Cybersecurity Games and Investments: A Decision Support Approach

Emmanouil Panaousis, Andrew Fielder, Pasquale Malacaria, Chris Hankin, Fabrizio Smeraldi

Research output: Chapter in Book/Conference proceeding with ISSN or ISBN › Conference contribution with ISSN or ISBN

Abstract

In this paper we investigate how to optimally invest in cybersecurity controls. We are particularly interested in examining cases where the organization suffers from an underinvestment problem or inefficient spending on cybersecurity. To this end, we first model the cybersecurity environment of an organization. We then model non-cooperative cybersecurity control-games between the defender, which abstracts all defense mechanisms of the organization, and the attacker, which can exploit different vulnerabilities at different network locations. To implement our methodology we use the SANS Top 20 Critical Security Controls and the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Based on the profile of an organization, which forms its preferences in terms of indirect costs, its concerns about different kinds of threats and the importance of the assets given their associated risks, we derive the Nash Equilibria of a series of control-games. These game solutions are then handled by optimization techniques, in particular a multi-objective, multiple-choice Knapsack, to determine the optimal cybersecurity investment. Our methodology provides security-effective and cost-efficient solutions, especially against commodity attacks. We believe our work can be used to advise security managers on how they should spend an available cybersecurity budget given their organization profile.
Original language: English
Title of host publication: 5th International Conference, GameSec 2014
Place of publication: Switzerland
Publisher: Springer International Publishing
Pages: 266-286
Number of pages: 21
Volume: 8840
ISBN (Print): 9783319126005
DOIs: 10.1007/978-3-319-12601-2_15
Publication status: Published - 6 Nov 2014
Event: 5th International Conference, GameSec 2014 - California, US, 6-7 November 2014
Duration: 6 Nov 2014 → …

Publication series

Name: Lecture Notes in Computer Science

Conference

Conference: 5th International Conference, GameSec 2014
Period: 6/11/14 → …

Bibliographical note

The final publication is available at Springer via http://dx.doi.org/10.1007/978-3-319-12601-2_15.

Keywords

  • cybersecurity
  • game theory
  • optimization

Cite this

Panaousis, E., Fielder, A., Malacaria, P., Hankin, C., & Smeraldi, F. (2014). Cybersecurity Games and Investments: A Decision Support Approach. In 5th International Conference, GameSec 2014 (Vol. 8840, pp. 266-286). (Lecture Notes in Computer Science). Switzerland: Springer International Publishing. https://doi.org/10.1007/978-3-319-12601-2_15
@inproceedings{775a73ae22c24787ba97cb24cbd91ae2,
title = "Cybersecurity Games and Investments: A Decision Support Approach",
abstract = "In this paper we investigate how to optimally invest in cybersecurity controls. We are particularly interested in examining cases where the organization suffers from an underinvestment problem or inefficient spending on cybersecurity. To this end, we first model the cybersecurity environment of an organization. We then model non-cooperative cybersecurity control-games between the defender, which abstracts all defense mechanisms of the organization, and the attacker, which can exploit different vulnerabilities at different network locations. To implement our methodology we use the SANS Top 20 Critical Security Controls and the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Based on the profile of an organization, which forms its preferences in terms of indirect costs, its concerns about different kinds of threats and the importance of the assets given their associated risks, we derive the Nash Equilibria of a series of control-games. These game solutions are then handled by optimization techniques, in particular a multi-objective, multiple-choice Knapsack, to determine the optimal cybersecurity investment. Our methodology provides security-effective and cost-efficient solutions, especially against commodity attacks. We believe our work can be used to advise security managers on how they should spend an available cybersecurity budget given their organization profile.",
keywords = "cybersecurity, game theory, optimization",
author = "Emmanouil Panaousis and Andrew Fielder and Pasquale Malacaria and Chris Hankin and Fabrizio Smeraldi",
note = "The final publication is available at Springer via http://dx.doi.org/10.1007/978-3-319-12601-2_15.",
year = "2014",
month = "11",
day = "6",
doi = "10.1007/978-3-319-12601-2_15",
language = "English",
isbn = "9783319126005",
volume = "8840",
series = "Lecture Notes in Computer Science",
publisher = "Springer International Publishing",
pages = "266--286",
booktitle = "5th International Conference, GameSec 2014",

}
