
Virtual Security Testbed Helps Policymakers Prepare for Real-World Threats
What if we could simulate national cybersecurity policy before implementing it? This new computational tool aims to do just that.
We’ve all heard this advice: change your passwords regularly, install antivirus software, and watch out for suspicious emails. But despite these protective efforts at the individual level, a cybersecurity crisis isn’t something individuals can solve alone. A new study underscores that improving digital security requires more than better personal habits: it calls for collective action and coordinated policy, much like the approaches taken to address public health or climate change.

A Columbia Engineering team led by computer scientist Simha Sethumadhavan developed a detailed economic model that simulates how individuals, companies, and attackers make decisions within the cybersecurity ecosystem. It is a virtual “rehearsal space” where policymakers and researchers can test the impact of new rules, such as mandatory security standards or revised incentives for cyber insurance, before applying them in the real world.
The model blends economic theory with computational simulation to explore how defenders (like companies or individuals) and bad actors (like hackers or cybercriminals) interact in a digital environment. In this virtual world, agents make realistic, utility-maximizing decisions, mirroring how stakeholders could respond to incentives, costs, and threats. The result? A high-fidelity sandbox where researchers and policymakers can safely test the impact of different cybersecurity policies, from insurance mandates to spending requirements.
“It’s a way to test real-world security policies in a controlled environment,” said Sethumadhavan, professor of computer science at Columbia Engineering. “This permits us to explore the consequences of different decisions without putting actual systems or people at risk.”
The team is slated to present this research at the USENIX Security Symposium Aug. 13-15 in Seattle.
Security: a collective effort
The model yielded striking results: individual efforts to improve security are not enough. In fact, when each agent in the system acts in their best interest, overall outcomes worsen. More substantial results came only when minimum security standards were applied across the board, mirroring challenges seen in public goods problems like pollution or vaccination, where individual incentives often conflict with the collective good. Just as people may avoid the cost of reducing emissions or getting vaccinated while still benefiting from others who do, in cybersecurity, actors may underinvest in protection, hoping others’ efforts will be enough.
The simulation also revealed a "weakest link" dynamic in cybersecurity: when one defender cuts corners, the entire ecosystem becomes more vulnerable. This means attackers can exploit less secure players to access even well-protected targets. The presence of poorly secured systems doesn’t just make them vulnerable; it creates fuel for attackers to escalate and target increasingly better-defended systems. Even the best locks won’t help if your neighbor leaves the door wide open.
“We see patterns that resemble herd immunity,” noted Adam Hastings, the study’s lead author and a former PhD student in the Sethumadhavan lab at Columbia Engineering.
One of the model’s most striking findings is that weak links in the system—those with poor defenses—can put even well-protected players at risk. This isn’t just a metaphor; the simulation revealed this dynamic organically, without being explicitly programmed to do so, say the researchers. The research underscores that cybersecurity is most effective when protections are widespread, not limited to a vigilant few.
“One weak defender puts everyone at risk, even the strong ones,” added Hastings, who will be joining the faculty at Fordham University in the fall of 2025.
Real-world impact across sectors
The model and its interactive tool offer value to a range of users. Researchers studying the economics of cybersecurity or game theory can use it to explore complex dynamics in a simulated environment. Policymakers, too, can benefit by testing the effects of regulatory changes before implementing them in the real world. The tool is also a valuable educational resource for students and instructors looking for a more hands-on, engaging way to understand security policy design.
By providing a “what-if” platform for intervention testing, the tool helps optimize how resources are allocated, improve decision-making at the policy level, and reduce the risks and costs of trial-and-error approaches in live settings.
“Although this research is centered on policy, its ripple effects reach far beyond government or academia,” said Hastings. “Smarter, top-down strategies mean cybersecurity budgets are used more efficiently, fewer resources are wasted on ineffective solutions, and everyone, from businesses to everyday individuals, enjoys stronger, more reliable protection. In the end, a more secure ecosystem benefits us all.”
About The Study
Conference: 34th USENIX Security Symposium on August 13-15, 2025
Title: Voluntary Investment, Mandatory Minimums, or Cyber Insurance: What Minimizes Losses?
Authors: Adam Hastings, Simha Sethumadhavan