Game Theory Applications In Cyber Security

Author Casey Allen

Game pieces on a board with one die

Information assets are under constant threat of cyber-attack. According to researchers from the University of Maryland Clark School of Engineering such attacks occur every 39 seconds (Cukier, 2007). The perpetrators of these attacks do not discriminate in terms of who they target. Businesses both large and small, public sector agencies at every level of government, non-profit and religious organizations, and even individuals themselves are targets of interest for cyber criminals. As the likelihood and impact of cyber-attacks continues to rise organizations have begun to realize the necessity of investing in skilled professionals and robust technological controls to protect their digital assets. The principles of game theory “can offer insights into any economic, political, or social situation that involves individuals who have different goals or preferences” (Myerson, 1997). The broad applicability of its principles makes game theory an effective Rosetta Stone for technical and non-technical stakeholders alike to evaluate cyber defense strategies.

In game theory, any “game” will consist of two or more rational players whose actions are determined based on whatever strategy maximizes the payoffs they can expect to receive from playing the game. A “player” may be in individual, but for the purposes of exploring game theory principles as they relate to cyber security we can also think of a player as a team, or a collective of individuals united by their efforts in pursuit of a common goal. Let’s look at an example game where Player 1 is Team Defense, the cyber security professionals within a legitimate business (Company X) whose job it is to protect the organization’s information assets, and Player 2 is Team Offense, a criminal enterprise intent on compromising those same assets. We can visualize this game using a simple matrix where the strategies of Player 1 are shown as rows and the strategies for Player 2 are shown as columns. At the intersection of each player’s strategies the payoffs (E) are shown with Player 1’s value on the left and Player 2’s on the right:

Each player in our example game has two strategies to choose from. Team Defense must choose whether to implement a security control to protect an information asset (Strategy A) or to accept the risk of attack unmitigated (Strategy B). Team Offense must choose whether to attack that same asset (Strategy C) or to leave it alone (Strategy D). For the purposes of our example game we will assume that if Team Defense chooses to defend the asset it will be successful. Likewise, we will assume that if Team Offense attacks an undefended asset it will be successful.

Using our knowledge of the game’s players we can make some assumptions as to the various kinds of tradeoffs each player may consider when selecting their strategy. We can summarize the factors Team Defense will consider when choosing its strategy as follows:

• Value of the asset to the organization

• Building and maintaining consumer trust

• Legal and regulatory compliance

• Resources required for implementation and maintenance

• Usability (ease with which legitimate users can perform their work)

Similarly, we can summarize some of the factors Team Offense will consider when choosing its strategy:

• Value of the asset if compromised

• Resources required to execute an attack

• Specialized skills required to plan and execute an attack

• Importance of keeping their custom-built exploits (TTP) a secret

• Risk of being caught (fines, incarceration, etc.)

Although this is an extremely oversimplified example of how cyber warfare games play out in real life the logic of how game theory principles can be useful in making strategic decisions is beginning to take shape. Now that we have our players and strategies defined, we can begin to examine what the payoffs for each player might look like in our example game:

We can use the row and column names of our matrix to refer to each of the possible outcomes of this game. In the (Defend, Attack) game Team Defense chooses to implement a control to protect an information asset, and Team Offense chooses to