a security event such as the failure to stop a suspicious luggage from being checked in on a flight or a terrorist entering the European union from outside through one of the EU countries with weaker border control. In these scenarios, the agents represent airports or countries, and the edges linking them represent flights and connecting routes between countries. The suspicious luggage or terrorist can then cascade, i.e. travel to one or more other airports/countries, exposing them to security risks. q d (T (µ)) = 1−(1−rT (µ)) d can then model the risk of an entity coming into contact with a security threat coming from a neighboring country or airport.
In the next two sections we develop both the optimal response of an agent to the environment described previously, as well as the consistency check that T (µ) should satisfy given the strategic choices of the agents.

Consistency
We will now develop a consistency check that guarantees that a randomly-picked neighbor's failure probability T (µ) is consistent with the strategy µ played by the population.
( 3) In the above definition 11 , F(µ, α) is the failure probability of a randomly-picked neighbor given that agents play strategy µ and this neighbor's other neighbors fail with probability α. A fixed point α = F(µ, α) ensures that α is the same across all agents and consistent with µ. We consider F(µ, α) with the following property: Property 2. For any µ ∈ M, F(µ, α) has a unique fixed point in α.
Note that Property 2 is not particularly stringent. It is easy to verify in the contact process models of the examples described in Section 3.3.

Optimal Response
It is now straightforward to solve for the optimal strategy of an agent of degree d: an agent invests in protection, does not invest, or is indifferent if U d (1, µ) is greater than, less than, or equal to U d (0, µ), respectively. We thus have the following definition.
Definition 8. Let S d (T (µ)) ⊂ [0, 1] denote the set of optimal responses for a degree-d agent given T (µ); i.e.: We can now let S(T (µ)) ⊂ M denote the set of optimal strategies given T (µ); i.e., Note that at least one optimal response always exists and is essentially uniquely defined, except at those degrees where an agent is indifferent.

Equilibrium
We now formally define the equilibrium concept and state our first proposition.
This equilibrium definition ensures that both the optimality and consistency conditions are satisfied. Also note that to any equilibrium µ * , there corresponds a unique equilibrium neighbor failure probability α * = T (µ * ).
Proposition 1 (Existence). Any network security game that satisfies Properties 1 and 2 has a mean-field equilibrium.
An MFE is a symmetric equilibrium with the property that an agent's neighbors fail independently with the same probability T (µ * ) under µ * . An MFE is particularly easy to compute. In fact, α * = T (µ * ) is obtained from a one-dimensional fixed-point equation resulting from the composition of T and S, i.e. α * = T (S(α * )). µ * is then found from the map S(α * ) (cf. Definition 8). Allowing for correlations between the failures of neighbors would considerably complicate the analysis 12 .

Characterizing Equilibria
In this section, we will study three classes of games in which agents make decisions to invest in protection. We will start with games of total protection, in which an agent's investment decreases his total risk of failure. We will then proceed with games of self protection, in which an agent's investment in protection only protects him against his own intrinsic risk of failure. We will finally study an intermediate case: a game of networked-risk protection, in which an agent's investment in protection only protects him against the risk of failure of his neighbors

Games of Total Protection
In games of total protection, the investment protects both against the intrinsic failure risk and the cascading failure risk.
Examples of applications covered by this class are the spread of contagious diseases and the decision to vaccinate or malware and the investment in anti-virus or computer security solutions. Vaccination, for example, protects against both the risk of being infected by non-human (intrinsic failure risk) and human sources (cascading failure risk). It is also the case for standard anti-virus software featuring a firewall protection. This protects an agent against both direct hacking attacks (intrinsic failure risk) and malware spread through the Internet/e-mail networks (cascading failure risk).
We have the following definition: Definition 10 (Games of total protection). In a game of total protection, the effective failure probability has the following form for some k ∈ [0, 1] and In games of total protection, as can be seen in (5), an agent's investment in protection decreases his total probability of failure p + (1 − p)q d (T (µ)). The parameter k governs the effectiveness of the investment in protection. The higher k, the more an investment in protection reduces the failure probability.
Before stating our first theorem, we introduce the following definition.
Definition 11 (Upper-threshold strategy). A strategy µ is an upper-threshold strategy if there exists d U ∈ N + {∞}, such that: Thus, under an upper-threshold strategy, agents with degrees above a certain threshold invest in protection whereas agents with degrees below that threshold do not invest. Note that the definition above does not place any restriction on the strategy at the threshold d U itself; we allow randomization at this threshold.
Games of total protection are submodular. In other words, they are of strategic substitutes: the more other agents invest in protection (the lower T (µ)), the less an agent has an incentive to invest in protection. A nice property of games of total protection is that they have a unique equilibrium that is characterized by an upper-threshold strategy.
Theorem 1 (Total Protection). In a game of total protection, the equilibrium µ * is unique. Moreover, µ * is an upper-threshold equilibrium, i.e. µ * is an upper-threshold strategy.
The intuition behind this result is that, higher-degree agents are more exposed to cascading failures than lower-degree agents, thus making an investment in total protection relatively more rewarding. The implications of this theorem are important as higher-degree agents are more likely to act as hubs though which contagion can spread. This result can thus be seen as a satisfactory outcome since more connected agents have higher incentives to internalize the risk they impose on the system. In equilibrium, the total cost of protection is thus born by those who have a maximal effect on decreasing T (µ). For example, in the case of malware, agents with a higher level of interaction (higher degree) have a higher incentive to invest in computer security (i.e. anti-virus software). The same principle applies in the case of human-born viruses: individuals who interact more have a higher incentive to get vaccinated.
Note that in spite of the above, agents tend to underinvest in equilibrium compared to the socially optimal investment level. This is the result of free-riding and is in line with classical results of moral hazard in economics and the failure of agents to take into account negative externalities.
In the next section, we study the second class of games: Games of self protection.

Games of Self Protection
In games of self protection, the investment protects only against the intrinsic failure risk. Examples of applications covered by this class of games include airport security when luggage/passengers are only scanned at the originating airport. Airports then otherwise rely on each other's provision of security for transiting passengers/luggage. The same principle applies to security within the European Union, where travelers are only inspected at their point of entry. EU countries otherwise rely on each other's security for travelers within the EU.
Another important example is two-factor authentication (2FA) in computer networks. Consider an e-mail network and a provider such as Gmail. The latter allows its users to use such a two-factor authentication (2FA) feature. Users who take advantage of this option are asked to enter a security code sent to their mobile phone in addition to their password entered upon authentication. 2FA thus effectively protects against direct hacking attacks (a user's personal intrinsic risk). Indeed, access to the account with 2FA can only be granted conditional on the user having access to the mobile phone linked to this account. Yet, 2FA does not diminish the user's exposure to cascading failure risk (i.e. malware transmitted through the e-mail network): carelessly opening an infected e-mail attachment from a friend can fully compromise his account.
We now have the following definition: Definition 12 (Games of self protection). In a game of self protection, the effective failure probability has the following form for some k ∈ [0, 1] and In games of self protection, as can be seen in (7), an agent's investment in protection only decreases his intrinsic probability of failure p. It has no effect on his cascading failure probability q d (T (µ)). Again, the parameter k governs the effectiveness of the investment in protection corresponding to the action a.
Before stating our second theorem, we introduce the following definition.
Definition 13 (Lower-threshold strategy). A strategy µ is a lower-threshold strategy if there exists d L ∈ N + {∞}, such that: Under a lower-threshold strategy, agents with degrees below a certain threshold invest in protection whereas agents with degrees above that threshold do not invest. Note that the definition above does not place any restriction on the strategy at the threshold d L itself; we allow randomization at this threshold.
Games of self protection are supermodular. In other words, they are of strategic complements: the more other agents invest in protection (the lower T (µ)), the more an agent has an incentive to invest in protection. Since games of self protection are effectively coordination games, there can be multiple equilibria. The next result shows that any equilibrium can be characterized by a lower-threshold strategy. In other words, the thresholds are reversed when compared to games total protection (cf. Theorem 1).
Theorem 2 (Self Protection). In a game of self protection, any equilibrium µ * is a lowerthreshold equilibrium. That is, µ * is a lower-threshold strategy.
Higher cascade risk thus leads to lower incentives to invest in protection. This is because an agent remains exposed to the failure risk of others irrespectively of whether he invests in protection. An investment in protection thus has lower returns as the cascading failure risk increases. An agent's cascading failure risk increases in degree, and thus higher-degree agents invest less in protection than lower-degree agents. The intuition is that higher-degree agents are more exposed to cascading failure risk than lower-degree agents, thus making an investment in their own self protection relatively less rewarding.
In the example of airport security, an airport that interacts with a high number of other airports has smaller incentives to invest in its own security, since it remains exposed to a high risk of being hit by an event coming from a connecting flight. This, as before, is assuming that the passengers/luggage are only inspected at their point of origin and not at points of transit. In the example of two-factor authentication (2FA) in an email network, it is the users with a high number of contacts who have lower incentives to enable this security feature since they remain exposed to infected email attachments from their many contacts.
The fact that, in games of self-protection, the incentives are reversed has important implications. In fact, the more connected (higher-degree) agents have a lesser incentive to invest in protection even though they are more vulnerable and more dangerous, i.e. they are hubs through which cascading failures can spread. More central agents thus have lower incentives to internalize the risk they impose on the system, pointing to an inefficient outcome. Moreover, in equilibrium, the total cost of protection is born by lower-degree agents: those who have the smallest effect on decreasing T (µ).

Games of Networked-Risk Protection
In games of networked-risk protection, the investment protects only against the cascading failure risk. It does not protect against intrinsic failure risk.
Examples of applications include protection against many sexually transmitted diseases. For instance, the use of condoms protects against the transmission of HIV/AIDS through sexual partners. Nevertheless, such practices leave agents exposed to the external risk of being infected through a medical mistake in a hospital (e.g. with an infected syringe).
We have the following definition: Definition 14 (Games of networked-risk protection). In a game of networked-risk protection, the effective failure probability has the following form for some k ∈ [0, 1] and We now show that a game of networked-risk protection is structurally equivalent to a game of total protection. Corollary 1. A game of networked-risk protection is structurally equivalent to a game of total protection. Particularly, an equilibrium strategy µ * in any game of networked-risk protection is unique and is characterized by an upper threshold.
It is easy to see that agents have lesser incentives to invest than in the case of a game of total protection. Indeed, the marginal utility of investing in the latter case is always V pk higher, because an investment also protects against the intrinsic failure risk. We thus conclude that µ * tp µ * np , where µ * tp and µ * np are the investment profiles in games of total and networked-risk protection, respectively. In other words, if an agent of some degree invests in the case of networked-risk protection, then he will necessarily also invest in the case of total protection. In the interest of space, we skip further in-depth discussion of the results in this section as they mainly replicate the results of Section 4.1.

Welfare, Risk and Comparative Statics
The next proposition states when the equilibrium expected utility and effective failure risk of an agent are monotone in degree.
Proposition 2 (Risk and Welfare I). Let a d ∈ µ * (d): • (i) The equilibrium expected utility U d (a d , µ * ) is non-increasing in d.
• (ii) In a game of self protection, the equilibrium effective failure probability B(p, q d (T (µ * )), a d ) is non-decreasing in d.
Note that there is no analogue to Part (ii) for games of total protection or networked-risk protection. The equilibrium effective failure probability can be non-monotone in degree. Indeed, the upper-threshold strategy means that higher-degree agents invest in protection and may thus have a lower effective failure probability than lower-degree agents.
We will now state a welfare result for games of self protection. These games are easier to analyze because they are of strategic complements. In games of self-protection, agents effectively pool their investments in protection and, as said earlier, there can be multiple equilibria. These equilibria can however be ordered by level of investment. Suppose there are m possible equilibria. Then, they can be ordered in the following way . We then have a second welfare result.
Proposition 3 (Welfare II). In a game of self protection, let µ * k µ * l be two equilibria ordered by level of investment. Then µ * l weakly Pareto-dominates µ * k . This result is not trivial. It effectively states that in the high-investment equilibrium, the decrease in risk resulting from higher investments outweighs the cost of those investments. This is due to the positive externality stemming from the effect of pooled investments in protection, which reduce all agents' failure risk.
We can focus our attention on the minimum-investment equilibrium µ * and the maximuminvestment equilibriumμ * . In the former, T (µ * ) is actually maximal since agents invest least, while in the latter, T (μ * ) is actually minimal since agents invest most. From Proposition 3, agents playing the minimum-investment equilibrium can be thus considered a coordination failure.
In Fig. 3, we illustrate Theorems 1 and 2 on a complex network. We see how the upper (resp. lower) threshold nature of equilibria in games of total (resp. self) protection affects the spread of cascading failures differently.
We now state a result comparing the welfare in games of total and self protection.
, µ) be the utilitarian welfare under strategy µ. Specifically, we denote by W tp (·) the utilitarian welfare in a game of total protection and by W sp (·) the utilitarian welfare in a game of self protection, when all other model parameters are held fixed. Then W tp (µ * ) > W sp (μ * ), where µ * is the unique equilibrium in a game of total protection andμ * be the maximum-investment equilibrium in a game of self protection. The above proposition states that the unique equilibrium in a game of total protection welfare-dominates the higher-investment equilibrium in a game of self protection. This result is mainly due to the fact that the return on investment in a game of total protection is higher than in a game of self protection, since it protects against the total risk of failure (not just the intrinsic risk of failure).
An advantage of our informational setting is that we can relate equilibrium behavior to network properties as captured by the edge-perspective degree distributionf (d). We can then ask questions such as "does a higher level of connectedness 13 increase or decrease the incentives to invest in protection?" This is examined in the next proposition.
Proposition 5 (Shifting Degree Distribution). Let µ * andμ * be the minimum-and maximuminvestment equilibria in a game of self protection, when the edge-perspective degree distribution isf . Then, a first-order distributional shift 14f f results in µ * µ * andμ * μ * and thus in T (µ * ) ≥ T (µ * ) and T (μ * ) ≥ T (μ * ). Thus in a game of self protection, a higher level of connectedness leads to lower incentives to invest in protection: each of the new maximum-and minimum-investment equilibria are weakly dominated by the corresponding equilibria in the less connected network. The intuition behind this result is that an agent is more likely to be connected to a high-degree neighbor (high contagion risk and unprotected). This increases the agent's cascading failure risk and therefore lowers the incentive to invest in self protection. We note that in equilibrium, the corresponding neighbor failure probabilities are larger, i.e. T (µ * ) ≥ T (µ * ) and T (μ * ) ≥ T (μ * ).
Note that there is no straightforward analogue to Proposition 5 in the case of total protection or networked-risk protection. In fact shiftingf (d) may in this case increase the probability of having a protected neighbor or an unprotected one, depending on the extent of the shift inf (d) and on the threshold d U in the upper-threshold strategy. A shift inf (d) could thus potentially have non-monotone effects.
When cascading failures follow a contact process as in the examples of Section 3.3, it is interesting to study the effect of a change in the infectiousness parameter r on equilibria. The following two propositions illustrate that a change in r has opposite effects, depending on whether the game is one of self protection or total protection. Proposition 6 (Varying Infectiousness). Suppose cascading failures follow a contact process with infectiousness parameter r, as in the examples of Section 3.3. Let µ * andμ * be the minimum-and maximum-investment equilibria in a game of self protection and let µ * be the unique equilibrium in a game of total (or networked-risk) protection. Then, an increase r > r in infectiousness results in: • (i) µ * µ * andμ * μ * and thus in T (µ * ) ≥ T (µ * ) and T (μ * ) ≥ T (μ * ).
13 Note that by a higher level of connectedness, we mean an edge-perspective degree distribution placing higher mass on higher-degree nodes. We do not mean the presence of short paths between any two nodes.
Part (i) says that in a game of self protection, when cascading failures follow a contact process, a higher level of infectiousness creates lower incentives for agents to invest in protection: the initial increase in T (µ) caused by higher infectiousness causes an even greater increase in T (µ) as a result of strategic interactions. The situation is very different in a game of total (or networked-risk) protection, as shown in Part (ii), where a higher level of infectiousness creates higher incentives for agents to invest in protection. This investment in protection is however not enough to counter the increase in rT (µ) caused by a higher level of infectiousness. This is because agents free-ride on the protection provided by others and thus an increase in rT (µ) cannot be completely compensated.
The next result examines the effect of an increase in the parameter k, which governs the extent of the protection resulting from an investment.
Proposition 7 (Varying the Quality of Protection). Let µ * andμ * be the minimum-and maximum-investment equilibria in a game of self protection and let µ * be the unique equilibrium in a game of total (or networked-risk) protection with parameter k. Then, k > k results in: • (i) µ * µ * andμ * μ * , and thus in T (µ * ) ≤ T (µ * ) and T (μ * ) ≤ T (μ * ).
Thus in a game of self protection, an increase in the protection quality results in a higher investment and a reduction in a neighbor's probability of failure. Strategic interactions thus further add to the benefits of an improvement in the protection technology. On the contrary, in a game of total (or networked-risk) protection, such an increase in the protection quality results in a lower investment. However, it still results in a reduction of a neighbor's probability of failure, which is due entirely to the increase in protection quality.

Endogenizing the Cost of Protection
So far, we have only examined network effects. That is, a utility function depends on other agents only through the failure probability of one's neighbors. In reality, global feedback effects might also influence an agent's utility. By 'global feedback effects', we mean effects that impact an agent's utility in other ways than through its neighbors on the network. For instance, prices of vaccines, computer security solutions or airport security equipment might be affected by demand (i.e. by µ). Likewise, if protection is provided under the form of insurance 15 , the insurance premium might depend on the overall failure level in the population, which itself depends on the overall level of investment in protection. Such price feedback effects, in addition to network effects, are also considered in Jackson and Zenou (2014). Gagnon and Goyal (2017) also build a model in which agents' utilities are affected both by their neighbors on a social network and by effects unrelated to that network.
In this section, we introduce such global feedback effects to the model developed in the previous sections. We focus on global feedback through the cost of protection, which can take the form of a price to be paid.
We will introduce the following function, which maps a strategy µ to the corresponding probability that a randomly-picked agent invests in protection: Definition 15. Let the function G : M → [0, 1] be defined as: Thus to each strategy µ corresponds a fraction G(µ) of agents who invest in protection. Furthermore, it is easy to notice that this function G increases in µ.
We will explore a setting in which the cost of protection is influenced by global demand. Namely, when the cost of protection depends monotonically on total demand: C g = C · g(G(µ)), where g(·) is either an increasing or a decreasing continuous function of the total fraction of people G(µ) willing to invest in protection. In the following examples, we outline two situations that can be modeled by the function g(·).
Example 1 (g(·) increasing). This case corresponds to the situation where the product is scarce or there are global congestion effects. For instance, a vaccine might be produced in limited quantity and thus, the more people demand it, the harder it may be to obtain it, which will have an increasing effect on price.
Example 2 (g(·) decreasing). This corresponds to the case of economies of scale. For instance, a new airport security technology might require significant initial R & D investments. Producing it in large numbers may thus lead to a lower cost per unit, which may lower the price.
We will slightly modify a degree-d agent's expected utility function in order to introduce the global feedback effect: Note that the cascading failure probability q d (T (µ)) does not depend explicitly on the global fraction of agents who invest in protection, as it is solely driven by network effects, i.e. through an agent's neighborhood. It is also important to mention that the introduction of a global externality does not affect the definition of T (µ). The latter function was defined to be the failure probability of a randomly-picked neighbor, which does not depend explicitly on the total fraction of agents investing in protection G(µ).
We will now modify the optimality condition in order to ensure that this fraction G(µ) arises in equilibrium. We can redefine the set of optimal responses as follows: Definition 16. Let S d (T (µ), G(µ)) ⊂ [0, 1] denote the set of optimal responses for a degree-d agent given T (µ) and G(µ); i.e.: Let S(T (µ), G(µ)) ⊂ M denote the set of optimal strategies given T (µ) and G(µ); i.e., We now only need to slightly modify the equilibrium condition: Definition 17 (Mean-Field Equilibrium with Endogenized Cost of Protection). A strategy µ * constitutes a mean-field equilibrium (MFE) if µ * ∈ S(T (µ * ), G(µ * )).
It turns out that the main results that were stated in the previous sections of the paper are robust to the introduction of this global externality. We summarize those more general results in the following proposition.
Proposition 8 (Network Security Game with Endogenized Cost of Protection).
• (i) (Existence): There exists a mean-field equilibrium in the game with endogenized cost or protection.
• (ii) (Threshold Strategies): The threshold characterization of equilibria is robust to the endogenization of the cost of protection. The equilibrium is of: (1) an upperthreshold nature for a game of total protection and networked-risk protection; (2) a lower-threshold nature for a game of self protection.
• (iii) (Uniqueness): In a game of total protection or of networked-risk protection, the mean-field equilibrium µ * is unique if g(·) is an increasing function.
As before, there can be multiple equilibria for games of self protection.

Conclusion
In this paper, we developed a framework to study the strategic investment in protection against cascading failures in networked systems. Agents connected through a network can fail either intrinsically or as a result of a cascade of failures that may cause their neighbors to fail. We studied three broad classes of games covering a wide range of applications. We showed that equilibrium strategies are monotone in degree (i.e. in the number of neighbors an agent has on the network) and that this monotonicity is reversed depending on whether (i) an investment in protection insulates an agent against the risk of failure of his neighbors (games of total protection and games of networked-risk protection) or (ii) only against his own intrinsic risk of failure (games of self protection). The first case covers the important examples of vaccination, anti-virus software as well as protection against sexually-transmitted diseases.
Here it is the more connected agents who have higher incentives to invest in protection. The second case, on the other hand, covers examples such as airport/EU security as well as other types of computer security solutions such as two-factor authentication (2FA). Here it is the less connected agents who have higher incentives to invest in protection. Our analysis reveals that it is the nature of strategic interactions (strategic substitutes/complements), combined with a network structure that leads to such strikingly different equilibrium behavior in each case, with important implications for the system's resilience to cascading failures.
Our model is simple and the incomplete information framework that we use allows for a tractable treatment. The unobservability of the network is a credible assumption for many applications. In the applications of vaccination or computer security, agents typically do not know the topology of the social network or email network, for example. They merely know the number of connections that they have. Our equilibrium concept then predicts the behavior of the agents based on their level of interaction with the population (their degree).
The property that neighbors fail independently imposes a realistic cognitive burden on agents and allows for a tractable way to express an agent's expected cascading failure probability. This property is similar to the local tree-like assumption used in other models such as Lelarge and Bolot (2008a) and is valid for large or relatively sparse networks. In spite of its advantages, this property may no longer be realistic for small or dense networks. However, as long as an agent's cascading failure probability is monotone in degree (which may still be approximately the case, even in some smaller/denser networks), our monotonicity results could hold, at least approximately.
In the case of airport security or EU security, the topology of the network of airports or countries can credibly be known and influence the decisions of the agents. It would be interesting to extend our analysis to the case where agents know the topology of the network. While it is likely that equilibrium behavior would still be monotone in the level of interaction of the agents with the rest of the population, degree centrality may no longer be the appropriate measure. It would be interesting to see if in this case, one could somehow relate equilibrium behavior to some other measure of network centrality as in Acemoglu et al. (2016). Such extensions are left for future work.
Kakutani's fixed point theorem requires that Φ have a compact domain, which is trivial since [0, 1] is compact. Further, Φ(α) must be nonempty; again, this is straightforward, since both S and T have nonempty image.
Next, we show that Φ(α) has a closed graph. We first show that S has a closed graph, when we endow the set of strategies with the product topology on [0, 1] ∞ . This follows easily: if α n → α, and µ n → µ, where µ n ∈ S(α n ) for all n, then µ n (d) → µ(d) for all d. Expressing utility as a function of α, i.e. U d (a, α) = −V · B(p, q d (α), a) − C · a, we see that U d (1, α) and U d (0, α) are continuous, and it follows that µ(d) ∈ S d (α), so S has a closed graph. Note also that with the product topology on the space of strategies, T is continuous: if µ n → µ, then T (µ n ) → T (µ) by the bounded convergence theorem.
To complete the proof that Φ has a closed graph, suppose that α n → α, and that α n → α , where α n ∈ Φ(α n ) for all n. Choose µ n ∈ S(α n ) such that T (µ n ) = α n for all n. By Tychonoff's theorem, [0, 1] ∞ is compact in the product topology; so taking subsequences if necessary, we can assume that µ n converges to a limit µ. Since S has a closed graph, we know µ ∈ S(α). Finally, since T is continuous, we know that T (µ) = α . Thus α ∈ Φ(α), as required.
Theorem 1. For convenience, since the expected utility U d (a, µ) depends on µ only through α = T (µ), we may write it as a function of α as follows.
Consider the incremental expected utility for an agent of degree d, i.e.
We will first show that any equilibrium is an upper-threshold strategy. Consider ∆U d (α) as a function of the continuous variable d over the connected support [1, ∞). From (A.2), we can write Since q d (α) is non-decreasing in d, for any α ∈ (0, 1), ∆U d (α) is a non-decreasing function of d. It follows that the inverse image of (−∞, 0) is ∅ if ∆U 1 (α) > 0 or an interval [1, x) where x ≥ 1 otherwise. The integers in such intervals (i.e. ∅ N + or [1, x) N + ) represent the degrees of agents for whom not investing in protection is a strict best response, i.e. {d : S d (α) = {0}}. It follows that the degrees of agents for whom investing in protection is a strict best response (i.e. {d : S d (α) = {1}}) are located at the rightmost extremity of the degree support.
Thus we may write µ(d) = 1, for all d > d U and µ(d) = 0, for all d < d U . This is valid for any best-responding strategy µ and it is therefore valid for any equilibrium strategy µ * .
We now prove equilibrium uniqueness. We prove it in a sequence of steps: Step 1: For all d ≥ 1, ∆U d (α) is strictly increasing in α ∈ [0, 1]. This follows directly from Definition 3.
Step 2: For all d ≥ 1, and α > α, S d (α ) S d (α). 16 This follows immediately from Step 1 and the definition of S d in Definition 8.
It then follows from the threshold nature of the equilibrium strategy µ * that to α * , there corresponds a unique µ * ∈ S(α * ) such that α * = T (µ * ).
Theorem 2. For convenience, we do as in the proof of Theorem 1 and write the expected utility U d (a, α) as a function of α.
In a game of self protection, consider now ∆U d (α) as a function of the continuous variable d over the connected support [1, ∞). From (7) and (2), we can write Since q d (α) is non-decreasing in d, for any α ∈ (0, 1), ∆U d (α) is a non-increasing function of d. It follows that the inverse image of (−∞, 0) is an interval [1, ∞) if ∆U 1 (α) < 0 or an interval (x, ∞) where x ≥ 1 otherwise. The integers in such intervals (i.e. [1, ∞) N + or (x, ∞) N + ) represent the degrees of agents for whom not investing in protection is a strict best response, i.e. {d : S d (α) = {0}}. It follows that the degrees of agents for whom investing in protection is a strict best response (i.e. {d : S d (α) = {1}}) are located at the leftmost extremity of the degree support.
Thus we may write µ(d) = 1, for all d < d L and µ(d) = 0, for all d > d L . This is valid for any best-responding strategy µ and it is therefore valid for the equilibrium strategy µ * .
Corollary 1. The result follows from comparing the incremental expected utility of an agent of degree d in the case of networked-risk protection (see (A.3) below) with the one in the case of total protection (see (A.2) in the proof of Theorem 1): By comparing (A.3) to (A.2), it is easy to see that the incremental utility of investing in protection is V pk > 0 higher in the case of total protection. Otherwise, ∆U d (α) is increasing in d and a similar argument as in the proof of Theorem 1 leads to the conclusion that the equilibrium strategy µ * is of an upper-threshold nature.
U d (a, α, ω) = −V · B(p, q d (α), a) − C · g(ω) · a (A.14) For a game of total protection, the incremental expected utility for an agent of degree d is ∆U d (α, ω) = V · (p + (1 − p)q d (α)) k − C · g(ω) (A.15) We will consider the case when g(ω) is an increasing function. As in the proof of Theorem 1, we will conduct the analysis in 4 steps.
Step 3: For any strategies µ , µ such that µ (d) ≥ µ(d), ∀d ≥ 1, then G(µ ) ≥ G(µ) and T (µ ) ≤ T (µ). As we have noted before, the global externality does not have a direct impact on F(µ, α) and thus the behavior of T (µ) remains as in step 3 of the proof of Theorem 1.
Thus, we showed that in a game of total protection with both endogenized cost (with g(·) increasing), any MFE must be unique. Uniqueness in the case of a game of networkedrisk protection follows by its structural equivalence to a game of total protection (Corollary 1).