© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
J. G. Oakley et al., Theoretical Cybersecurity, https://doi.org/10.1007/978-1-4842-8300-4_9

9. Cybersecurity and Game Theory

Dr. Jacob G. Oakley (1), Michael Butler (2), Wayne York (1), Dr. Matthew Puckett (3) and Dr. J. Louis Sewell (3)

(1) Owens Cross Roads, AL, USA
(2) Arlington, VA, USA
(3) Huntsville, AL, USA

Game theory is the mathematical study of interactions between players. It has been applied extensively to social sciences such as economics. Cybersecurity has a social component in the sense that players can have co-operative or adversarial relationships. We will frame cybersecurity in terms of game theory. Note that many concepts elsewhere in the book can be analyzed using game theory.

We will begin with a contrived example to illustrate the benefit of modeling cybersecurity using game theory. This example is not realistic; it is only intended to illustrate a key difference between game theory models and other methods for analyzing cybersecurity problems. We will construct more realistic models in the next chapter.

For completeness, we will give a brief explanation of expected value. Intuitively, expected value is an average of possible payoffs weighted by probability. We use the term payoff in order to be consistent with game theory terminology. For example, the calculation of expected payoff from Figure 9-1 is the following: EV = 0.1(20) + 0.2(10) + 0.3(5) + 0.4(0). Note that expected value can be positive, negative, or zero. We will use the terms expected gain and expected loss to emphasize that expected value is positive or negative, respectively.

Figure 9-1. Expected Value Example

Our example game has two players, one attacker and one defender. The game occurs in two stages. In the first stage, the defender chooses how many units to spend on cybersecurity. In the second stage, the attacker chooses whether or not to attack. If the defender spent 0 units, the attack will be successful with probability 1. For each unit thereafter, the probability that the attack will be successful decreases by half. The attacker must spend 1 unit in order to attack. If the attack is successful, the attacker gains 10 units, and the defender loses 10 units. We will assume that the attacker will attack if the expected value of the attack is greater than the cost. In other words, the attacker will attack if 10p > 1, where p is the probability that the attack is successful.

Suppose the defender tries to develop a strategy without considering the attacker’s strategy. The defender reasons as follows. It is worthwhile to spend 1 unit on cybersecurity if it decreases the defender’s expected loss from an attack by more than 1. Otherwise, it is not worthwhile. The calculations of the defender’s expected net loss are summarized in Figure 9-2. The defender chooses to spend 3 units, and the probability of success of the attack is $$ p=\frac{1}{8} $$. The attacker chooses to attack, since the expected gain from the attack is $$ \frac{1}{8}\cdot 10=1.25 $$, which is greater than the 1 unit spent to attack. The attacker’s expected net payoff is 1.25 − 1 = 0.25. The defender’s expected net loss is 3 + 1.25 = 4.25. The expected loss consists of the 3 units spent on cybersecurity and the expected 1.25 loss from the cyberattack.

Suppose that the defender has complete information about the attacker. That information includes the attacker’s payoffs and strategy. In that case, the defender can improve by utilizing game theory. The attacker will choose to attack if the probability of success is greater than $$ \frac{1}{10} $$, since the expected gain from the attack is greater than 1 unit. Similarly, the attacker will choose not to attack if the probability of success is less than $$ \frac{1}{10} $$. The calculations are summarized in Figure 9-3. The optimum strategy for the defender is to spend 4 units on cybersecurity. In that case, the attacker chooses not to attack and has a payoff of 0. The defender’s expected loss is 4.
Figure 9-2. Defender’s Expected Loss Assuming Attack Occurs

Without considering the attacker’s strategy, the defender concluded that it was not worthwhile to spend the fourth unit on cybersecurity. The flaw in that reasoning was not considering that the defender can influence the attacker’s behavior. The evolution of strategy is a key concept in modeling cybersecurity using game theory. Attackers are always adapting to defenders, and defenders are always adapting to attackers. Changing the strategy of key players can influence the entire game.
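The two-stage game above, worked through in code as an added example (this is not code from the book or its authors). The payoff rules, the halving of the success probability per unit, and the attacker's "attack iff 10p > 1" rule are the chapter's; the function names and the 10-unit search limit are this example's own, and exact fractions are used so the tabulated values match Figures 9-2 and 9-3 without rounding.

```python
from fractions import Fraction

# Expected value of a list of (probability, payoff) pairs, as in Figure 9-1.
def expected_value(outcomes):
    return sum(p * v for p, v in outcomes)

# Figure 9-1's distribution: EV = 0.1(20) + 0.2(10) + 0.3(5) + 0.4(0).
FIGURE_9_1 = [(Fraction(1, 10), 20), (Fraction(1, 5), 10),
              (Fraction(3, 10), 5), (Fraction(2, 5), 0)]

ATTACK_COST = 1    # units the attacker must spend to attack
PRIZE = 10         # attacker's gain and defender's loss if the attack succeeds

def success_probability(units):
    """0 units -> certain success; each further unit halves the probability."""
    return Fraction(1, 2 ** units)

def attacker_attacks(units):
    """The chapter's attacker rule: attack iff 10p > 1."""
    return PRIZE * success_probability(units) > ATTACK_COST

def naive_defender_spend(max_units=10):
    """Defender who ignores the attacker's strategy (Figure 9-2): keep buying
    units while each one lowers the expected loss, assuming an attack occurs,
    by more than its price of 1."""
    units = 0
    while units < max_units:
        saved = PRIZE * (success_probability(units) - success_probability(units + 1))
        if saved <= 1:
            break
        units += 1
    return units

def attacker_net_payoff(units):
    """Attacker's expected net payoff given the defender's spend."""
    if not attacker_attacks(units):
        return Fraction(0)
    return PRIZE * success_probability(units) - ATTACK_COST

def defender_net_loss(units):
    """Spend plus expected loss from the attack, taking the attacker's
    actual decision into account (Figure 9-3)."""
    expected_loss = PRIZE * success_probability(units) if attacker_attacks(units) else 0
    return units + expected_loss

def game_theoretic_defender_spend(max_units=10):
    """Defender with complete information about the attacker: pick the spend
    that minimises net loss given how the attacker will respond to it."""
    return min(range(max_units + 1), key=defender_net_loss)

if __name__ == "__main__":
    print("Figure 9-1 EV:", expected_value(FIGURE_9_1))
    print("units  p  attack?  attacker_net  defender_loss")
    for u in range(6):
        print(u, success_probability(u), attacker_attacks(u),
              attacker_net_payoff(u), defender_net_loss(u))
    print("naive spend:", naive_defender_spend())
    print("game-theoretic spend:", game_theoretic_defender_spend())
```

Running the block prints the Figure 9-3 table for 0 to 5 units: the naive rule stops at 3 units with a net loss of 4.25, while the rule that accounts for the attacker's response stops at 4 units with a net loss of 4, which is exactly the fourth-unit decision the text contrasts.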

The remainder of the chapter presents elementary concepts of game theory in the context of cybersecurity. We will not assume any knowledge of advanced mathematics. Therefore, terms and concepts will be described using plain language. Our goal is to present game theory in a way that is intuitive to understand while still being consistent with a more rigorous approach.
Figure 9-3. Attacker and Defender EV Assuming Optimal Attacker Strategy

The Infinite Cybersecurity Game

Game theory models are usually constructed with many simplifying assumptions so that conclusive analysis can be done. Instead of incorporating simplifying assumptions immediately, we will begin by outlining how to construct a game theory model for cybersecurity as a whole. Previous work in this area has focused mainly on the interaction between an attacker and defender during a single cyberattack. We are concerned with attacker and defender strategies over time and how those strategies evolve.

For the purposes of this model, we will consider the cybersecurity game to be infinite. Technically, it is a finite game with unknown duration which ends when cybersecurity is no longer relevant. Many games have discrete stages, but events in the cybersecurity game occur in real time.

In the following sections, we will define key terms related to game theory. We will also describe the related elements of the cybersecurity game.

Players in the Cybersecurity Game

We place two requirements for an individual or organization to be considered a player in the cybersecurity game: the player must have the ability to protect or compromise cyber assets, and the player must experience gain or loss from doing so. The ability to protect or compromise cyber assets may be either direct or indirect. For example, an individual may discover and publicize software exploits, but not make use of them. The gain or loss may be financial or otherwise. For example, if an individual launches cyberattacks for fun, then fun is the gain.

We will define several categories of players in the cybersecurity game. Attackers attempt to directly compromise cyber assets in order to realize some gain. As discussed regarding the 1-9-90 principle in Chapter 3, the types and capabilities of attackers vary greatly. Attackers include nation-states, criminal organizations, and lone individuals. Defenders attempt to directly protect cyber assets in order to prevent losses. Defenders include government agencies, corporations, and individuals with personal computers.

Other types of players influence the cybersecurity game without directly interacting with cyber assets. Governments/law enforcement attempt to protect cyber assets by passing and enforcing laws. Cybersecurity providers attempt to protect cyber assets by providing hardware, software, and services. While cybersecurity providers experience gains and losses based on earnings, cybersecurity outcomes influence those earnings.

In many games, there is a concept of “nature.” Essentially, nature is responsible for all actions which affect a game other than those by a player. (Note that nature is sometimes described as a player in the game, but we are making a distinction for simplicity.) For the purposes of analysis, one could consider the less important players to be part of nature.

States in the Cybersecurity Game

The state of the cybersecurity game contains all information relevant to the current situation in the game, including the past history of the game. As the game progresses, it moves from one state to another. It is not possible to describe the state of the cybersecurity game fully due to the large amount of relevant information. Instead, we will give examples of different types of information contained in the game’s state. That information includes the following:
  • The resources available to each player

  • The current state of all cyber assets

  • The knowledge and beliefs of each player

  • Current laws related to cybersecurity

  • The history of actions by attackers, defenders, and law enforcement

From those examples alone, it is clear that the cybersecurity game’s state contains an unwieldy amount of information. For the purposes of practical analysis, only the most important information is considered. The examples in the next chapter illustrate how to reduce the game’s state to a reasonable amount of information.

Actions in the Cybersecurity Game

The cybersecurity game is a simultaneous game. Actions occur in real time, and players are unaware of the actions of most other players. The actions available depend on the state of the game. Examples of actions are the following:
  • A player accruing resources such as personnel

  • An attacker selecting a target

  • A defender securing cyber assets

  • Conducting or responding to a cyberattack

  • Developing cybersecurity products

  • Passing and enforcing cybersecurity laws

Note that some of the preceding actions are long-term, and some are short-term. Recruiting personnel, setting up defenses of cyber assets, and passing laws are long-term actions with long-term consequences. Selecting targets, conducting a cyberattack, and responding to an immediate cyberattack are short-term actions with immediate consequences.

Payoffs in the Cybersecurity Game

A payoff is a gain or loss for a player in a game. In the cybersecurity game, we will consider payoffs to be equivalent to an amount of currency. It may not be obvious how to convert different types of gains or losses into currency. The following examples illustrate how that could be done. We referenced before an attacker who engages in cyberattacks for fun. There is probably an amount of currency, either a positive gain or a negative loss, that would convince the attacker to cease. That amount of currency would be the equivalent of fun for that attacker. Nation-states typically pursue strategic objectives. There is a maximum amount of currency a nation-state would be willing or able to invest in order to ensure attaining an objective. That amount of currency is the financial equivalent of the objective.

Every expenditure of money, time, or resources is a negative payoff. Attackers only realize positive payoffs after a successful attack. Rational attackers attempt to maximize net payoff. Investing in cybersecurity is a negative payoff for defenders, but the intention is to eliminate or reduce losses from successful cyberattacks. Rational defenders attempt to minimize losses.

Payoffs for other players are more difficult to model. One could consider earnings to be the payoff for cybersecurity providers, but that is blending the cybersecurity game with an economic game. One possibility for determining government payoffs is to consider long-term tax revenue. In that model, a rational government would address cybersecurity in the way that would maximize corporate and individual tax revenue over time.

The preceding discussion referenced how rational players would act. Not every player in the cybersecurity game is rational. Players may not understand which actions are in their best interest, or players may disregard payoffs altogether. Any analysis must account for the possibility of irrational players.

Knowledge and Beliefs in the Cybersecurity Game

The cybersecurity game is a game of incomplete and imperfect information. Essentially, players in the cybersecurity game are ignorant of much information: the number and identity of other players, the state of the game, the strategies of other players, the payoffs of other players, etc. Certain types of information can be especially valuable. For example, if an attacker has inside knowledge about a defender, a successful attack is more likely. If a defender has knowledge about the number and types of attackers who will target that defender, then the defender can more optimally allocate resources.

Since knowledge is limited in the cybersecurity game, we will introduce the notion of belief. For our purposes, a player’s beliefs contain all of the player’s knowledge together with all of the player’s assumptions. To be mathematically precise, assumptions would be modeled with a probability distribution. For example, suppose an attacker estimates a payoff of $10,000 from a successful attack against a defender. That could be modeled using a normal distribution with mean $10,000 and some specified variance. In practice, the attacker may express the assumption more simply. A payoff within the range of $7,500–$12,500 could be within the attacker’s expectation, but the attacker would be surprised to receive a payoff of only $1,000.

Generally, a player’s beliefs contain some level of inaccuracy. Also, note that beliefs can change frequently. As a player gains more information, that player will also update related assumptions. Finally, beliefs can be either explicit or implicit. If we assume that a player is rational, we can infer a range of underlying beliefs from the player’s strategy.

We will now give some examples of common beliefs. When an attacker assesses a defender, the attacker makes several assumptions: the probability of success of an attack, the time and resources required to execute an attack, and the likely payoff if the attack is successful. Defenders make similar assumptions: the types of likely attackers, the probability of a successful attack, and the damages from a successful attack. The cost-benefit analysis discussed in Chapter 3 depends on the beliefs of the player. Inaccurate beliefs lead to faulty analysis, which can lead to a significant reduction in payoff.

Now, we will clarify why this concept is essential. The strategy of the players in the cybersecurity game depends on the beliefs of the players. If it is possible to influence a player’s beliefs, then it is also possible to influence that player’s strategy. If an attacker believes that it is unprofitable to attack a defender (or that it is more profitable to attack another defender), then a rational attacker will not even make an attempt against that defender.
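An added example (not code from the book or its authors) of the belief modelling described in the preceding paragraphs: the attacker's $10,000 payoff estimate as a normal distribution, the $7,500–$12,500 range and the surprising $1,000 outcome, a belief update as information arrives, and the resulting change in the attack decision. The mean and the ranges are the chapter's; the standard deviation of $1,250, the Bayesian normal-normal update rule, the $8,000 observation, and the 0.05 success probability and 475 attack cost are this example's assumptions.

```python
from statistics import NormalDist

PRIOR_MEAN = 10_000.0   # the chapter's estimated payoff
PRIOR_SD = 1_250.0      # assumed: the chapter says only "some specified variance"

def belief(mean=PRIOR_MEAN, sd=PRIOR_SD):
    """An attacker's belief about a payoff, modelled as a normal distribution."""
    return NormalDist(mean, sd)

def probability_in_range(dist, low, high):
    """How much probability the belief puts on a payoff between low and high."""
    return dist.cdf(high) - dist.cdf(low)

def surprise(dist, payoff):
    """Probability of receiving `payoff` or less; a tiny value means the
    attacker would be surprised by such an outcome."""
    return dist.cdf(payoff)

def update_belief(prior, observation, observation_sd):
    """Assumed update rule: a Bayesian normal-normal update with a noisy
    observation of the payoff. Precisions (1/variance) add; the posterior mean
    is the precision-weighted average of the prior mean and the observation."""
    prior_prec = 1.0 / prior.stdev ** 2
    obs_prec = 1.0 / observation_sd ** 2
    post_var = 1.0 / (prior_prec + obs_prec)
    post_mean = post_var * (prior_prec * prior.mean + obs_prec * observation)
    return NormalDist(post_mean, post_var ** 0.5)

def would_attack(dist, success_probability, attack_cost):
    """Strategy depends on belief: attack iff expected gain exceeds cost,
    using the belief's mean as the expected payoff on success."""
    return success_probability * dist.mean - attack_cost > 0

if __name__ == "__main__":
    prior = belief()
    print("P(7,500..12,500):", round(probability_in_range(prior, 7_500, 12_500), 4))
    print("P(<= 1,000):     ", surprise(prior, 1_000))
    post = update_belief(prior, observation=8_000.0, observation_sd=1_250.0)
    print("posterior mean/sd:", round(post.mean), round(post.stdev))
    for label, d in (("prior", prior), ("posterior", post)):
        print(label, "attack?", would_attack(d, 0.05, 475.0))
```

With the assumed standard deviation, the $7,500–$12,500 band carries about 95% of the belief while a $1,000 payoff is effectively impossible, matching the chapter's description. After one observation of $8,000 the posterior mean moves to $9,000 and the expected gain drops below the assumed cost, so the same rational attacker switches from attacking to not attacking: the belief change alone changed the strategy.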

That introduces the concept of reputation. We will define reputation as the set of beliefs other players have about a specified player. That includes information about the player’s resources, payoffs, and strategy. A player can attempt to create a specific reputation by taking calculated actions. For example, law enforcement can strongly pursue every attacker who targets critical infrastructure. That increases the possibility of criminal or civil penalties for an attacker, thus making it less profitable to attack those targets.

Modeling the Cybersecurity Game

Constructing a realistic model of the entire cybersecurity game would require collecting a large amount of data. It would also require many assumptions to fill in missing information. First, the players would need to be identified. Some players could be identified using public information: governments, cybersecurity providers, and high-profile defenders (such as corporations). Low-profile defenders, such as individuals with personal computers, would be harder to identify, but the number could be estimated.

Attackers are much harder to identify. The number and types of attackers could be estimated by using information from known cyberattacks. Multiple attackers with similar strategies could be treated as a single player for the purposes of the game theory model. Since this approach does not consider unknown attacks, the estimate based on known attacks could be highly inaccurate.

Collecting information about resources, payoffs, beliefs, and strategies of players would be even more difficult. Constructing a full, realistic model is impractical for most applications. For the purposes of analysis, models are constructed using many simplifying assumptions. Examples are given in the next sections and the next chapter.

Analysis of the Cybersecurity Game

We will use the following problem to illustrate analysis of cybersecurity using game theory. Suppose there is a group of similar corporations who all meet the same cybersecurity standard. In game theory terms, an attacker would expect similar costs to attack each corporation and similar gains upon success. We will analyze the effects of corporations upgrading their cybersecurity above the standard or downgrading it below the standard.

Our example game contains one attacker and six defenders. Each defender will choose whether to maintain the standard level of cybersecurity, upgrade, or downgrade. Then, the attacker will launch attacks against three of the defenders. We will assume that four of the defenders maintain the same level of security, one upgrades, and one downgrades. Now, we will define the game state from the attacker’s perspective.

The attacker must pay a fixed cost to complete an attack against each defender. The cost is 5 for the defenders who maintained the standard level of security, 10 for the defender who upgraded, and 1 for the defender who downgraded. From the attacker’s perspective, the gain is approximately 100 for each defender. The information is summarized in Figure 9-4.
Figure 9-4. Attacker’s Net Payoff from Attacking Each Defender

A rational attacker would attack defender F and choose two targets randomly from defenders B, C, D, and E. Even though it is profitable to attack defender A, it is more profitable to attack the other defenders. Therefore, upgrading cybersecurity discouraged the attack from occurring, and downgrading made the attack a certainty. Now, we must translate our analysis into a hypothesis about cybersecurity. We will illustrate how not to do this first in order to make an important point.

Absurd Hypothesis: Corporations who exceed the standard for cybersecurity will never be attacked, and corporations who have substandard cybersecurity will always be attacked first.

The problem with this hypothesis is that it does not incorporate the assumptions of the model. Because the model is greatly simplified, there are many assumptions. Some of the relevant assumptions are the following:
  • The attacker cannot complete attacks against every defender.

  • The attacker is aware of the level of cybersecurity for each defender.

  • The attacker is rational.

  • The attacker considers net gain when discriminating among targets.

The first assumption is plausible. Assuming each attack requires a considerable amount of time, an attacker must choose which defenders to target and which to ignore. The second assumption is an important addition to the hypothesis. The upgrades and downgrades to cybersecurity must be apparent to an attacker in order to influence the attacker’s behavior. The third and fourth assumptions are true in some cases, but not in others. If we assume that a significant percentage of attackers are rational and consider net gain, then the game still implies a change in attacker behavior overall. Therefore, we can formulate the following hypothesis.
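The six-defender game of Figure 9-4 as an added example (not code from the book or its authors), with the second assumption made explicit: an `apparent` flag per defender says whether the attacker can see the upgrade or downgrade, and a change that is not apparent is perceived at the standard cost. The defender labels, the costs of 10, 5 and 1, the gain of 100 and the limit of three attacks are the chapter's; the function names, the flag and the tie-breaking-by-uniform-random-choice rule are this example's assumptions.

```python
import random
from collections import Counter

GAIN = 100            # attacker's approximate gain from any defender
STANDARD_COST = 5     # cost to attack a defender at the standard level
ATTACKS = 3           # the attacker can complete only three attacks
# True attack cost per defender (Figure 9-4): A upgraded, F downgraded.
TRUE_COST = {"A": 10, "B": 5, "C": 5, "D": 5, "E": 5, "F": 1}

def perceived_costs(true_cost, apparent):
    """Second assumption made explicit: where a defender's change from the
    standard is not apparent, the attacker assumes the standard cost.
    `apparent` maps defender -> bool; defenders not listed are assumed visible."""
    return {d: c if apparent.get(d, True) else STANDARD_COST
            for d, c in true_cost.items()}

def net_payoffs(costs, gain=GAIN):
    return {d: gain - c for d, c in costs.items()}

def attack_probabilities(costs, attacks=ATTACKS):
    """Probability each defender is attacked by a rational attacker who takes
    the `attacks` best net payoffs and breaks ties uniformly at random."""
    payoff = net_payoffs(costs)
    cutoff = sorted(payoff.values(), reverse=True)[attacks - 1]
    above = sum(1 for v in payoff.values() if v > cutoff)
    tied = sum(1 for v in payoff.values() if v == cutoff)
    tie_share = (attacks - above) / tied
    return {d: 1.0 if v > cutoff else (tie_share if v == cutoff else 0.0)
            for d, v in payoff.items()}

def choose_targets(costs, attacks=ATTACKS, rng=random):
    """One play of the game: the attacker's chosen set of defenders."""
    payoff = net_payoffs(costs)
    chosen, remaining = [], set(payoff)
    while len(chosen) < attacks and remaining:
        best = max(payoff[d] for d in remaining)
        tier = sorted(d for d in remaining if payoff[d] == best)
        slots = attacks - len(chosen)
        chosen.extend(tier if len(tier) <= slots else rng.sample(tier, slots))
        remaining -= set(tier)
    return set(chosen)

def attack_frequencies(costs, trials=10_000, seed=0):
    """Simulated check of attack_probabilities over repeated plays."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        counts.update(choose_targets(costs, rng=rng))
    return {d: counts[d] / trials for d in costs}

if __name__ == "__main__":
    print("all changes apparent:", attack_probabilities(perceived_costs(TRUE_COST, {})))
    print("A's upgrade hidden:  ", attack_probabilities(perceived_costs(TRUE_COST, {"A": False})))
    print("F's downgrade hidden:", attack_probabilities(perceived_costs(TRUE_COST, {"F": False})))
    print("simulation:", attack_frequencies(perceived_costs(TRUE_COST, {})))
```

When every change is apparent, F is attacked with certainty, A never, and B–E with probability 0.5 each, as the text concludes. Hiding A's upgrade puts A back into the tie with B–E (probability 0.4 each), and hiding F's downgrade makes F just another standard defender: the upgrade or downgrade changes attacker behaviour only to the extent the attacker perceives it, which is why the hypothesis has to carry that condition.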

Hypothesis: If upgrades or downgrades are apparent to an attacker, corporations who exceed the standard for cybersecurity are less likely to be attacked, and corporations who have substandard cybersecurity are more likely to be attacked.

This hypothesis is important because it suggests a dual benefit from investing in cybersecurity. Not only does improving cybersecurity make attacks less likely to succeed but it also makes them less likely to occur. Thus, improved cybersecurity will have a greater benefit than expected.
Figure 9-5. Steps to Apply Game Theory to Cybersecurity

We still cannot assert that the hypothesis is correct. Any conclusion is only as valid as the underlying assumptions. In a game as complicated as the cybersecurity game, it is not possible to identify and evaluate every assumption. Therefore, the hypothesis must be tested in practice. By collecting data about attacks against similar corporations with different levels of cybersecurity, statistics would either support or contradict the hypothesis.

This example showed how to apply game theory to cybersecurity practically. Construct a simplified model to study the topic of interest, and analyze that model. Make a hypothesis based on that analysis which incorporates the relevant assumptions. Finally, test the hypothesis to determine whether it is valid in practice. The process is summarized in Figure 9-5.

Subgame Analysis

The next chapter outlines a game which can be separated into multiple discrete steps. Analysis of the entire game can be simplified by analyzing each subgame, starting at the end of the game. We will illustrate this with a simple example.

The first step of our example game involves two players, an attacker and a defender. The attacker launches a cyberattack against the defender in order to gain access to valuable data. The attacker utilizes a series of actions in order to attain the goal. The defender may or may not respond to the cyberattack in progress. Ultimately, the attacker either acquires the data or ceases the attack.

In the second step of the game, the attacker (who is now a seller) and a buyer engage in a sequential bargaining game. The attacker makes an initial offer to sell the data. The buyer can accept the offer, make a counteroffer, or cease negotiations. Alternating counteroffers continue until one player either accepts the offer or stops bargaining. The attacker’s net payoff from the entire game is the revenue from the data minus the cost of the cyberattack and the cost of bargaining. The game from the attacker’s point of view is summarized in Figure 9-6.
Figure 9-6. Game from the Attacker’s Point of View

The bargaining step is an example of a subgame. Once the attacker has acquired the data, the sequential bargaining game can be analyzed independently without considering the step that preceded it. Now, we will clarify why this concept is useful. When determining whether or not to initiate or continue the cyberattack, the attacker must consider both the attack step and the bargaining step of the game. This analysis can be simplified by reducing the bargaining subgame to its expected payoff.

Based on the attacker’s beliefs, the attacker can estimate the likely outcomes of the bargaining subgame. To be precise, this estimate would be represented with a probability distribution. Instead, we will assume that the attacker is only concerned about the expected value. Regardless of how the attacker performs the analysis, the bargaining subgame can be reduced to a single expected payoff. The reduced game is represented in Figure 9-7.

Once the game has been reduced, the attacker only needs to consider the cost of the attack and the probability of success when determining whether the cyberattack will be sufficiently profitable. Note that the analysis of subgames and corresponding reduction of the entire game can be repeated any number of times. This allows each discrete step of a game to be analyzed independently.
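The subgame reduction described in this section, as an added example that is not code from the book or its authors. The structure (an attack step followed by a sequential bargaining subgame, with net payoff = revenue − attack cost − bargaining cost) is the chapter's; the table of bargaining outcomes, their probabilities, the per-round bargaining cost, and the function names are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BargainingOutcome:
    probability: float   # attacker's belief that bargaining ends this way
    revenue: float       # price the buyer pays for the data (0 if talks break down)
    rounds: int          # offers and counteroffers exchanged before it ends

ROUND_COST = 50.0  # assumed cost to the attacker of each bargaining round

def bargaining_payoff(outcome, round_cost=ROUND_COST):
    """Net payoff of one way the bargaining subgame can end."""
    return outcome.revenue - outcome.rounds * round_cost

def reduce_subgame(outcomes, round_cost=ROUND_COST):
    """Collapse the bargaining subgame to its expected payoff (Figure 9-7).
    The outcomes are the attacker's belief, so they must form a distribution."""
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities sum to {total}, not 1")
    return sum(o.probability * bargaining_payoff(o, round_cost) for o in outcomes)

def attack_expected_net(success_probability, attack_cost, subgame_value):
    """Whole-game expected net payoff once the subgame is a single number:
    the attack cost is paid either way, the data is sold only on success."""
    return success_probability * subgame_value - attack_cost

def should_attack(success_probability, attack_cost, outcomes):
    """Backward induction: reduce the later step first, then decide the earlier one."""
    value = reduce_subgame(outcomes)
    return attack_expected_net(success_probability, attack_cost, value) > 0

# Constructed belief about how bargaining could end.
OUTCOMES = [
    BargainingOutcome(0.4, 5000.0, 1),   # buyer accepts the initial offer
    BargainingOutcome(0.4, 3500.0, 3),   # settle after two counteroffers
    BargainingOutcome(0.2, 0.0, 2),      # buyer walks away; rounds still cost
]

if __name__ == "__main__":
    value = reduce_subgame(OUTCOMES)
    print("bargaining subgame reduced to:", value)
    for p in (0.5, 0.2):
        print(f"success probability {p}: attack?", should_attack(p, 1000.0, OUTCOMES))
```

With these constructed numbers the bargaining subgame reduces to 3300; at a 50% chance of acquiring the data the attack is worth starting (expected net 650), at 20% it is not. The same reduction can then be applied one level up: the attack step is now itself a single expected value that any preceding step, such as choosing among several defenders, can use without re-examining the bargaining.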
Figure 9-7. Reduced Game from the Attacker’s Point of View
