Cybersecurity Games and Investments: A Decision Support Approach

Emmanouil Panaousis, Andrew Fielder, Pasquale Malacaria, Chris Hankin, Fabrizio Smeraldi

Research output: Chapter in Book/Conference proceeding with ISSN or ISBNConference contribution with ISSN or ISBNpeer-review


In this paper we investigate how to optimally invest in cybersecurity controls. We are particularly interested in examining cases where the organization suffers from an underinvestment problem or inefficient spending on cybersecurity. To this end, we first model the cybersecurity environment of an organization. We then model non-cooperative cybersecurity control-games between the defender which abstracts all defense mechanisms of the organization and the attacker which can exploit different vulnerabilities at different network locations. To implement our methodology we use the SANS Top 20 Critical Security Controls and the 2011 CWE/SANS top 25 most dangerous software errors. Based on the profile of an organization, which forms its preferences in terms ofindirect costs, its concerns about different kinds of threats and the importance of the assets given their associated risks we derive the Nash Equilibria of a series of control-games. These game solutions are then handled by optimization techniques, in particular multi-objective, multiple choice Knapsack to determine the optimal cybersecurity investment. Our methodology provides security effective and cost efficient solutions especially against commodity attacks. We believe our work can be used to advise security managers on how they should spend an available cybersecurity budget given their organization profile.
Original languageEnglish
Title of host publication5th International Conference, GameSec 2014
Place of PublicationSwitzerland
PublisherSpringer International Publishing
Number of pages21
ISBN (Print)9783319126005
Publication statusPublished - 6 Nov 2014
Event5th International Conference, GameSec 2014 - California, US, 6-7 November 2014
Duration: 6 Nov 2014 → …

Publication series

NameLecture Notes in Computer Science


Conference5th International Conference, GameSec 2014
Period6/11/14 → …

Bibliographical note

The final publication is available at Springer via


  • cybersecurity
  • game theory
  • optimization


Dive into the research topics of 'Cybersecurity Games and Investments: A Decision Support Approach'. Together they form a unique fingerprint.

Cite this