
Toward Realistic Modeling Criteria of Games in Internet Security

Published in Journal of Cyber Security and Information Systems
Volume: 2 Number: 2 - Games People Play Behavior and Security

Author: Jonathan Spring
Posted: 02/09/2016

There have been various attempts to apply game theory to different aspects of security situations. This paper is particularly interested in security as it relates to computers and the Internet. While there have been varying levels of success in describing different aspects of security in game-theoretic terms, there has been little success in describing the problem on a scale large enough to support decisions about enterprise or Internet security policy. This report attempts to provide such a description.

We propose that there are three types of players in the game: the computer user, the malicious actor, and the security architect. This paper is not about how to “win” the game of Internet security or a prescription of the clever strategy — as game theorists make clear, “the search for effective decisions is not a central problem of game theory” [29]. The aim of this paper is two-fold, one for theorists and one for practitioners. For game theorists, this paper provides a more accurate description of the actual dynamics of security-related interactions on the Internet. For practitioners, we will provide a framework to clarify existing motivations and intuitions about the current situation and why it is, or is not, working. Hopefully this perspective on the dynamics of the situation will enable more effective decisions and guide the search for clever solutions using other fields of study.

This paper does not focus on building mathematical tools for analysis. We focus on the description of the game. The three players — user, rogue, and architect — all have competing interests. The main interactions are thus: (1) The user and architect negotiate a suitable system configuration which includes trade-offs between productivity (of the user), security (architect’s goal), and cost; this is a non-zero sum game. This occurs on a much slower time scale than the other two interactions. (2) The rogues attempt to steal resources from the user; this feature is also not a zero-sum game, and so presents some interesting challenges. (3) The third interaction is between the architects and the rogues. Although these two parties are defined as diametrically opposed, their interaction is also not zero-sum.

With these interactions laid out, we make the following important observation about the game itself: the user can ignore, or even be complicit with, the rogue without immediate loss. This fact makes it harder to convince the user to work with the architect to improve security. There are other interesting points to consider related to the game: (1) The game is modeled with three players, and we assert that at least this many players is necessary to maintain fidelity with the real Internet; (2) perfect security cannot be promised, even in principle, because the features of the game are such that there is no guaranteed method to compute a globally-optimal strategy (three player game, the fact that it is non-zero-sum, and the fact that there is imperfect information).

1 Introduction

Game theory was founded as a sub-discipline of mathematics in the mid-20th century. It is a description of how rational decision makers compete. However, this paper is not about how to “win” the game of Internet security or a prescription of the clever strategy — as game theorists make clear, “the search for effective decisions is not a central problem of game theory” [29]. What game theory can illuminate is how an interaction proceeds, certain rules about the outcome given the inputs, and how an analyst can clarify a complex situation by reducing it to a more compact description.

For the purposes of this paper, we will assume the payoffs to the players are already defined. How to do this is non-obvious. However, a process such as the model described in [35] provides a plausible method for arriving at the payoffs, measured in monetary resources lost or gained.

Game theory assumes we have rational decision makers. Kahneman’s psychological work, and the resulting behavioral economics literature, demonstrate that people are not purely rational. This has important ramifications for actually selecting policies that will be effective; however, from our abstract point of view it just means we might have to adjust our payoff values to account for the fact that people may value something more or less than is rational. As such, we will leave this issue aside for now.

When describing the game, we will describe the payoff matrices to the extent possible — which values are positive or negative, their relative magnitudes, etc. However, our goal is not to formulate games to the level of detail that analytic or numeric solutions are possible. There is still much work to be done before that can be achieved. The goal of this paper is to provide the shape of a game as it relates to information security on the Internet.
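To make the shape of the game concrete, here is an added Python model that is not part of the paper or its author's work. It encodes the three players from the abstract with two moves each. The strategy labels (comply/ignore, attack/refrain, harden/lax), the rule that the system is secured only when the architect hardens it and the user complies, and every payoff magnitude are constructed assumptions chosen to follow the paper's sign story (a small immediate loss for the user, a larger one for the architect, hardening that costs money whether or not it works); they are not values the paper gives. The model checks that none of the three pairwise interactions is constant-sum and enumerates pure-strategy equilibria by testing unilateral deviations. With these constructed numbers the only pure equilibrium is the one where the user ignores the configuration, the rogue attacks and the architect stops paying for hardening, which illustrates the observation that the user can ignore the rogue without immediate loss and that hardening without user cooperation is wasted effort.

```python
"""
Toy three-player security game: user, rogue, architect.
Constructed illustration; the payoff numbers are assumptions, not values
from the paper. Only their signs and rough ordering follow the paper's text.
"""
from itertools import product

PLAYERS = ("user", "rogue", "architect")
STRATEGIES = {
    "user": ("comply", "ignore"),      # follow the architect's configuration or not
    "rogue": ("attack", "refrain"),
    "architect": ("harden", "lax"),
}

# Constructed magnitudes (assumptions, not from the paper).
HARDEN_COST = 2   # architect pays to deploy and maintain a hardened configuration
COMPLY_COST = 1   # user's productivity loss from living with that configuration
ATTACK_COST = 1   # rogue's effort per attack attempt
LOOT = 5          # rogue's gain when an attack succeeds
USER_LOSS = 1     # user's *immediate* loss from a compromise is small
ARCH_LOSS = 4     # architect's cleanup and reputation loss from a compromise


def payoff(user, rogue, architect):
    """Return (user, rogue, architect) payoffs for one strategy profile."""
    pu = pr = pa = 0
    if architect == "harden":
        pa -= HARDEN_COST
        if user == "comply":
            pu -= COMPLY_COST
    # Assumed rule: the system is secured only when the architect hardens it
    # AND the user complies; hardening alone is money spent for nothing.
    secured = architect == "harden" and user == "comply"
    if rogue == "attack":
        pr -= ATTACK_COST
        if not secured:
            pr += LOOT
            pu -= USER_LOSS
            pa -= ARCH_LOSS
    return (pu, pr, pa)


def profiles():
    """Every pure strategy profile, ordered (user, rogue, architect)."""
    return list(product(*(STRATEGIES[p] for p in PLAYERS)))


def is_constant_sum(i, j):
    """True if players i and j's payoffs always add up to the same constant.
    Zero-sum is the special case where that constant is 0."""
    sums = {payoff(*prof)[i] + payoff(*prof)[j] for prof in profiles()}
    return len(sums) == 1


def pure_nash_equilibria():
    """Profiles in which no single player gains by changing only its own move."""
    equilibria = []
    for prof in profiles():
        stable = True
        for i, player in enumerate(PLAYERS):
            current = payoff(*prof)[i]
            for alt in STRATEGIES[player]:
                if alt == prof[i]:
                    continue
                deviation = list(prof)
                deviation[i] = alt
                if payoff(*deviation)[i] > current:
                    stable = False
                    break
            if not stable:
                break
        if stable:
            equilibria.append(prof)
    return equilibria


if __name__ == "__main__":
    for i, j in ((0, 1), (0, 2), (1, 2)):
        print(f"{PLAYERS[i]} vs {PLAYERS[j]} constant-sum: {is_constant_sum(i, j)}")
    print("pure-strategy equilibria:", pure_nash_equilibria())
```

The enumeration is exhaustive only over the eight pure profiles; mixed strategies are not considered, so an empty result would not by itself show that no equilibrium exists. Changing the constants (for example, making the user's immediate loss large, or letting the architect compensate the user for complying, which is the negotiation in the first interaction) changes the equilibrium set, which is exactly the kind of qualitative exploration the paper's sign-and-magnitude description of the payoffs is meant to support.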


References

[1] 2013 Data Breach Investigations Report (DBIR), 2014. URL http://www.verizonenterprise.com/DBIR/2013/.

[2] Black Tulip: Report of the investigation into the DigiNotar Certificate Authority breach, 2012.

[3] Devdatta Akhawe, Adrienne Porter Felt: “Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness”, 22nd USENIX Security Symposium, 2013. URL http://www.cs.berkeley.edu/~devdatta/papers/alice-in-warningland.pdf.

[4] R. J. Anderson: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2008.

[5] R. Anderson, C. Barton, R. Böhme, R. Clayton, M. J. G. van Eeten, M. Levi, T. Moore, S. Savage: “Measuring the cost of cybercrime”, 11th Workshop on the Economics of Information Security, 2012. URL http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf.

[6] Steven J. Brams: Negotiation Games: Applying Game Theory to Bargaining and Arbitration. Routledge, 2003.

[7] Huseyin Cavusoglu, Birendra Mishra, Srinivasan Raghunathan: “A model for evaluating IT security investments”, Communications of the ACM, pp. 87–92, 2004.

[8] Adam Cummings, Todd Lewellen, David McIntire, Andrew Moore, Randall Trzeciak: Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, 2012. URL http://www.sei.cmu.edu/library/abstracts/reports/12sr004.cfm.

[9] David Drummond: A new approach to China. Google Official Blog, 2010.

[10] L. Dolanský: “Present state of the Lanchester theory of combat”, Operations Research, pp. 344–358, 1964.

[11] Ellen Messmer: “RSA’s SecurID security breach: What should you do?”, Network World, 2011. URL http://www.networkworld.com/news/2011/031811-rsa-securid-breach.html.

[12] Ellen Messmer: “RSA’s SecurID security breach: What should you do?”, Network World, 2011. URL http://www.networkworld.com/news/2011/031811-rsa-securid-breach.html.

[13] Drew Fudenberg, Jean Tirole: Game Theory. MIT Press, 1991.

[14] Herbert Gintis: Game Theory Evolving: A Problem-Centered Introduction to Modeling Strategic Behavior. Princeton University Press, 2000.

[15] Kuno J. M. Huisman: Technology Investment: A Game Theoretic Real Options Approach. Kluwer Academic Publishers, 2001.

[16] John Gilmore: DES (Data Encryption Standard) Review at Stanford University, 2005. URL http://www.toad.com/des-stanford-meeting.html.

[17] C. Kanich, N. Weaver, D. McCoy, T. Halvorson, C. Kreibich, K. Levchenko, V. Paxson, G. M. Voelker, S. Savage: “Show Me the Money: Characterizing Spam-advertised Revenue”, 20th USENIX Security Symposium, 2011. URL https://www.usenix.org/legacy/event/sec11/tech/full_papers/Kanich.pdf.

[18] Ioanna Kantzavelou, Sokratis Katsikas: “A game-based intrusion detection mechanism to confront internal attackers”, Computers & Security, pp. 859–874, 2010.

[19] M. K. Lauren: Describing Rates of Interaction between Multiple Autonomous Entities: An Example Using Combat Modelling, 2001.

[20] S. D. Moitra: Managing Risk from Cybercrime: Internet Policy and Security Management for Organizations. Max-Planck-Institut für ausländisches und internationales Strafrecht, 2008.

[21] Tyler Moore, Richard Clayton: “Evil searching: Compromise and recompromise of internet hosts for phishing”, Financial Cryptography and Data Security, pp. 256–272, 2009.

[22] Roger B. Myerson: Game Theory: Analysis of Conflict. Harvard University Press, 1997.

[23] John F. Nash Jr.: “Non-cooperative games”, The Annals of Mathematics, pp. 286–295, 1951.

[24] John F. Nash Jr.: “The bargaining problem”, Econometrica: Journal of the Econometric Society, pp. 155–162, 1950.

[25] G. Owen: Game Theory. Emerald Group Publishing, 1995.

[26] Anatol Rapoport: N-Person Game Theory: Concepts and Applications. Courier Dover Publications, 1970.

[27] Anatol Rapoport: Two-Person Game Theory: The Essential Ideas. Courier Dover Publications, 1966.

[28] E. Rasmusen: Games and Information: An Introduction to Game Theory. Blackwell, 2007.

[29] R. Rasmussen, G. Aaron: Global phishing survey: trends and domain name use in 2Q2012, 2012.

[30] Sankardas Roy, Charles Ellis, Sajjan Shiva, Dipankar Dasgupta, Vivek Shandilya, Qishi Wu: “A survey of game theory as applied to network security”, 43rd Hawaii International Conference on System Sciences (HICSS), pp. 1–10, 2010.

[31] J. M. Spring: “Modeling Malicious Domain Name Take-down Dynamics: Why eCrime Pays”, IEEE eCrime Researchers Summit, 2013. URL http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=88265.

[32] T. Spyridopoulos, G. Karanikas, T. Tryfonas, G. Oikonomou: “A Game Theoretic Defence Framework Against DoS/DDoS Cyber Attacks”, Computers & Security, pp. 39–50, 2013.

[33] John von Neumann, Oskar Morgenstern: The Theory of Games and Economic Behavior. Princeton University Press, 1944.

[34] Weinan E, Bjorn Engquist, Xiantao Li, Weiqing Ren, Eric Vanden-Eijnden: “Heterogeneous multiscale methods: a review”, Communications in Computational Physics, pp. 367–450, 2007.

[35] William Casey, Jose A. Morales, Thomson Nguyen, Jonathan Spring, Rhiannon Weaver, Evan Wright, Leigh Metcalf, Bud Mishra: “Cyber Security via Signaling Games: Toward a Science of Cyber Security”, ICDCIT, pp. 34–42, 2014. URL http://dx.doi.org/10.1007/978-3-319-04483-5_4.

[36] Quanyan Zhu, Linda Bushnell, Tamer Basar: “Game-theoretic analysis of node capture and cloning attack with multiple attackers in wireless sensor networks”, 51st IEEE Annual Conference on Decision and Control (CDC), pp. 3404–3411, 2012.

Endnotes

1. An agent may both use one system and be the architect of another; most software developers fit this description. However, the roles of user and architect qua roles do not overlap.

Author

Jonathan Spring
Jonathan Spring is a member of the technical staff with the CERT Threat Analysis Group of the Software Engineering Institute, Carnegie Mellon University. He began working for the CERT program in 2009. He is the co-author of an information security textbook, “Introduction to Information Security: A Strategic-Based Approach,” and also serves as an adjunct professor at the University of Pittsburgh’s School of Information Sciences. His research topics include monitoring cloud computing, DNS traffic analysis, and game theory. He holds a Master’s degree in information security and a Bachelor’s degree in philosophy from the University of Pittsburgh. Jonathan can be reached at netsa-contact@cert.org.
