Does game theory actually work in cybersecurity?
Traditional game theory uses rational choice theory to determine the most beneficial choice for all players in a game. Traditional game theory would expect rational players to maximize their rewards or payoffs. Using this theory, we can relate the game theory to cybersecurity. Let’s say there are two players, a defender and an attacker, with the rewards based on the values of the asset to the organization and consumer trust maintenance for a defender, and the value of assets and resources for an attacker. We can find the Nash equilibrium that maximizes the rewards for both players, depending on the situation. If there is no pure strategy equilibrium, we can also find the mixed strategy Nash equilibrium with randomization as shown in this article.
However, we should ask ourselves the fundamental question: does traditional game theory work in real world? Should we assume players are rational and all-knowing in real life? There should be more factors that we should consider when applying game theory to the industry. The presentation by Kelly Shortridge explains a new framework for modeling the information security game based on behavioral insights.
People predict their opponent’s moves by either “thinking” or “learning”. They “think” how opponents are likely to respond and “learn” based on prior games. Furthermore, people have different learning rates and experiences. Providing various possible factors of defenders and attackers, the presenter suggests applying behavioral game theory to the defender’s strategic decision-making process such as SWOT analysis, thinking exploitation, learning exploitation and minimax. In summary, this behavioral framework would help to gain perspective and improve threat modeling.
This presentation provides a practical implementation of game theory in the industry. It also explains how we can improve security based on our own needs and situation. The presentation allowed me to think beyond the game theory we covered in class by incorporating human behavioral factors in cybersecurity. It made me wonder, with all possible resources and scenarios, what other factors can affect modeling the strategy. Also, it was interesting for me to consider what would be the practical and optimal defensive model for cybersecurity as an engineer.