CSIAC

Cyber Security and Information Systems Information Analysis Center

/ All Podcast Series / / Cyber Security Game: A Model-based Game Theoretic Approach for Mitigating Cybersecurity Risk

- Cyber Security Game: A Model-based Game Theoretic Approach for Mitigating Cybersecurity Risk

| Presenter: Scott Musman | 18 Comments

Notice: This podcast video may contain personal or third-party views and opinions not associated with the government.
Please see our terms of use located here: https://www.csiac.org/csiac-terms-of-use/

The webinar video recording will be available shortly. Thank you for your patience.

This webinar describes the Cyber Security Game (CSG). CSG is a method that has been implemented in software that quantitatively identifies cyber security risks and uses this metric to determine the optimal employment of security methods for any given investment level. Cyber Security Game maximizes a system’s ability to operate in today’s contested cyber environment by minimizing its mission risk. The risk score is calculated by using a mission impact model to compute the consequences of cyber incidents and combining that with the likelihood that attacks will succeed. The likelihood of attacks succeeding is computed by applying a threat model to a system topology model and defender model. CSG takes into account the widespread interconnectedness of cyber systems, where defenders must defend all multi-step attack paths and an attacker only needs one to succeed. It employs a game theoretic solution using a game formulation that identifies defense strategies to minimize the maximum cyber risk (MiniMax). This webinar discusses the methods and models that compose Cyber Security Game. A limited example of a Point of Sale system is used to provide specific demonstrations of CSG models and analyses.

Download Associated Files:
You must be logged in to download files associated with this video podcast. Click here to login.

Presenter

Scott Musman
Scott Musman
Scott Musman is a principal engineer at MITRE Corporation, a not-for-profit organization that operates research and development centers sponsored by the federal government. He holds a BSc(Hon) in Engineering from the University of Sussex in the U.K. and a MSc in Computer Science from Johns Hopkins University. In addition to working in other domains, such as image understanding, decision support, data-planning and reasoning under uncertainty, and data-mining, Scott has been working information security related problems since the mid 1990's, acting as director of R&D for Integrated Management Services Inc, head of the enterprise security research group for Alphatech/BAE Systems-AIT, and as a principal engineer for MITRE. Most recently he has been focusing on mission assurance by estimating and mitigating cyber related mission risks.

Reader Interactions

Ask a Question or Comment:

  4. This comment was mentioned during the webinar:
    Boundaries of the Context (Model):
    More on Model Risk Management: Princeton Presentation: Future of Finance Beyond ‘Flash Boys’: Risk Modeling for Managing Uncertainty in an Increasingly Non-Deterministic Cyber World: Knight Reconsidered: Risk, Uncertainty, and Profit for the Cyber Era: https://ssrn.com/abstract=2590258 .

    • This reply was given during the webinar:
      Known Bayesian priors and “rational” agents are underlying assumptions for adaptation strategies.

  5. This comment was given during the webinar:
    More on Model Risk Arbitrage (‘Black Hat’ Offensive Cybersecurity Approach): Princeton Presentation: Beyond Model Risk Management to Model Risk Arbitrage for FinTech Era: How to Navigate ‘Uncertainty’…When ‘Models’ Are ‘Wrong’…And Knowledge’…‘Imperfect’! Knight Reconsidered Again: Risk, Uncertainty, & Profit Beyond ZIRP & NIRP: https://ssrn.com/abstract=2766099

  10. This comment was given during the webinar:
    Armed Forces Communications and Electronics Association (AFCEA) C4I and Cyber Conference Paper: Synthesizing above Presentations on Models and Model Risks: AI, Machine Learning & Deep Learning Risk Management & Controls: Beyond Deep Learning and Generative Adversarial Networks: Model Risk Management in AI, Machine Learning & Deep Learning: https://ssrn.com/abstract=3193693

Leave a Comment