[1] : 2013 Data Breach Investigations Report (DBIR), 2014. URL

[2] : Black Tulip: Report of the investigation into the DigiNotar Certificate Authority breach, 2012.

[3] Devdatta Akhawe, Adrienne Porter Felt: “Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness”, 22nd USENIX Security Symposium, 2013. URL

[4] R. J. Anderson: Security Engineering: A guide to building dependable distributed systems. Wiley, 2008.

[5] R. Anderson, C. Barton, R. Böhme, R. Clayton, M.J.G. van Eeten, M. Levi, T. Moore, S. Savage: “Measuring the cost of cybercrime”, 11th Workshop on the Economics of Information Security, 2012. URL

[6] Steven J Brams: Negotiation Games: Applying game theory to bargaining and arbitration. Routledge, 2003.

[7] Huseyin Cavusoglu, Birendra Mishra, Srinivasan Raghunathan: “A model for evaluating IT security investments”, Communications of the ACM, pp. 87—92, 2004.

[8] Adam Cummings, Todd Lewellen, David McIntire, Andrew Moore, Randall Trzeciak: Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, 2012. URL

[9] David Drummond: A new approach to China. Google Official Blog, 2010.

[10] L. Dolanskỳ: “Present state of the Lanchester theory of combat”, Operations Research, pp. 344—358, 1964.

[11] Ellen Messmer: “RSA’s SecurID security breach: What should you do?”, Network World, 2011. URL

[12] Ellen Messmer: “RSA’s SecurID security breach: What should you do?”, Network World, 2011. URL

[13] Drew Fudenberg, Jean Tirole: Game theory. 1991. MIT Press, 1991.

[14] Herbert Gintis: Game theory evolving: A problem-centered introduction to modeling strategic behavior. Princeton University Press, 2000.

[15] Kuno JM Huisman: Technology Investment: a game theoretic real options approach. Kluwer Academic Pub, 2001.

[16] John Gilmore: DES (Data Encryption Standard) Review at Stanford University, 2005. URL

[17] C. Kanich, N. Weaver, D. McCoy, T. Halvorson, C. Kreibich, K. Levchenko, V. Paxson, G.M. Voelker, S. Savage: “Show Me the Money: Characterizing Spam-advertised Revenue”, 20th USENIX Security Symposium, 2011. URL

[18] Ioanna Kantzavelou, Sokratis Katsikas: “A game-based intrusion detection mechanism to confront internal attackers”, Computers & Security, pp. 859—874, 2010.

[19] MK Lauren: Describing Rates of Interaction between Multiple Autonomous Entities: An Example Using Combat Modelling, 2001.

[20] S.D. Moitra: Managing Risk from Cybercrime: Internet Policy and Security Management for Organizations. Max-Planck-Institut f. ausländisches und internationales Strafrecht, 2008.

[21] Tyler Moore, Richard Clayton: “Evil searching: Compromise and recompromise of internet hosts for phishing”, Financial Cryptography and Data Security, pp. 256—272, 2009.

[22] Roger B Myerson: Game theory: analysis of conflict. Harvard University Press, 1997.

[23] John F Nash Jr: “Non-cooperative games”, The Annals of Mathematics, pp. 286—295, 1951.

[24] John F Nash Jr: “The bargaining problem”, Econometrica: Journal of the Econometric Society, pp. 155—162, 1950.

[25] G. Owen: Game theory. Emerald Group Publishing, 1995.

[26] Anatol Rapoport: N-person game theory: Concepts and applications. Courier Dover Publications, 1970.

[27] Anatol Rapoport: Two-person game theory: The essential ideas. Courier Dover Publications, 1966.

[28] E. Rasmusen: Games and Information: An Introduction to Game Theory. Blackwell, 2007.

[29] R. Rasmussen, G. Aaron: Global phishing survey: trends and domain name use in 2Q2012, 2012.

[30] Sankardas Roy, Charles Ellis, Sajjan Shiva, Dipankar Dasgupta, Vivek Shandilya, Qishi Wu: “A survey of game theory as applied to network security”, System Sciences (HICSS), 2010 43rd Hawaii International Conference on, pp. 1—10, 2010.

[31] J.M. Spring: “Modeling Malicious Domain Name Take-down Dynamics: Why eCrime Pays”, IEEE eCrime Researchers Summit, 2013. URL

[32] T Spyridopoulos, G Karanikas, T Tryfonas, G Oikonomoug: “A Game Theoretic Defence Framework Against DoS/DDoS Cyber Attacks”, Computers & Security, pp. 39—50, 2013.

[33] John Von Neumann, Oskar Morgenstern: The theory of games and economic behavior. Princeton university press, 1944.

[34] E Weinan, Bjorn Engquist, Xiantao Li, Weiqing Ren, Eric Vanden-Eijnden: “Heterogeneous multiscale methods: a review”, Communications in computational physics, pp. 367—450, 2007.

[35] William Casey, Jose A. Morales, Thomson Nguyen, Jonathan Spring, Rhiannon Weaver, Evan Wright, Leigh Metcalf, Bud Mishra: “Cyber Security via Signaling Games: Toward a Science of Cyber Security”, ICDCIT, pp. 34-42, 2014. URL

[36] Quanyan Zhu, Linda Bushnell, Tamer Basar: “Game-theoretic analysis of node capture and cloning attack with multiple attackers in wireless sensor networks”, Decision and Control (CDC), 2012 IEEE 51st Annual Conference on, pp. 3404—3411, 2012.


1An agent may both use one system and be the architect of another; most software developers fit this description. However the roles of user and architect qua roles do not overlap.


Jonathan Spring
Jonathan Spring is a member of the technical staff with the CERT Threat Analysis Group of the Software Engineering Institute, Carnegie Mellon University. He began working for the CERT program in 2009. He is the co-author of an information security textbook, “Introduction to Information Security: A Strategic-Based Approach,” and also serves as an adjunct professor at the University of Pittsburgh’s School of Information Sciences. His research topics include monitoring cloud computing, DNS traffic analysis, and game theory. He holds a Master’s degree in information security and a Bachelor’s degree in philosophy from the University of Pittsburgh. Jonathan can be reached at

Reader Interactions

Leave a Comment