Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ICICIC.2008.319

2008-01-01

Abstract:The purpose of this paper is to analyze the strategy to promote the information security investment based on game theory. We use game theory to make the analysis and put forward the fruitful strategy suggestions for the defender organization to invest in information security. We set up the information security game model, and make the Nash Equilibrium analysis. The Nash Equilibrium analysis results of pure strategy and mixed strategy are consistent. By Nash Equilibrium analysis, we get the cost demand for information security investment. If this demand condition is not satisfied, we introduce the penalty parameter to the investment game. By regulating the value of the penalty parameter, we solve the hard problem of information security investment when it is difficult to reduce the investment cost. It is the first time to analyze information security investment by game theory. Our results provide fruitful strategy suggestions to promote information security investment.

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Dylan Léveillé,Jason Jaskolka

DOI: https://doi.org/10.4204/EPTCS.409.11

2024-10-30

Abstract:Selecting the combination of security controls that will most effectively protect a system's assets is a difficult task. If the wrong controls are selected, the system may be left vulnerable to cyber-attacks that can impact the confidentiality, integrity and availability of critical data and services. In practical settings, it is not possible to select and implement every control possible. Instead considerations, such as budget, effectiveness, and dependencies among various controls, must be considered to choose a combination of security controls that best achieve a set of system security objectives. In this paper, we propose a game-theoretic approach for selecting effective combinations of security controls based on expected attacker profiles and a set budget. The control selection problem is set up as a two-person zero-sum one-shot game. Valid control combinations for selection are generated using an algebraic formalism to account for dependencies among selected controls. We demonstrate the proposed approach on an illustrative financial system used in government departments under four different scenarios. The results illustrate how a security analyst can use the proposed approach to guide and support decision-making in the control selection activity when developing secure systems.

Cryptography and Security,Computer Science and Game Theory

Sakshyam Panda,Emmanouil Panaousis,George Loukas,Christos Laoudias

DOI: https://doi.org/10.48550/arXiv.2001.03782

2020-01-11

Cryptography and Security

Abstract:Cyber hygiene measures are often recommended for strengthening an organization's security posture, especially for protecting against social engineering attacks that target the human element. However, the related recommendations are typically the same for all organizations and their employees, regardless of the nature and the level of risk for different groups of users. Building upon an existing cybersecurity investment model, this paper presents a tool for optimal selection of cyber hygiene safeguards, which we refer as the Optimal Safeguards Tool. The model combines game theory and combinatorial optimization taking into account the probability of each user group to being attacked, the value of assets accessible by each group, and the efficacy of each control for a particular group. The model considers indirect cost as the time employees could require for learning and training against an implemented control. Utilizing a game-theoretic framework to support the Knapsack optimization problem permits us to optimally select safeguards' application levels minimizing the aggregated expected damage within a security investment budget. We evaluate OST in a healthcare domain use case. The Critical Internet Security Control group 17 for implementing security awareness and training programs for employees belonging to the ICT, clinical and administration personnel of a hospital. We compare the strategies implemented by OST against alternative common-sense defending approaches for three different types of attackers: Nash, Weighted and Opportunistic. Nash defending strategies are consistently better than the competing strategies for all attacker types with a minor exception where the Nash defending strategy performs at least as good as other common-sense approaches.

Michael D. Iannacone,Robert A. Bridges

DOI: https://doi.org/10.48550/arXiv.1902.00053

2019-10-25

Abstract:Metrics and frameworks to quantifiably assess security measures have arisen from needs of three distinct research communities - statistical measures from the intrusion detection and prevention literature, evaluation of cyber exercises, e.g.,red-team and capture-the-flag competitions, and economic analyses addressing cost-versus-security tradeoffs. In this paper we provide two primary contributions to the security evaluation literature - a representative survey, and a novel framework for evaluating security that is flexible, applicable to all three use cases, and readily interpretable. In our survey of the literature we identify the distinct themes from each community's evaluation procedures side by side and flesh out the drawbacks and benefits of each. The evaluation framework we propose includes comprehensively modeling the resource, labor, and attack costs in dollars incurred based on expected resource usage, accuracy metrics, and time. This framework provides a unified approach in that it incorporates the accuracy and performance metrics, which dominate intrusion detection evaluation, the time to detection and impact to data and resources of an attack, favored by educational competitions' metrics, and the monetary cost of many essential security components used in financial analysis. Moreover, it is flexible enough to accommodate each use case, easily interpretable and comparable, and comprehensive in terms of costs <a class="link-external link-http" href="http://considered.Finally" rel="external noopener nofollow">this http URL</a>, we provide two examples of the framework applied to real-world use cases. Overall, we provide a survey and a grounded, flexible framework with multiple concrete examples for evaluating security which can address the needs of three currently distinct communities.

Cryptography and Security

Ihab Mohamed,Hesham A. Hefny,Nagy R. Darwish

2024-07-27

Abstract:Cybersecurity is a big challenge as hackers are always trying to find new methods to attack and exploit system vulnerabilities. Cybersecurity threats and risks have increased in recent years, due to the increasing number of devices and networks connected. This has led to the development of new cyberattack patterns, such as ransomware, data breaches, and advanced persistent threats (APT). Consequently, defending such complicated attacks needs to stay up to date with the latest system vulnerabilities and weaknesses to set a proper cybersecurity defense strategy. This paper aims to propose a defense strategy for the presented security threats by determining and prioritizing which security control to put in place based on combining the MITRE ATT&CK framework with multi-criteria decision-making (MCDM) techniques. This approach helps organizations achieve a more robust and resilient cybersecurity posture.

Cryptography and Security

Kevin Kam Fung Yuen

DOI: https://doi.org/10.1109/ICAIIC.2019.8668842

2019-01-01

Abstract:Cybercrime is everywhere in cyberspace. Cybersecurity is a set of technologies, processes and policies to protect the enterprise information asset to prevent business loss assets from the cyber attackers. Planning a sustainable and reliable cybersecurity system is an essential initial step since the large amount of investment on the system has long lasting impact. This paper introduces a multiple criteria decision making method using the Primitive Cognitive Network Process (PCNP) for the cyber-security investment decision making.

Yong Wu,Gengzhong Feng,Nengmin Wang,Huigang Liang

DOI: https://doi.org/10.1016/j.eswa.2015.03.033

IF: 8.5

2015-01-01

Expert Systems with Applications

Abstract:The level of firms' information security investment has recently become a critical issue in the management of IT infrastructure. Prior studies have not considered attack types and firms interconnection simultaneously when investigating the optimisation of such investment. Using game theory, we demonstrate that the optimal security investment level of an interconnected firm against targeted attacks is different from that against opportunistic attacks. Our model shows that not all information security risks are worth fighting against. As the potential loss increases, it is unadvisable to increase the security investment proportionately. Firms should increase investments with intrinsic vulnerability when facing target attacks, but focus on those systems that fall into the midrange of intrinsic vulnerability when facing opportunistic attacks. Firms are unwilling to invest in security and often offload reliability problems onto others when the trusted interdependence relationship becomes tighter in the absence of economic incentives. Thus we also discuss two economic incentives to motivate firms: liability and security information sharing. We find-that if the rules are set properly, both economic incentives are effective to not only internalise the negative externality and improve a firm's security level, but also reduce the total expected cost. We show that firms' optimal investments of liability always increase with the increasing number of firms, but the optimal investments on security information sharing increase only when the number of firms is large enough. These insights draw attention to many trade-offs firms often face and the importance of accurate assessment of firms' security environment. Future research directions are discussed based on the limitations and possible extensions of this study. (C) 2015 Elsevier Ltd. All rights reserved.

Mustafa Abdallah,Daniel Woods,Parinaz Naghizadeh,Issa Khalil,Timothy Cason,Shreyas Sundaram,Saurabh Bagchi

DOI: https://doi.org/10.48550/arXiv.2004.01958

2020-04-08

Abstract:We study the security of large-scale cyber-physical systems (CPS) consisting of multiple interdependent subsystems, each managed by a different defender. Defenders invest their security budgets with the goal of thwarting the spread of cyber attacks to their critical assets. We model the security investment decisions made by the defenders as a security game. While prior work has used security games to analyze such scenarios, we propose behavioral security games, in which defenders exhibit characteristics of human decision making that have been identified in behavioral economics as representing typical human cognitive biases. This is important as many of the critical security decisions in our target class of systems are made by humans. We provide empirical evidence for our behavioral model through a controlled subject experiment. We then show that behavioral decision making leads to a suboptimal pattern of resource allocation compared to non-behavioral decision making. We illustrate the effects of behavioral decision making using two representative real-world interdependent CPS. In particular, we identify the effects of the defenders' security budget availability and distribution, the degree of interdependency among defenders, and collaborative defense strategies, on the degree of suboptimality of security outcomes due to behavioral decision making. In this context, the adverse effects of behavioral decision making are most severe with moderate defense budgets. Moreover, the impact of behavioral suboptimal decision making is magnified as the degree of the interdependency between subnetworks belonging to different defenders increases. We also observe that selfish defense decisions together with behavioral decisions significantly increase security risk.

Cryptography and Security,Computer Science and Game Theory

Michael R. Grimaila,Adedeji Badiru

DOI: https://doi.org/10.1007/s12351-010-0102-2

IF: 2.7

2011-01-23

Operational Research

Abstract:The increased reliance on information technology systems and communications networks in support of the core organizational processes creates an environment where significant, and potentially catastrophic, losses can result from a loss or corruption of a critical information resource. Risk assessment is the widely accepted process used to understand, quantify, and document the effects of undesirable events on organizational objectives so that risk management, continuity of operations planning, and contingency planning can be performed. In this paper, we present the application of a simulation-based hybrid analytic dynamic forecasting methodology that combines the techniques of analytic hierarchy process, factor analysis, and spanning tree to the problem of selecting among a set contingency measures following events which place the organizational mission at risk. The methodology makes use of qualitative subjective assessments by subject matter experts at multiple levels of the organization and uses historical event occurrences (when available) to provide the decision maker with a ongoing recommendation of the best contingency measures to employ to assure the organizational mission objectives. The method is novel because it augments the decision maker’s experiential knowledge with a probabilistic forecast of the best contingency measure to take in response to events based upon subject matter expert knowledge, historical evidence, and the real-time status critical resources. The methodology provides a structured approach to mitigate operational risk in complex environments and decreases the time required to make decisions under conditions of uncertainty.

operations research & management science

Md. Reya Shad Azim,Timothy Cason,Mustafa Abdallah

DOI: https://doi.org/10.1109/access.2024.3391305

IF: 3.9

2024-04-27

IEEE Access

Abstract:Interdependent systems, under the management of multiple decision-makers, confront rapidly growing cybersecurity threats. This paper delves into the realm of security decision-making within these complex interdependent systems managed by multiple defenders. Each defender assumes responsibility for safeguarding a specific subnetwork of the system against potential attacks. The relationships between these assets are depicted through an attack graph, where edges connecting assets signify that the compromise of one asset could expose vulnerabilities in another asset. These edges are associated with probabilities that represent the likelihood of a successful attack, which can be reduced through security investments by the defenders. Our approach involves modeling these systems using game-theoretic frameworks, accounting for the impact of bounded rationality and imperfect best-response behavior—as frequently observed in human decision-making within the domains of behavioral economics and psychology. We first establish the existence of quantal response equilibrium in our interdependent security games. We present illustrative examples to highlight the disparities between the solutions derived from the social optimal perspective and those arising from quantal response equilibrium. Subsequently, we analyze the inefficiency introduced by behavioral players with this type of bounded rationality in terms of the overall social cost of the system. We adapt a widely recognized metric to quantify the extent of this inefficiency, providing bounds and illustrating its exponential growth with an increase in the security budget. To assess our models, we employ a representative real-world interdependent system and compare the game-theoretic optimal investment strategies to those derived from a socially optimal standpoint.

computer science, information systems,telecommunications,engineering, electrical & electronic

Alexander A. Ganin,Phuoc Quach,Mahesh Panwar,Zachary A. Collier,Jeffrey M. Keisler,Dayton Marchese,Igor Linkov

DOI: https://doi.org/10.1111/risa.12891

2017-09-05

Risk Analysis

Abstract:Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Yong Wu,Gengzhong Feng,Richard Y. K. Fung

DOI: https://doi.org/10.1057/s41274-017-0263-y

IF: 3.6

2018-01-01

Journal of the Operational Research Society

Abstract:Serious information security breaches have caused firms to suffer from customer churns directly or indirectly. To prevent customer churns, firms usually enhance their security protection through two measures, i.e. security investment and security information sharing. Prior studies seldom consider security environment and business environment simultaneously when making a firm’s optimal security decisions. Using game theory, this paper purports to demonstrate that a firm’s security decisions under a competitive environment differ significantly from those under an integrated environment. Moreover, distortions may surface if firms do not cooperate on security practices. Thus, this paper further analyses the measures that a social planner such as the government or industry association controls firms’ security decisions, and results show that these measures may not always be effective. Instead, social planners are recommended to enhance or attenuate the controlling level of the two security decisions based on realistic security and business environments.

Pankaj Pandey

DOI: https://doi.org/10.5121/ijsptm.2015.4403

2015-12-14

Abstract:Today business environment is highly dependent on complex technologies, and information is considered an important asset. Organizations are therefore required to protect their information infrastructure and follow an inclusive risk management approach. One way to achieve this is by aligning the information security investment decisions with respect to organizational strategy. A large number of information security investment models have are in the literature. These models are useful for optimal and cost-effective investments in information security. However, it is extremely challenging for a decision maker to select one or combination of several models to decide on investments in information security controls. We propose a framework to simplify the task of selecting information security investment model(s). The proposed framework follows the 'Context, Content, Process' approach, and this approach is useful in evaluation and prioritization of investments in information security controls in alignment with the overall organizational strategy.

Computers and Society,Cryptography and Security

Manuel Kern,Max Landauer,Florian Skopik,Edgar Weippl

DOI: https://doi.org/10.1016/j.cose.2024.103844

IF: 5.105

2024-04-11

Computers & Security

Abstract:Many modern cyber attack techniques cannot be prevented. Logging and monitoring, however, offer a means to at least detect these techniques early, and therefore become increasingly important for defense. Many companies are unfortunately reluctant to invest more in cyber security logging and monitoring or hire additional security staff to operate detective solutions. There is a need for a methodology to pick appropriate cyber security solutions from the vast pool of available products. Our model takes requirements mandated by common standards from ISO, NIST, BSI and the like into account. While standards and guidelines remain at a high abstraction level and are applicable to different organizations over a long period of time, guidance on implementation becomes outdated comparatively quickly. We propose a novel logging maturity and decision model for the selection of the best fitting cyber security solutions for an organization. The novelty is that this model accounts for constraints in the selection process, such as cost, complexity, compliance, and relevance to the organization's assets. We validate the model with MITRE ATT&CK framework data and apply it to illustrative use cases based on our survey.

computer science, information systems

Dimitri Percia David,Alain Mermoud,Sébastien Gillard

DOI: https://doi.org/10.48550/arXiv.2112.04310

2021-12-08

Cryptography and Security

Abstract:Cyber-security breaches inflict significant costs on organizations. Hence, the development of an information-systems defense capability through cyber-security investment is a prerequisite. The question of how to determine the optimal amount to invest in cyber-security has been widely investigated in the literature. In this respect, the Gordon-Loeb model and its extensions received wide-scale acceptance. However, such models predominantly rely on restrictive assumptions that are not adapted for analyzing dynamic aspects of cyber-security investment. Yet, understanding such dynamic aspects is a key feature for studying cyber-security investment in the context of a fast-paced and continuously evolving technological landscape. We propose an extension of the Gordon-Loeb model by considering multi-period and relaxing the assumption of a continuous security-breach probability function. Such theoretical adaptations enable to capture dynamic aspects of cyber-security investment such as the advent of a disruptive technology and its investment consequences. Such a proposed extension of the Gordon-Loeb model gives room for a hypothetical decrease of the optimal level of cyber-security investment, due to a potential technological shift. While we believe our framework should be generalizable across the cyber-security milieu, we illustrate our approach in the context of critical-infrastructure protection, where security-cost reductions related to risk events are of paramount importance as potential losses reach unaffordable proportions. Moreover, despite the fact that some technologies are considered as disruptive and thus promising for critical-infrastructure protection, their effects on cyber-security investment have been discussed little.

Alva Hendi Muhammad,Joko Dwi Santoso,Ananda Fikri Akbar

DOI: https://doi.org/10.11591/ijeecs.v31.i1.pp271-280

2023-07-01

Indonesian Journal of Electrical Engineering and Computer Science

Abstract:In recent years, cyber security has become an increasingly important aspect of the decision-making process of corporations. It is essential to make investments in cybersecurity at this point to guard against the frequent disruption of business operations posed by cyberattacks. In the context of small and medium-sized organizations, this study recommends using a multicriteria decision-making technique to evaluate information security aspects. The information security index is derived as the foundation for every one of these features. The best-worst method is carried out to establish the best and worst possible security investments. In order to validate these findings, a survey was distributed to a variety of professionals and business decisionmakers. The criteria for selection are laid forth in the form of categories labeled technology and organization, respectively. The findings are presented in a rating system with three tiers, with the highest level representing the absolute best of the results. In the final section of the study, we will examine potential future possibilities for research and policy.

Benjamin Shreeve,Joseph Hallett,Matthew Edwards,Kopo M. Ramokapane,Richard Atkins,Awais Rashid

DOI: https://doi.org/10.1109/TSE.2020.3023735

2021-04-01

Abstract:Cyber security requirements are influenced by the priorities and decisions of a range of stakeholders. Board members and CISOs determine strategic priorities. Managers have responsibility for resource allocation and project management. Legal professionals concern themselves with regulatory compliance. Little is understood about how the security decision-making approaches of these different stakeholders contrast, and if particular groups of stakeholders have a better appreciation of security requirements during decision-making. Are risk analysts better decision makers than CISOs? Do security experts exhibit more effective strategies than board members? This paper explores the effect that different experience and diversity of expertise has on the quality of a team's cyber security decision-making and whether teams with members from more varied backgrounds perform better than those with more focused, homogeneous skill sets. Using data from 208 sessions and 948 players of a tabletop game run in the wild by a major national organization over 16 months, we explore how choices are affected by player background (e.g.,~cyber security experts versus risk analysts, board-level decision makers versus technical experts) and different team make-ups (homogeneous teams of security experts versus various mixes). We find that no group of experts makes significantly better game decisions than anyone else, and that their biases lead them to not fully comprehend what they are defending or how the defenses work.

Cryptography and Security

Xiaotong Li

DOI: https://doi.org/10.1080/09537325.2020.1841158

2020-11-18

Technology Analysis and Strategic Management

Abstract:<span>With the development of information technology and the deepening of enterprise informatization, there are new challenges of enterprise information security investment decisions because of cooperative relationships among multi-enterprises. In this paper, the Gordon-Loeb model is extended to the multi-enterprise game environment, and combined with the probability of hacker invasion, which can stimulate enterprises to increase investment in information security and reduce costs, the game model of information security investment among complementary enterprises is constructed. Through this model, the impact of factors on optimal investment can be analyzed. It is found that the information security level of enterprises in cooperation situation is higher than that in the non-cooperation situation. Our research shows that the optimal investment will increase with the increase of the probability of one spread in cooperative situations, which is contrary to the changing trend of enterprises in non-cooperation situations, and there is a minimum expected cost threshold. According to the results, enterprise compensation mechanism and information sharing mechanism are designed to ensure the optimal level of social information security, it provides a new solution to deal with the information security investment decision of complementary enterprises under the characteristics of multi-enterprise and non-cooperative.</span>

management

Chaitanya Joshi,Jinming Yang,Sergeja Slapnicar,Ryan K L Ko

2024-11-28

Abstract:Protecting against cyber-threats is vital for every organization and can be done by investing in cybersecurity controls and purchasing cyber insurance. However, these are interlinked since insurance premiums could be reduced by investing more in cybersecurity controls. The expected utility theory and the prospect theory are two alternative theories explaining decision-making under risk and uncertainty, which can inform strategies for optimizing resource allocation. While the former is considered a rational approach, research has shown that most people make decisions consistent with the latter, including on insurance uptakes. We compare and contrast these two approaches to provide important insights into how the two approaches could lead to different optimal allocations resulting in differing risk exposure as well as financial costs. We introduce the concept of a risk curve and show that identifying the nature of the risk curve is a key step in deriving the optimal resource allocation.

Econometrics,Optimization and Control,Other Statistics