Game Theory in Cybersecurity
With each passing day, companies need to improve their technology to remain competitive in the market. However, changing technology also introduces new vulnerabilities which may lead to increasing cyber-attacks. As a result, cybersecurity (reducing vulnerabilities to possible cyber-attacks) is one of the biggest concerns in the 21st century. However, another problem associated with cybersecurity is the lack of adequate funding for it. The paper provided in the link discusses about how companies often suffer from inadequate funding for cybersecurity. The low budget allocated to cybersecurity is generally unable to provide coverage to their important digital resources, thereby exposing them to deadly cyber-attacks. The paper also mentions that around 86% of Chief Information Security Officers are faced with this dilemma. Therefore, amount of investment in cybersecurity has become a “game”, where the payoffs can either fuel the growth of a company or lead it to its downfall.
The given paper introduces a method to determine the fraction of budget that should be allocated to cybersecurity. The first step of the method involves modelling of the cybersecurity environment of the company. Moreover, a strategy is formulated by performing risk analysis of the data assets of the company. Now based on this strategy and the risk assessments, a series of ‘control games’ are formulated to model the interactions between two players of the ‘game’ – Defender (D) and Attacker (A). The defender D strives to defend the company’s data assets by reducing cybersecurity-related risks while the Attacker A strives to attack the defender’s data asset by exploiting the vulnerabilities. It takes the form of a zero-sum game. In order to minimize the damage inflicted by the attacker, defender D aims to implement the cybersecurity controls in such a way so that the Nash Equilibrium is attained. In the end, the equilibriums of these games are then processed by various optimisation techniques to determine the optimal cybersecurity investment.
In conclusion, the paper uses the concepts of Game Theory to determine the optimal level of investment in cybersecurity for a company.
Link: http://www.eecs.qmul.ac.uk/~pm/GameSecCameraready.pdf