
The Applicability of Game Theory in Cybersecurity Defense Decision-Making

by

Shanice Gilkes

A Capstone Project Submitted to the Faculty
Utica University
May 2022

in Partial Fulfillment of the Requirements for the Degree of

Master of Science in Cybersecurity


© Copyright 2022 by Shanice Gilkes

All Rights Reserved


Abstract

Cybersecurity threats have increased significantly over time. Cybersecurity professionals have been attempting various solution models in response to this trend. Many of these models, including the Fault Tree Analysis (FTA) and Q-Learning, have major weaknesses like providing an insufficient possible range of options for cybersecurity professionals to respond to the ever-changing threat of cyber-attackers. The purpose of the current research was to explore game theory security models to investigate whether they can effectively provide cybersecurity professionals with a wide range of options for responding to cybersecurity threats effectively and efficiently. The researcher sampled a wide range of credible scholarly articles from Utica University's online library for review on the topic of study. The study findings showed that game theory models could be an excellent tool for responding to cybersecurity threats. They rely on proven mathematical models that can model probabilities to predict attack patterns. Game theory models rely on behavior and situation analysis, allowing cyber security professionals to understand possible patterns of attack upfront and respond accordingly. Cyber security professionals can use either cooperative, non-cooperative, or static models, thus effectively modeling solutions. Game theory models can quantitatively detect cyber-related risks and provide cyber security professionals with appropriate metrics to implement in response to the risks. Further, the findings showed that game theory models are a versatile tool, providing cybersecurity professionals with methods for analyzing the interconnected nature of cyber systems, as is the case in government and large corporations' cyberinfrastructures.

Keywords: Cybersecurity, Professor Carmen Mercado, internet, cybercriminals, cybersecurity professionals.

Acknowledgments

I want to use this opportunity to acknowledge all those who played a role in making this work a success. First of all, I would like to mention the immense input of Professor Carmen Mercado, whose guidance was very inevitably helpful in allowing me to tune the study in the right direction, right from its conceptualization to the final details. I also acknowledge the input of Professor Zambotti and my second reader, Professor William Hagestad. They further helped ensure that I was editing the work in the best ways possible to make it professional and scholarly content for this level of study. I am also very thankful to my mother, brothers, and sisters, who were all very understanding over the time I was working on the capstone research paper and provided me with all the support that I needed from them to make the work a success.

Table of Contents

List of Illustrative Materials

Applicability of Game Theory in Cybersecurity Defense Decision Making
    Background of the Problem
    Problem Statement
    Purpose of the Study
    Gaps in Literature
    Audience of the Study
    Research Questions
Literature Review
    Overview of the Concept of Game Theory
    Adaptive Threats
    Adaptive Defense
    Current Areas of Application
    Evaluation of the Effectiveness of Game Theory as a Model for Decision Making
    Potential Areas of Criticism of Game Theory
Discussion of the Findings
    The General and Specific Problem
    Models for Cybersecurity Crime Responses
        The Fault Tree Analysis (FTA) Model
        The Q-Learning Model
Recommendations
Conclusion
References

List of Illustrative Materials

Figure 1 – FTA Model
Figure 2 – General Outlook of Two-Way Signaling Game
Figure 3 – Two-Way Signaling Game Attacker Actions Probability Tree
Figure 4 – Two-Way Signaling Game Defender Actions Probability Tree

Applicability of Game Theory in Cybersecurity Defense Decision Making

The world has witnessed a substantial revolution in almost every sphere of life through the increased use of the Internet to perform tasks that traditionally could only be carried out by people in person. From online education to online transactions and even medication consultations, more and more people have turned to the Internet to carry out transactions and activities that would otherwise be required to take place physically. Unfortunately, this increase in the traffic going to various internet platforms has been met with a substantial increase in the threat of attack by cybercriminals. The threat of a cybersecurity attack is significant in terms of the costs that a successful cyberattack can incur, and such attacks have previously been very costly to individuals and corporations, including national governments (Ho et al., 2022). For instance, attacks like the one that caused the Finance Department and Treasury Board to disconnect from the internet in 2011 and the 2014 incident involving the hacking of Sony Pictures show that cybercriminals can direct their attacks at anyone, including private citizens or organizations and even government agencies (Do et al., 2017). The increase in the degree of cyber-attacks and in the damage they cause links directly to several factors that motivate the cybercriminals who perpetrate such Internet crimes. According to Cuong et al. (2017), the core among these favorable factors for cybercriminals is the plenty of personal data that organizations are increasingly storing in the cloud to facilitate smooth online transactions. Another is the lack of robust cybersecurity models that allow cybersecurity professionals to respond effectively and in a timely manner to attacks when they have happened. As used in cyber security, personal data is any identifiable information, including but not limited to a personal social security number, personal national identification number, personal bank account details, and personal mobile number, that belongs to a particular individual (Hachem et al., 2021).

Background of the Problem

Previously, cybersecurity professionals have attempted to develop models that can be effective and efficient in responding to cybersecurity attacks. An example of such a model is the Fault Tree Analysis (FTA). In FTA, system failures are analyzed in a top-down approach: the undesired state of the system is analyzed through the use of Boolean logic, as illustrated in Figure 1, to combine a series of lower-level events that could have been responsible for the system failure (Gusmao et al., 2018).

Figure 1

The FTA Model
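
The Boolean combination of lower-level events described above, as an added example that is not part of the original paper: the tree, its basic-event names and any probabilities passed in are constructed for illustration, and basic events are assumed to be independent. It lists the minimal cut sets and computes the probability of the top event.

```python
from itertools import product

# Constructed fault tree: a gate is (op, children); a leaf is a basic-event name.
TREE = ("OR", [
    ("AND", ["phishing_email_delivered", "user_opens_attachment"]),
    ("AND", ["vpn_exposed", ("OR", ["password_reused", "mfa_disabled"])]),
])

def evaluate(node, state):
    """True if this (sub)tree's event occurs for the given basic-event values."""
    if isinstance(node, str):
        return state[node]
    op, children = node
    results = [evaluate(child, state) for child in children]
    return all(results) if op == "AND" else any(results)

def basic_events(node):
    """Collect the names of all leaves below a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1]))

def failing_states(tree):
    """Yield every assignment of basic events that triggers the top event."""
    events = sorted(basic_events(tree))
    for bits in product([False, True], repeat=len(events)):
        state = dict(zip(events, bits))
        if evaluate(tree, state):
            yield state

def minimal_cut_sets(tree):
    """Smallest combinations of basic events that are enough for system failure."""
    cuts = [frozenset(e for e, on in s.items() if on) for s in failing_states(tree)]
    return sorted((c for c in cuts if not any(o < c for o in cuts)), key=sorted)

def top_event_probability(tree, p):
    """Exact top-event probability, assuming independent basic events."""
    total = 0.0
    for state in failing_states(tree):
        weight = 1.0
        for event, on in state.items():
            weight *= p[event] if on else 1.0 - p[event]
        total += weight
    return total

if __name__ == "__main__":
    print([sorted(c) for c in minimal_cut_sets(TREE)])
```

The tree is fixed once it is drawn, so the analysis answers which combinations of events cause the failure but says nothing about an opponent who changes behavior in response to the defense.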


Notable shortcomings of the FTA model as a tool for causal analysis in cyber security are that it lacks standardized tree construction that cybersecurity professionals can apply for verification and a complex implementation insight for adequate visualization of dynamic behaviors (Akinwumi et al., 2017). Such limitations make the FTA an ineffective model for defense decision-making in cybersecurity, because moderating and responding to advanced persistent threats (APT) requires more than technical strategies, since the threats link to faceless opponents and external forces. The fact that APTs always remain obscured and dynamic threatens the effectiveness of any security intervention, especially in terms of economic assessment of returns on security investments (Kumar et al., 2022; Rass et al., 2017).

Another model that researchers in cybersecurity have significantly tested in response to cybersecurity attacks is Q-learning. According to Liu et al. (2021), in the context of cybersecurity, the goal of the Q-learning principle is to form a Markov process by making discrete and finite-state movements and selecting an action from a finite set of available actions at any one time. The Q-learning principle improves the quality of the choice of actions from the finite set of actions. Consequently, it helps find a strategy with the highest chance of profitability, in line with the goal of game theory. However, while Q-learning considers some elements of game theory in its reasoning and applicability, it presents the limitation of not being thoroughly investigated and the problem of a limited or finite set of actions on which cybersecurity professionals can base the next course of action. Given the ever-changing nature of cybersecurity attacks, the response models to such attacks need to present an infinite number of possible alternatives so that cybersecurity professionals can literally have unlimited possibilities from which they can pivot a response to a particular cyber-attack (Manshaei et al., 2013).
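
A tabular Q-learning loop for the finite-state, finite-action setting described above, as an added example that is not part of the original paper: the three states, the three defender actions, the deterministic transitions and the rewards are all constructed for illustration.

```python
import random

STATES = ["normal", "probed", "compromised"]
ACTIONS = ["monitor", "harden", "isolate"]  # the finite action set

# Constructed deterministic model: (state, action) -> (next_state, reward).
MODEL = {
    ("normal", "monitor"): ("probed", 0),
    ("normal", "harden"): ("normal", -1),
    ("normal", "isolate"): ("normal", -5),
    ("probed", "monitor"): ("compromised", 0),
    ("probed", "harden"): ("normal", -1),
    ("probed", "isolate"): ("normal", -5),
    ("compromised", "monitor"): ("compromised", -20),
    ("compromised", "harden"): ("compromised", -21),
    ("compromised", "isolate"): ("normal", -5),
}

def train(steps=50000, alpha=0.5, gamma=0.9, epsilon=0.3, seed=7):
    """Learn Q(state, action) with epsilon-greedy exploration."""
    rng = random.Random(seed)
    q = {(s, a): 0.0 for s in STATES for a in ACTIONS}
    state = "normal"
    for _ in range(steps):
        if rng.random() < epsilon:
            action = rng.choice(ACTIONS)          # explore
        else:
            action = max(ACTIONS, key=lambda a: q[(state, a)])  # exploit
        nxt, reward = MODEL[(state, action)]
        best_next = max(q[(nxt, a)] for a in ACTIONS)
        # Standard Q-learning update toward reward + discounted best next value.
        q[(state, action)] += alpha * (reward + gamma * best_next - q[(state, action)])
        state = nxt
    return q

def greedy_policy(q):
    """Best known action per state; it can only ever be a member of ACTIONS."""
    return {s: max(ACTIONS, key=lambda a: q[(s, a)]) for s in STATES}

if __name__ == "__main__":
    print(greedy_policy(train()))
```

The learned policy can only name one of the three entries in `ACTIONS`, which is the finite-action limitation the paragraph raises.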

To overcome the limitations presented by models like the FTA, it has been necessary for researchers and cybersecurity professionals to consider testing other models. One of these models is game theory. According to current research, its applicability in cybersecurity is a widely studied area owing to the continued increase in various cyber-attack methods. With the help of

Reproduced with permission of copyright owner. Further reproduction prohibited without permission.
