ARTICLE IN PRESS Reliability Engineering and System Safety 94 (2009) 1711–1717
Meeting a demand vs. enhancing protections in homogeneous parallel systems

Gregory Levitin (a, corresponding author), Kjell Hausken (b)

(a) The Israel Electric Corporation Ltd., Haifa, Israel
(b) Faculty of Social Sciences, University of Stavanger, Norway

Article history: Received 9 December 2008; received in revised form 5 May 2009; accepted 13 May 2009; available online 27 May 2009.

Keywords: Risk; Vulnerability; Planned losses; Forced losses; Optimization; Defense; Attack; Protection; Redundancy

Abstract

The article considers defense resource allocation in a system exposed to planned and forced losses. The defender distributes its limited resource between deploying identical system elements and their protection from attacks. Planned losses arise if there are not enough elements to meet the demand. Forced losses arise if an external attack reduces the performance below the demand. The attacker distributes its effort evenly among all the elements or among elements from a chosen subset. The vulnerability of each element is determined by an attacker–defender contest success function. The expected damage caused by the attack is proportional to the system performance reduction below a planned level of demand satisfaction. © 2009 Elsevier Ltd. All rights reserved.
Corresponding author: G. Levitin. doi:10.1016/j.ress.2009.05.011

1. Introduction

Classical reliability theory considers providing redundancy and improving reliability of elements as measures of system reliability enhancement. When the defense of systems exposed to intentional attacks is concerned, the separation of elements and their protection against malicious impacts become essential elements of the defense strategy. The defender must make a decision about distribution of the system defense resources among different defensive measures. This article considers a situation when a defender deploys costly separated identical system elements and protects them to minimize the losses associated with not meeting the demand. The protection is a technical or organizational measure aimed at the reduction of the destruction probability of system elements in the case of attack. Losses may be planned or forced. Planned losses are those where the producer decides not to meet the demand. This can occur when the penalty of doing so is acceptable, or the production costs to meet the demand are high. Forced losses are those where a determined adversary seeks to destroy the elements by attacking them, which reduces their
performance. The attack may occur during war, during times of unrest which turns violent, by terrorists, or by non-violent political maneuvers.¹

¹ The terms "attack" and "defense" are to be understood as metaphors. As [1] puts it on p. 28, "falling also into the category of interference struggles are political campaigns, rent-seeking maneuvers for licenses and monopoly privileges [2], commercial efforts to raise rivals' costs [3], strikes and lockouts, and litigation—all being conflictual activities that need not involve actual violence." Attack and defense are subcategories of appropriative and defensive competitions. We prefer to use the narrower and therefore more precise words attack and defense, which can be substituted with synonyms such as struggle, conflict, battle, etc.

An example of planned losses is the damage associated with limited delivery of electricity during times of hardship or scarcity, or when substitutes such as oil, gas, coal, and wood are available. More generally, we think our model applies for any good for which there is a demand, assuming the good is costly to deploy and that it delivers a performance (something of value). Examples are energy, telecommunications, water supply, grid computing services [4], etc. Planned and forced losses differ across these goods, which can be determined empirically, including the effect of intentional attacks on people, on environment, and on public image, etc. [5]. Incurring planned and forced losses entails different kinds of assessments. The former involves deploying few elements so that the demand is not met, which may be advisable (or not too deplorable) when the losses associated with not meeting the
demand are acceptable. The latter involves losses caused by a determined adversary attacking the system with the intention of reducing its performance. The defender needs to strike a delicate tradeoff between planned and forced losses when determining how many elements to deploy. This tradeoff depends on the relative costs of two kinds of losses. The optimal strategies depend on the cost of deployment, the resources of the defender and attacker, the unit costs of defense and attack efforts, the contest intensity, the demand, the relative unit cost of planned and forced losses, and a variety of other parameters.

Consider as an example an electric power company that plans to supply electricity to new customers in some area. The company has a limited budget that should be divided between deployment of new generating units (and corresponding power transmission and distribution networks) and protecting the units (elements). The system performance in this case is determined by the electric power the system can supply to the customers. The planned losses arise if the company decides to deploy units with cumulative performance (power) insufficient to meet the customers' demand. This will urge some customers to use alternative, more expensive sources of energy and causes increased power costs for them (the company that is in charge of the power supply in the entire area pays compensation to these customers that is associated with planned losses). The forced losses arise when some generating units are destroyed by an attack and some customers lose the power supply abruptly. In the case of unplanned loss of supply, the customers experience blackout that causes forced losses, which are usually much greater than the planned losses. When the company increases the number of new generating units the cumulative generating power increases and the planned unsupplied demand decreases.

Nomenclature

Basic definitions

Element: separated lowest-level part of a system, characterized by its performance and vulnerability
Performance: quantitative measure of task performing intensity of element or system (capacity, productivity, processing speed, task completion time, etc.)
Protection: technical or organizational measure exerted by the defender aimed at the reduction of the destruction probability of a system element in the case of an attack
Attack: action exerted by the attacker to damage the system by destroying it or its parts
Element vulnerability: conditional probability of the element destruction given it is attacked
Planned losses: losses associated with the system's inability to meet a demand when no attack occurs
Forced losses: losses associated with reduction of system performance caused by an attack
Effort: amount of force aimed at destruction or protection of a system element

$R$: entire attacker's resource
$r$: entire defender's resource
$T$: attacker's effort per attacked element
$t$: defender's protection effort per protected element
$A$: unit cost of attack effort
$a$: unit cost of protection effort
$x$: cost of deploying one element
$v$: element vulnerability
$g$: performance of single element
$F$: system demand
$N$: number of elements in the system
$M$: number of protected elements
$Q$: number of attacked elements
$q$: number of attacked elements that are protected
$H_s$: probability of destroying exactly s elements in the system
$m$: attacker-defender contest intensity
$c_p$: unit cost of planned losses
$c_f$: unit cost of forced losses
$a$: losses cost ratio: $a = c_f/c_p$
$L_p$: planned losses
$L_f$: expected forced losses
On the other hand the growth of the number of units causes reduction of the budget remaining for their protection. This causes an increase of the units’ vulnerability and as a result, an increase in the expected forced losses. Determining risk reduction strategies applying reliability theory has usually assumed a static external threat [6–11]. In [12–14] it was assumed that the defender minimizes the success probability and expected damage of an attack, whereas in [15] the
defender attempts to make the cost of a successful attack beyond the capabilities of the attacker without decreasing the chance of successful attacks. The expected damage for any distribution of the attacker’s and the defender’s effort in complex multistate systems was determined in [16]. The September 11, 2001 attack illustrated that major threats today involve strategic attackers. There is a need to proceed beyond earlier research and assume that both the defender and the attacker of a system are fully strategic optimizing agents (see [17] for an analysis where one agent defends each component in a system, [18,19] for interdependence between components, and [20] for defense and attack of series and parallel systems). This article assumes that successful attack on each element totally destroys this element. Only damage caused by the attack is considered without taking into account the elements’ failures. This simplification allows a clear understanding of the qualitative interrelation between the redundancy and the protection. Section 2 presents the model. Section 3 assumes that the defender protects all the elements equally and the attacker attacks all the elements equally. Section 4 assumes that the defender protects a subset of the elements and the attacker attacks a subset of the elements. Section 5 concludes.
2. The model

We consider a system that is built from identical parallel elements with the same functionality, each having the performance g. The entire system performance is equal to the sum of the performances of all its available elements. All the elements are separated so that only one element can be destroyed by a single attack. The existing demand is F. If the number of elements is not enough to meet the demand ($Ng < F$), the defender has planned losses $L_p$ proportional to the demand deficiency [16]:

$$L_p = c_p \max\{0, F - Ng\}. \tag{1}$$
When the system performance decreases as a result of an attack, the forced losses are proportional to the extent of performance reduction below the demand F (when the demand is initially satisfied, $Ng \ge F$) or below the planned cumulative performance Ng (when $Ng < F$). For any N, the forced losses $L_f$ take the form

$$L_f = c_f \max\{0, \min\{Ng, F\} - (N - k)g\} \tag{2}$$

if exactly k out of N elements are destroyed by the attack. When the demand is met ($F < Ng$), forced losses are $c_f \max\{0, F - (N - k)g\}$. When the demand is not met ($F > Ng$), forced losses are $c_f k g$.

Eqs. (1) and (2) give three scenarios. First, demand is met both without and with an attack, i.e. $L_p = L_f = 0$ since $(N - k)g > F$, and there are neither planned nor forced losses. Second, demand is met without an attack, $L_p = 0$ since $Ng > F$, but not with a destructive attack, which causes $L_f = c_f (F - (N - k)g)$ since $(N - k)g < F$, and there are no planned losses, only forced losses. Third, demand is met neither without an attack, which causes $L_p = c_p (F - Ng)$ since $Ng < F$, nor with an attack, which causes $L_f = c_f k g$ since $(N - k)g < F$, and there are both planned and forced losses. The scenario in which demand is not met without an attack, but is met with an attack, is not possible.

The total attacker's resource is R. The cost of the attacker's effort unit is A. The defender's resource is r. This resource is distributed between protection and deployment of elements. The resource needed to deploy one element is x, so we assume $r \ge Nx$ and $N \ge 1$. The cost of the protection effort unit is a. For example, the attacker's and the defender's resources R and r can be measured as available budgets, whereas the attack and the protection efforts T and t can be measured as the cumulative destructive power of attacking weapons and the strength of protection shields respectively. The cost of effort units A and a and the available resources influence the corresponding efforts allocated to system elements.

As shown in [25], the vulnerability of complex objects should be represented by a multidimensional index that characterizes different types of possible damages and the risk associated with the system.
In this paper we assume that the system elements are so simple that they can be totally destroyed by any successful attack (for example a section of a power station boiler is totally destroyed if it is perforated in any place by any type of destructive factor caused by an attack). Therefore we define element vulnerability as a scalar index equal to the conditional probability of element destruction given the element is attacked (alternatively, it can be defined as the success probability of attack against the element). The element vulnerability depends on attack and protection efforts allocated to this element. The vulnerability can be determined by the attacker–defender contest success function modeled with the common ratio form [21–23] as

$$v = \frac{T^m}{T^m + t^m}, \tag{3}$$

where T and t are respectively the efforts of the attacker and the defender allocated to each element ($\partial v/\partial T > 0$, $\partial v/\partial t < 0$), and m is the contest intensity. Ref. [26] discusses m and how it may change through a process where a system is separated into multiple elements to ensure redundancy. The contest intensity may increase or decrease, which affects the separation efficiency and expected damage for systems with various kinds of demand requirements and performance redundancy.

A benchmark intermediate value is m = 1, which means that the investments have proportional impact on the vulnerability. This intermediate value is realistic when the agents have corresponding defense and attack technologies not giving undue advantage to one agent, and when neither economies nor diseconomies of scale for defense and attack are involved. $0 < m < 1$ gives a disproportional advantage of investing less than one's opponent. $m > 1$ gives a disproportional advantage of investing more effort than one's opponent (economies of scale). Hence decreasing m below 1 gives a more egalitarian contest, while increasing m above 1 gives a more competitive contest.

In the extreme case m = 0, the efforts t and T have equal impact on the vulnerability regardless of their size, which gives 50% vulnerability. Then defense and attack do not matter since the vulnerability depends on factors outside the agents' control, such as system characteristics, natural events, or an outside actor empowered to exclude any role for defense and attack. We do not model such other factors and set the vulnerability to 50% in this case. Conversely, the other extreme case $m = \infty$ gives a step function where "winner-takes-all". For example, assume a system located behind a secure vault. In some such contests over entry to the vault there is one winner, which is the agent exerting marginally more effort than the other agent. If the defender wins, he continues to guard the vault with 100% system safety. If the attacker wins, he enters the vault destroying the system 100%.

The parameter m is a characteristic of the contest which can be illustrated by the history of warfare. Low intensity occurs for components that are defendable, predictable, and where the individual ingredients of each component are dispersed, i.e. physically distant or separated by barriers of various kinds. Neither the defender nor the attacker can get a significant upper hand. An example is the time prior to the emergence of cannons and modern fortifications in the fifteenth century. Another example is entrenchment combined with the machine gun, in multiple dispersed locations, in World War I [1]. High m occurs for components that are less predictable, easier to attack, and where the individual ingredients of each component are concentrated, i.e. close to each other or not separated by particular barriers. This may cause "winner-take-all" battles and dictatorship by the strongest.
Either the defender or the attacker may get the upper hand. The combination of airplanes, tanks, and mechanized infantry in World War II allowed both the offense and the defense to concentrate firepower more rapidly, which intensified the effect of force superiority. The contest success function was initially used in rent seeking and expresses agents’ success in securing a rent dependent on efforts exerted [2]. Higher effort gives higher success, but is also costly. Traditional reliability theory focused on how reliable a system is, which depends on internal failure rates, technology, weather conditions, and other factors which have typically been of a non-intentional nature. As an intentional adversary gets introduced to reliability theory, with objectives opposite to that of the system defender, conflict becomes inevitable and natural to extend reliability theory to model this conflict. In the authors’ view this becomes a question about resource expenditures, i.e. how much effort to exert to ensure, versus not ensure, that the element survives the attack. The contest success function in (1), especially with the intensity parameter m, provides substantial flexibility for how the element’s vulnerability depends on the resources expended by the defender and the attacker. For example, the defender may construct the system protection with more solid material, may insulate the system better, and may design protective shields of multiple kinds to reduce its vulnerability. If the attacker expends the same amount of resources as before the defender’s improvements, the element will have more chances to survive, contrary to the attacker’s objective. Hence the attacker faces the dilemma between accepting this reduced vulnerability and expending more resources to increase the vulnerability. 
More resources means to design a more solid attack with increased probability of being successful even against the more solidly defended system, and increased probability of breaking through the multiple protective shields. In some situations the attacker cannot direct the attack exactly against certain targets (for example, low precision missile attack
against a group of separated targets) and the defender cannot protect only a subset of targets (for example in the case of antiaircraft defense in the area where the targets are located). In such situations one should assume that both the attacker and the defender distribute their efforts evenly among all elements. It was shown in [20] that even resource distribution is optimal for both the attacker and the defender in homogeneous parallel systems in the case when both agents have full information about the resource distributions of each other. Indeed, the defender cannot leave unprotected elements if the attacker can easily observe this and destroy these elements with negligible effort. The case of even resource distribution is considered in Section 3.

On the contrary, if the information about the protected elements is unavailable to the attacker, it may be beneficial for the defender to protect some of the system elements, concentrating more resources on protecting this subset. The attacker can also prefer to attack a subset of the elements to achieve effort superiority or avoid effort inferiority for each of the attacked elements. Section 4 considers the case when the defender chooses a subset of elements to protect and the attacker chooses a subset of elements to attack.
3. The defender and the attacker distribute their effort evenly among all elements

Consider the case when the defender distributes its resource r between deployment of N elements and their protection (the protection investment is evenly distributed among the elements). The cost of a single element is x. The effort allocated to the protection of each element is $t = (r - Nx)/(aN) = (r/N - x)/a$. The attacker attacks all N elements and distributes its resource evenly among them. The effort allocated to attacking each element is $T = R/(NA)$. The vulnerability of each element is

$$v = \frac{T^m}{T^m + t^m} = \frac{[R/(NA)]^m}{[R/(NA)]^m + [(r/N - x)/a]^m} = \frac{R^m}{R^m + e^m (r - Nx)^m} = \frac{1}{1 + e^m (r/R - Nx/R)^m}, \tag{4}$$

where $e = A/a$.

The damage caused by an attack is associated with reduction of the cumulative system performance in the case of destruction of some elements. If the number of destroyed elements is k, the forced performance reduction is

$$d = \max\{0, \min\{Ng, F\} - g(N - k)\}. \tag{5}$$

The expected forced losses can be obtained as

$$L_f = c_f \sum_{k=0}^{N} \binom{N}{k} v^k (1 - v)^{N-k} \max\{0, \min\{Ng, F\} - g(N - k)\}. \tag{6}$$

The total losses are

$$L = L_p + L_f = c_p \max\{0, F - Ng\} + c_f \sum_{k=0}^{N} \binom{N}{k} v^k (1 - v)^{N-k} \max\{0, \min\{Ng, F\} - g(N - k)\}. \tag{7}$$

We can normalize the losses and obtain

$$L^* = L/c_p = \max\{0, F - Ng\} + a \sum_{k=0}^{N} \binom{N}{k} v^k (1 - v)^{N-k} \max\{0, \min\{Ng, F\} - g(N - k)\}. \tag{8}$$

Since our focus in this paper is the tradeoff between planned and forced losses, where planned losses require not only $F > g$ but also $F > Ng$, analysis of the 1-out-of-N ($F \le g$) system is out of scope for this paper.

Consider an example of a power system that should supply a demand F = 1 by deploying generating units with capacity g = 0.1 each. Each deployed unit is protected by a casing. The strength of the casing (protection effort) depends on the protection budget allocated to each unit. Fig. 1 presents the normalized losses as a function of the cost x of deploying one generating unit for e = r = R = m = 1, a = 2, and different values of the number N of units. The planned losses $\max\{0, F - Ng\}$ are, respectively, 0.9, 0.5, 0.2, 0, 0, 0, for these six values of N, independent of x, and the forced losses come in addition. Total losses increase in the cost of each element. The advantage of many units (more than 10 in this case) is no planned losses. This causes a low level of total losses when the cost of deployment is low. But losses increase more steeply with many elements, so with high cost not too many elements should be deployed. The defender needs to strike a delicate tradeoff between the planned and the forced losses when determining N. It can be seen from Fig. 1 that for the considered parameters and deployment options, $1 < N < 20$ is never beneficial. Indeed, for $x < 0.033$, $L^*$ is minimal when N = 20, whereas for $x \ge 0.033$, $L^*$ is minimal when N = 1.

Fig. 1. Normalized losses as a function of x for different values of N.

Figs. 2–4 present the normalized losses as a function of N for e = r = R = 1, x = 0.05, g = 0.2 and different values of the demand F, the contest intensity m, and the losses cost ratio a.

Fig. 2. Normalized losses as a function of N for different values of F (e = r = R = m = 1, a = 1.5, x = 0.05, and g = 0.2).

It can be seen that for any combination of the model parameters one can find the number of elements N that minimizes the expected losses. Therefore, the optimal defender's strategy is to find the number of elements that minimizes its expected losses:

$$N(a, x, g, m, F) = \arg\{L^*(N, a, x, g, m, F) \to \min\}. \tag{9}$$

Fig. 5 shows the numerically obtained optimal value of N and the corresponding normalized expected losses as functions of the losses cost ratio a and the contest intensity m. It can be seen that with increase in a, the optimal number of elements decreases and eventually drops to one. Indeed, when a increases and the cost of the forced losses becomes dominating, the defender should spend all its resources in protecting the smaller system against the attack, even if such resource distribution leads to an increase of the planned unsupplied demand. The greater the contest intensity, the more beneficial is allocating the defender's resources to system protection. This explains the reduction of optimal N with the growth of m. The minimal achievable normalized expected losses grow with both a and m.
Fig. 3. Normalized losses as a function of N for different values of m (e = r = R = 1, a = 1.5, x = 0.05, g = 0.2, and F = 3).

Fig. 4. Normalized losses as a function of N for different values of a (e = r = R = 1, m = 0.5, x = 0.05, g = 0.2, and F = 3).

Fig. 5. Optimal number of elements and corresponding normalized losses as functions of cost ratio a for different values of m (e = r = R = 1, x = 0.05, g = 0.2, and F = 3).

4. The defender protects a subset of elements, the attacker attacks a subset of elements

If $F \le g$, the attacker has to destroy all N elements in order to cause unsupplied demand. In the case when $F > g$, unsupplied demand can be caused by partial destruction of the system. To increase the expected damage the attacker can decide to attack $Q < N$ elements, concentrating more effort on attacking each one of the chosen Q elements (the attacker's effort per target increases from $R/(NA)$ to $R/(QA)$). The defender can also decide to protect M out of N elements, allocating the effort $t = (r - Nx)/(Ma)$ to each one, if the attacker has no information about the defense effort distribution among the elements and chooses the attacked elements randomly. In this case both the attacker and the defender have free choice variables that determine their strategies: the defender chooses N and M whereas the attacker chooses Q.

The defender builds the system over time. The attacker takes it as given when it chooses its attack strategy. Therefore, we analyze a two-period game where the defender moves in the first period, and the attacker moves in the second period. Hence the optimal defender strategy (N, M) can be found as a solution of a minmax game in which the defender should choose N and M that minimize the expected losses, given that for any N and M the attacker chooses Q that maximizes the expected losses:

$$(N, M) = \arg_{N,M}\left\{ D\left(N, M, Q^* = \arg_{Q}\{D(N, M, Q) \to \max\}\right) \to \min \right\}. \tag{10}$$

When the attacker chooses Q, it knows the defender's strategy (N, M), but does not know which M elements are protected. Therefore the attacker chooses Q out of N elements to attack at random. For any given defense strategy (N, M), there are M protected and $N - M$ unprotected elements in the system. When the attacker attacks Q elements, the number of attacked protected elements can vary from $\max\{0, Q - N + M\}$ to $\min\{Q, M\}$. According to the hypergeometric distribution, the probability that the attacker attacks exactly q protected elements and $Q - q$ unprotected elements is

$$p(q) = \frac{\binom{M}{q} \binom{N - M}{Q - q}}{\binom{N}{Q}}. \tag{11}$$

The vulnerability of each protected element is

$$v = \frac{T^m}{T^m + t^m} = \frac{[R/(QA)]^m}{[R/(QA)]^m + [(r - Nx)/(Ma)]^m} = \frac{R^m}{R^m + e^m [(r - Nx)Q/M]^m}. \tag{12}$$

The probability that exactly k elements are destroyed out of q protected elements that are attacked is

$$w(q, k) = \binom{q}{k} v^k (1 - v)^{q-k}. \tag{13}$$

All the attacked unprotected elements are destroyed with probability 1. Therefore, if the attacker attacks exactly q protected elements and $Q - q$ unprotected elements, it destroys k elements ($0 \le k \le q$) with probability $w(q, k)$ and $Q - q$ elements with probability 1. The total number of destroyed elements is $k + Q - q$, where random k varies from 0 to q. Note that different q and k can produce the same total number of the destroyed elements s when $k = s + q - Q$. The probability of destruction of exactly s elements can be obtained as

$$H_s = \sum_{q=\max\{0, Q - N + M\}}^{\min\{M, Q\}} p(q)\, w^*(q, s + q - Q) \quad \text{for } s = 0, 1, \ldots, Q, \tag{14}$$

where

$$w^*(q, z) = \begin{cases} w(q, z) & \text{if } 0 \le z \le q, \\ 0 & \text{otherwise.} \end{cases}$$

For any demand F and number of elements N we can obtain the normalized expected losses as

$$L^* = \max\{0, F - Ng\} + a \sum_{s=0}^{Q} H_s \max\{0, \min\{Ng, F\} - g(N - s)\}. \tag{15}$$

The optimal values of M and N can be obtained by the following enumerative procedure.

1. Assign $L_{min} = \infty$;
2. for each $N = 1, \ldots, N_{max}$ (where $N_{max}$ is the greatest integer that does not exceed r/x)
2.1 for each $M = 1, \ldots, N$
2.1.1 assign $L_{max} = 0$;
2.1.2 for each $Q = 1, \ldots, N$ obtain $L^*(N, M, Q)$ using (9)–(13) and if $L_{max} < L^*(N, M, Q)$ assign $L_{max} = L^*(N, M, Q)$;
2.1.3 if $L_{max} < L_{min}$ assign $L_{min} = L_{max}$, $M^* = M$, $N^* = N$.

Consider again the example of deploying generating units with capacity g = 0.2 and cost x = 0.05, when the defender's budget is r = 1, the demand is F = 3 and the contest is highly intensive, m = 5 (slight effort superiority determines the outcome of attack on each element). Assume that the attacker's budget is R = 0.5 and the effort unit costs are equal: e = 1. Fig. 6 presents the optimal number of elements N and the corresponding normalized losses as functions of a for the cases when both the defender and the attacker allocate their resources evenly among all the units (M = Q = N) and when they choose M and Q in accordance with the minmax solution (optimal N, M, and Q are obtained by the presented enumerative procedure). Fig. 7 presents the optimal values of M and Q.

It can be seen that for relatively low losses cost ratio a, the optimal number of units increases in the case of optimal M and Q, whereas it decreases for large a and becomes smaller than the optimal number of elements for M = Q = N. When the forced losses cost is much greater than the planned losses cost (high a), the defender can afford to deploy only one single generating unit and spends all the remaining resources in protecting this unit from the attack. For low a, the defender benefits from the minmax strategy (the damage in the case of optimal M and Q is lower than in the case of M = Q = N) and for high a the attacker benefits from the minmax strategy (the damage in the case of optimal M and Q is greater than in the case of M = Q = N). Therefore, when the cost of forced losses exceeds the cost of planned losses the defender should try to avoid the minmax game. This can be done by urging the attacker to distribute its resources among all the generating units (for example, by disinforming the attacker and convincing it that the system has a 1-out-of-N structure or that the forced losses are relatively small).

Fig. 6. Optimal number of elements and corresponding normalized losses as a function of cost ratio a for the cases when M and Q are chosen optimally (minmax strategy) and when M = Q = N (e = r = 1, R = 0.5, x = 0.05, g = 0.2, m = 5, and F = 3).

Fig. 7. Optimal M and Q as a function of cost ratio a (e = r = R = 1, x = 0.05, g = 0.2, m = 5, and F = 3).
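The loss model of Sections 3 and 4 as an added example (not code from the paper): it evaluates Eqs. (11)–(15), obtains the even-distribution case of Eq. (8) by setting M = Q = N, and runs the enumerative minmax procedure. Function names, the parameter dictionary and the key `alpha` (the page's losses cost ratio a) are naming choices made here, and the forced-loss sum counts survivors as N − s.

```python
from math import comb, inf


def vulnerability(N, M, Q, p):
    """Eq. (12) for a protected element; with M = Q = N it is Eq. (4)."""
    # t/T: protection effort (r - N x)/(M a) over attack effort R/(Q A), with e = A/a.
    ratio = p["e"] * max(p["r"] - N * p["x"], 0.0) * Q / (M * p["R"])
    return 1.0 / (1.0 + ratio ** p["m"])


def destroyed_pmf(N, M, Q, v):
    """Eqs. (11), (13), (14): H[s] = P(exactly s elements are destroyed)."""
    H = [0.0] * (Q + 1)
    for q in range(max(0, Q - N + M), min(M, Q) + 1):       # q attacked elements are protected
        p_q = comb(M, q) * comb(N - M, Q - q) / comb(N, Q)  # hypergeometric, Eq. (11)
        for k in range(q + 1):                              # k of those q are destroyed
            w = comb(q, k) * v ** k * (1.0 - v) ** (q - k)  # Eq. (13)
            H[k + Q - q] += p_q * w                         # the Q - q unprotected always fall
    return H


def normalized_losses(N, M, Q, p):
    """Eq. (15): L* = planned deficit + alpha * expected forced deficit."""
    H = destroyed_pmf(N, M, Q, vulnerability(N, M, Q, p))
    planned = max(0.0, p["F"] - N * p["g"])
    served = min(N * p["g"], p["F"])                        # planned level of supply
    forced = sum(h * max(0.0, served - p["g"] * (N - s)) for s, h in enumerate(H))
    return planned + p["alpha"] * forced


def n_max(p):
    """Largest N the defender can pay for (greatest integer not exceeding r/x)."""
    return int(p["r"] / p["x"] + 1e-9)


def best_even(p):
    """Eq. (9): (L*, N) when both sides spread effort over all elements (M = Q = N)."""
    return min((normalized_losses(N, N, N, p), N) for N in range(1, n_max(p) + 1))


def minmax(p):
    """Section 4 enumeration: returns (L*, (N, M, Q)) with Q the attacker's best reply."""
    l_min, best = inf, None
    for N in range(1, n_max(p) + 1):
        for M in range(1, N + 1):
            l_max, q_star = 0.0, None
            for Q in range(1, N + 1):
                loss = normalized_losses(N, M, Q, p)
                if l_max < loss:
                    l_max, q_star = loss, Q
            if l_max < l_min:
                l_min, best = l_max, (N, M, q_star)
    return l_min, best


# Parameter sets quoted on the page; "alpha" is the page's losses cost ratio a = cf/cp,
# renamed here because a also denotes the unit cost of protection effort.
FIG1 = dict(F=1.0, g=0.1, r=1.0, R=1.0, e=1.0, m=1.0, alpha=2.0)
SEC4 = dict(F=3.0, g=0.2, x=0.05, r=1.0, R=0.5, e=1.0, m=5.0)

if __name__ == "__main__":
    for x in (0.02, 0.03, 0.04, 0.05):
        row = {N: round(normalized_losses(N, N, N, {**FIG1, "x": x}), 3) for N in (1, 20)}
        print("x =", x, "L*(N) =", row)
    for alpha in (0.5, 1.5, 3.0, 10.0):   # 10.0 is a constructed value beyond the plotted range
        params = {**SEC4, "alpha": alpha}
        print("alpha =", alpha, "even (L*, N) =", best_even(params), "minmax =", minmax(params))
```

With the Fig. 1 parameters the comparison of N = 1 against N = 20 flips between x = 0.03 and x = 0.04, matching the threshold near 0.033 stated in Section 3.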
5. Conclusions

We consider a situation when the defender deploys costly separated identical system elements and protects them to minimize the losses associated with the amount of unsupplied demand. The losses may be planned or forced. Planned losses are those where the producer decides not to meet the demand. This can occur when the penalty of doing so is acceptable, or the production costs to meet the demand are high. Forced losses are those where a determined adversary seeks to destroy the elements by attacking them, which reduces the entire system performance. The attacker distributes its effort evenly among all the N elements or among elements from a chosen subset. The vulnerability of each element is determined by an attacker–defender contest success function. The expected damage caused by the attack is proportional to the system performance reduction below a planned level of demand satisfaction.

We first analyze the case when the defender and the attacker distribute their efforts evenly among all elements. The paper illustrates how the defender strikes a balance between the planned and the forced losses when determining the optimal number of elements to deploy. We thereafter analyze the case when the defender protects an optimal number M of elements, and the attacker attacks an optimal number Q of elements. For both cases we present algorithms for expected losses evaluation and optimization of the defense and the attack strategies. Solutions are illustrated numerically.

We find that the optimal number of elements deployed is a decreasing function of the contest intensity m and the losses cost ratio $a = c_f/c_p$ for forced and planned losses. When the defender protects an optimal subset of elements and the attacker attacks an optimal subset of elements, the optimal number of protected elements M also decreases in a, whereas the optimal number of attacked elements can behave non-monotonically.
When the losses cost ratio a is low, the defender benefits from the minmax strategy (the damage in the case of optimal M and Q is lower than in the case of M = Q = N), and when this ratio is high, the attacker benefits from the minmax strategy (the damage in the case of optimal M and Q is greater than in the case of M = Q = N).

The model presented in this paper can be easily generalized to the case when the losses constitute any function of the unsatisfied demand. In many cases a small amount of the unsatisfied demand can be acceptable, whereas the increase in the unsatisfied demand can lead to severe consequences. This can be modeled by replacing the linear planned and forced losses with non-linear functions. For example, convexly (concavely) increasing losses are descriptive when not meeting the demand becomes increasingly (decreasingly) cost-dependent on the degree to which the demand is not met.

Another extension of the model can consider series–parallel systems with non-identical elements, which causes an
uneven distribution of the efforts among the elements. To solve the resource optimization problem one can use the approach presented in [24].

References

[1] Hirshleifer J. Anarchy and its breakdown. Journal of Political Economy 1995;103(1):26–52.
[2] Tullock G. The welfare costs of tariffs, monopolies, and theft. Western Economic Journal 1967;5:224–32.
[3] Salop SC, Scheffman DT. Raising rivals' costs. A.E.R. Papers and Proceedings 1983;73:267–71.
[4] Zou X, Dai YS, Pan Y. Trust and security in collaborative computing. Hackensack, NJ, USA: World Scientific; ISBN:981-270-368-3.
[5] Michaud D, Apostolakis G. Methodology for ranking the elements of water-supply networks. Journal of Infrastructure Systems 2006;12(4):230–42.
[6] Levitin G. Optimal multilevel protection in series–parallel systems. Reliability Engineering and System Safety 2003;81:93–102.
[7] Levitin G. Optimal allocation of multi-state elements in linear consecutively connected systems with vulnerable nodes. European Journal of Operational Research 2003;150:406–19.
[8] Levitin G, Lisnianski A. Optimal separation of elements in vulnerable multistate systems. Reliability Engineering and System Safety 2001;73:55–66.
[9] Levitin G, Lisnianski A. Optimizing survivability of vulnerable series–parallel multi-state systems. Reliability Engineering and System Safety 2003;79:319–31.
[10] Levitin G, Dai Y, Xie M, Poh KL. Optimizing survivability of multi-state systems with multi-level protection by multi-processor genetic algorithm. Reliability Engineering and System Safety 2003;82:93–104.
[11] Gordon LA, Loeb M. The economics of information security investment. ACM Transactions on Information and System Security 2002;5(4):438–57.
[12] Bier VM, Abhichandani V. Optimal allocation of resources for defence of simple series and parallel systems from determined adversaries. In: Proceedings of the engineering foundation conference on risk-based decision making in water resources X. Santa Barbara, CA: American Society of Civil Engineers; 2002.
[13] Bier VM, Nagaraj A, Abhichandani V. Protection of simple series and parallel systems with components of different values. Reliability Engineering and System Safety 2005;87:315–23.
[14] Bier VM, Oliveros S, Samuelson L. Choosing what to protect: strategic defense allocation against an unknown attacker. Journal of Public Economic Theory 2007;9(4):563–87.
[15] Azaiez N, Bier VM. Optimal resource allocation for security in reliability systems. European Journal of Operational Research 2007;181:773–86.
[16] Levitin G. Optimal defense strategy against intentional attacks. IEEE Transactions on Reliability 2007;56(1):148–57.
[17] Hausken K. Probabilistic risk analysis and game theory. Risk Analysis 2002;22(1):17–27.
[18] Kunreuther H, Heal G. Interdependent security. The Journal of Risk and Uncertainty 2003;26(2/3):231–49.
[19] Hausken K. Income, interdependence, and substitution effects affecting incentives for security investment. Journal of Accounting and Public Policy 2006;25(6):629–65.
[20] Hausken K. Strategic defense and attack for series and parallel reliability systems. European Journal of Operational Research 2008;186(2):856–81.
[21] Hausken K. Production and conflict models versus rent seeking models. Public Choice 2005;123:59–93.
[22] Skaperdas S. Contest success functions. Economic Theory 1996;7:283–90.
[23] Tullock G. Efficient rent-seeking. In: Buchanan JM, Tollison RD, Tullock G, editors. Toward a theory of the rent-seeking society. College Station: Texas A. & M. University Press; 1980. p. 97–112.
[24] Hausken K, Levitin G. Minmax defense strategy for complex multi-state systems. Reliability Engineering & System Safety 2009;94:577–87.
[25] Haimes YY. On the definition of vulnerabilities in measuring risks to infrastructures. Risk Analysis 2006;26(2):293–6.
[26] Hausken K, Levitin G. Efficiency of even separation of parallel elements with variable contest intensity. Risk Analysis 2008;28(5):1477–86.