QM Logo ATI Logo Fabrizio

Mebomine Logo

Cybersecurity games and investments: A decision support approach

Emmanouil Panaousis, Andrew Fielder, Pasquale Malacaria, Chris Hankin and Fabrizio Smeraldi, in Proceedings of then 5th Conference on Decision and Game Theory for Security (GameSec 2014), Los Angeles (CA) USA, LNCS 8840, pp 266-286, Springer, 2014


In this paper we investigate how to optimally invest in cybersecurity controls. We are particularly interested in examining cases where the organization suffers from an underinvestment problem or inefficient spending on cybersecurity. To this end, we first model the cybersecurity environment of an organization. We then model non-cooperative cybersecurity control-games between the defender which abstracts all defense mechanisms of the organization and the attacker which can exploit different vulnerabilities at different network locations. To implement our methodology we use the SANS Top 20 Critical Security Controls and the 2011 CWE/SANS top 25 most dangerous software errors. Based on the profile of an organization, which forms its preferences in terms of indirect costs, its concerns about different kinds of threats and the importance of the assets given their associated risks we derive the Nash Equilibria of a series of control-games. These game solutions are then handled by optimization techniques, in particular multi-objective, multiple choice Knapsack to determine the optimal cybersecurity investment. Our methodology provides security effective and cost efficient solutions especially against commodity attacks. We believe our work can be used to advise security managers on how they should spend an available cybersecurity budget given their organization profile.

(Full text) (Slides) (Springer)

Backlinks: Publications