2018 | Book

Game Theory for Security and Risk Management

From Theory to Practice

About this book

The chapters in this volume explore how various methods from game theory can be utilized to optimize security and risk-management strategies. Emphasizing the importance of connecting theory and practice, they detail the steps involved in selecting, adapting, and analyzing game-theoretic models in security engineering and provide case studies of successful implementations in different application domains. Practitioners who are not experts in game theory and are uncertain about incorporating it into their work will benefit from this resource, as well as researchers in applied mathematics and computer science interested in current developments and future directions.

The first part of the book presents the theoretical basics, covering various different game-theoretic models related to and suitable for security engineering. The second part then shows how these models are adopted, implemented, and analyzed. Surveillance systems, interconnected networks, and power grids are among the different application areas discussed. Finally, in the third part, case studies from business and industry of successful applications of game-theoretic models are presented, and the range of applications discussed is expanded to include such areas as cloud computing, Internet of Things, and water utility networks.

Table of contents

Frontmatter

Theory

Frontmatter
Chapter 1. Utilizing Game Theory for Security Risk Assessment
Abstract
Security risk assessment provides valuable insights about potential security risks to an organization to protect its critical information assets. With an ability to comprehend security risks, organizations can make effective decisions to allocate their budget to mitigate or treat those risks (often based on the severity of the risk). Thus, it is paramount to identify and assess risk scenarios properly to manage those risks. Subjective judgment due to the lack of statistical data and the adaptive nature of the adversary may affect the credibility of the assessments when using classical risk assessment methods. Even though the game-theoretic approach formulates robust mathematical models for risk assessment without reliance on subjective probabilities, it is seldom used in organizations. Thus, this chapter expands on the existing mapping between game theory and the risk assessment process and terminology to provide further insight into how game theory can be utilized for risk assessment. In addition, we provide our view on how a cooperative game-theoretic model may be used to capture opportunity risk, which is usually overlooked in many classical risk assessment methods.
Lisa Rajbhandari, Einar Snekkenes
Chapter 2. Decision Making When Consequences Are Random
Abstract
The intricacy of decision making is often due to uncertainty about the data on which to base a decision, and about the consequences that the decision implies. Commonly, decision options are rated based on their expected utility. This approach is intuitive and successful in many cases, but has difficulties when the utility to be associated with an action is unknown or at least uncertain. Both problems can be addressed by accepting randomness as an intrinsic part of the utility itself, leading to defining optimal decisions in terms of stochastic orders rather than upon benchmark figures (only). For one such (even total) stochastic order, we give a complete construction, accompanied by examples and procedures for obtaining a (stochastically optimal) decision. A discussion of how game theory can be put on top of the stochastic order, as well as how the ordering can be applied to general IT risk management, closes the chapter.
Stefan Rass
Chapter 3. Security Strategies and Multi-Criteria Decision Making
Abstract
The essence of security is defending assets against an adversary that may behave almost arbitrarily. Game theory can help find optimal strategies against any possible behavior, provided that the attacker stays within a known action space. This is the typical domain and case of security risk management, where a set of threats is identified, against which a uniformly best defense is sought. In game-theoretic terms, the threat list corresponds to an action space, and the best defense against that list is a security strategy. This chapter discusses how such strategies can be computed for single and multiple protection goals, even when the effects of the defense actions are nondeterministic (random). The latter especially admits a treatment of uncertainty in three forms: about the adversary (form and number), about the attackers' incentives, and – to a limited extent – also about the action space (threat list) itself. Suitable game-theoretic models are introduced, and methods are presented to compute best defenses under uncertainty.
Stefan Rass
Chapter 4. A Scalable Decomposition Method for the Dynamic Defense of Cyber Networks
Abstract
We investigate the problem of defending a cyber network against progressive attacks from an adversary. The defender is unable to perfectly observe attacks and the network’s security status and instead must use its imperfect observations to determine a defense strategy. The nature of the defender’s imperfect information is assumed to be non-probabilistic. Thus, the defender takes a conservative (minmax) approach to defending the network, attempting to construct a defense policy that minimizes the worst-case damage. Determining an optimal minmax defense strategy proves to be computationally intractable even for small-scale networks. To address this dimensionality issue, we propose a scalable decomposition method which involves the construction of multiple local defense problems, each equipped with a corresponding local defense policy. The local defense policies communicate information with one another with the goal of achieving network-wide security. The local defense problem’s construction is based on a decomposition of the network into clusters. For the decomposition, we use the notion of an influence graph to describe the dependencies among the security states of the network’s nodes. These dependencies, along with the available computational capability, are used to determine clusters of nodes, with each cluster corresponding to a local defense problem. After clusters are specified, we design the information structure of the network, that is, the information each local defense problem has over time to defend its own cluster; this information includes the data the local defense problem gathers from the environment along with the data communicated by other local defense policies. We illustrate the decomposition methodology with an example.
Mohammad Rasouli, Erik Miehling, Demosthenis Teneketzis
Chapter 5. Factored Markov Game Theory for Secure Interdependent Infrastructure Networks
Abstract
With the integration of modern information and communication technologies (ICTs) into critical infrastructures (CIs) such as 5G networks and the Internet of Things (IoT), the CIs are becoming vulnerable to cyber threats while at the same time improving their connectivity and functionality. Hence it is essential to understand the risk of ICTs on CIs holistically as a cyber-physical system and to design efficient security hardening mechanisms to reduce the cyber risks. To this end, we establish a game-theoretic framework to capture the system behaviors of the CIs under malicious attacks and the security design objectives. We propose factored Markov game theory to enable a computationally scalable model of large-scale infrastructure networks and provide approximate algorithms for designing optimal mechanisms. The proposed theory builds on the factored graph that exploits the dependency structure of the nodes of CIs and on approximate dynamic programming tools for stochastic Markov games. This work focuses on a localized information structure and the single-controller game solvable by linear programming. Numerical results illustrate the trade-off between approximation accuracy and computational complexity in the new design paradigm and show proactive security at the time of unanticipated attacks.
Linan Huang, Juntao Chen, Quanyan Zhu

Practice

Frontmatter
Chapter 6. G-DPS: A Game-Theoretical Decision-Making Framework for Physical Surveillance Games
Abstract
Critical infrastructure protection is increasingly becoming a major concern for governments and industries. Besides the increasing rates of cyber-crime, recent terrorist attacks place critical infrastructure in a more severe environment. Many critical infrastructures, in particular those operating large industrial complexes, incorporate some kind of physical surveillance technology to secure their premises. Surveillance systems, such as access control and malicious behavior detection, have long been used for perimeter security as a first line of defense. Traditional perimeter security solutions typically monitor the outer boundary structures and lines, thus ignoring threats from the inside. Moreover, the deterrent effect of surveillance systems like Closed Circuit Television (CCTV) becomes considerably less important due to the inflexibility induced by their fixed installations. Hence, an infrastructure's surveillance policy is more predictable, and a potential adversary has a better opportunity to observe it and subsequently bypass it. Therefore, it is important to maintain situational awareness within such environments so that potential intruders can still be detected. Regardless of whether personnel (e.g., security guards) or technical solutions (e.g., cameras) are applied, such surveillance systems have an imperfect detection rate, leaving an intruder with the potential to cause some damage to the infrastructure. Hence, the core problem is to find an optimal application of the surveillance technology at hand to minimize such potential damage. This problem already has a natural reflection in game theory, known as the cops-and-robbers game, but current models always assume a deterministic outcome of the gameplay. In this work, we present a decision-making framework which assesses possible choices and alternatives towards finding an optimal surveillance configuration and hence minimizing the addressed risks. The decision is made by means of a game-theoretic model for optimizing physical surveillance systems and minimizing the potential damage caused by an intruder with respect to the imperfect detection rates of surveillance technology. With our approach, we have the advantage of using categorical (or continuous) distributions instead of a single numerical value to capture the uncertainty in describing the potential damage of an intruder. This gives us the opportunity to model the imperfection of surveillance systems and to optimize over large collections of empirical or simulated data without losing valuable information during the process.
Ali Alshawish, Mohamed Amine Abid, Hermann de Meer, Stefan Schauer, Sandra König, Antonios Gouglidis, David Hutchison
Chapter 7. A Game-Theoretic Framework for Securing Interdependent Assets in Networks
Abstract
Large-scale networked systems, such as the power grid, are comprised of a large number of interconnected assets managed by multiple self-interested stakeholders. The interdependencies between the assets play a critical role in the security of the overall system, especially against strategic attackers who exploit these interdependencies to target valuable assets. In this work, we develop a general game-theoretic framework to model the security investments of resource-constrained stakeholders against targeted attacks. We consider two complementary problems: (i) where defenders are given a budget to minimize expected loss due to attacks and (ii) where defenders minimize security investment cost subject to a maximum security risk they are willing to tolerate per each valuable asset. For both problems, we establish the existence of Nash equilibria and show that the problem of computing the optimal defense allocation by a central authority and the (decentralized) problem of computing the best response for a single defender can be formulated as convex optimization problems. We then show that our framework can be applied to determine deployment of moving target defense (MTD) in networks. We first apply the game-theoretic framework on the IEEE 300 bus power grid network and compare the optimal expected loss (respectively, security investment cost) under centralized and Nash equilibrium defense allocations. We then show how our framework can be used to compute optimal deployment of MTD on an e-commerce system.
Ashish R. Hota, Abraham A. Clements, Saurabh Bagchi, Shreyas Sundaram
Chapter 8. Random Damage in Interconnected Networks
Abstract
When looking at security incidents in Industrial Control System (ICS) networks, it appears that the interplay between an attacker and a defender can be modeled using a game-theoretic approach. Preparing a game requires several steps, including the definition of attack and defense strategies, estimation of payoffs, etc. Specifically, during the preparation of a game, the estimation of payoffs (i.e., damage) for each possible scenario is one of its core tasks. However, damage estimation is not always a trivial task, since damage cannot be easily predicted, primarily due to incomplete information about the attack or due to external influences (e.g., weather conditions). Therefore, it is evident that describing the payoffs by means of a probability distribution may be an appropriate approach to deal with this uncertainty. In this chapter, we show that if the network structure of an organization is known, it is possible to estimate the payoff distribution by means of a stochastic spreading model. To this end, the underlying network is modeled as a graph whose edges are classified depending on their properties. Each of these classes has a different probability of failure (e.g., the probability of transmitting malware). Finally, we demonstrate how these probabilities can be estimated, even if only subjective information is available.
Sandra König, Antonios Gouglidis
Chapter 9. Optimal Dispatch of Electrical Transmission Systems Considering Interdependencies with Natural Gas Systems
Abstract
This chapter presents a novel model to assess the interdependencies between electric power systems interconnected with natural gas systems. The impact from natural gas systems in the electric power system can be evaluated with the proposed model in normal operation and contingency situations. To reduce the impact of interdependencies, additional constraints to the optimal dispatch problem are formulated. The interdependency constraints can be integrated into the normal optimal power flow problem and security-constrained optimal power flow problem to improve the robustness of the electric power system. A co-simulation platform is built in MATLAB environment. We evaluate the proposed model using the IEEE 14-bus system and a corresponding natural gas transmission system. According to the simulation results, the reliability of the power system is improved when interdependency constraints are considered.
Tianqi Hong, Francisco de León, Quanyan Zhu
Chapter 10. Managing Security Risks Interdependencies Between ICT and Electric Infrastructures: A Game Theoretical Analysis
Abstract
The smart grid will increasingly rely on the communication infrastructure to ensure a reliable and secure delivery of electricity. The use of off-the-shelf operating systems in the communication infrastructure has the potential to increase the attack surface of the power grid. In this chapter, we address the issue of the security risk management of interdependent communication and electric infrastructures in the smart grid by proposing an analytical model for hardening security on critical communication equipment used to control the power grid. Using noncooperative game theory, we analyze the behavior of an attacker and a defender. The attacker tries to compromise communication equipment to cause the maximum impact on the power grid. On the other hand, the defender tries to protect the power system by hardening the security on communication equipment, while taking into account the existence of backup control equipment in the communication infrastructure. We analyze different types of interactions between the attacker and the defender and propose methodologies to assess the initial security risk on communication equipment and the parameters of the analytical model used to evaluate the impact of equipment failures in the power system. We validate our model via a case study based on the Polish electric power transmission system.
Ziad Ismail, Jean Leneutre, David Bateman, Lin Chen

Case Studies

Frontmatter
Chapter 11. Security and Interdependency in a Public Cloud: A Game-Theoretic Approach
Abstract
As cloud computing thrives, many organizations - both large and small - are taking advantage of the multiple benefits of joining a public cloud. Public cloud computing is cost-effective: a cloud user can reduce spending on technology infrastructure and have easy access to their information without an up-front or long-term commitment of resources. Despite such benefits, concern over cyber security deters many large organizations with sensitive information, such as the Department of Defense, from using a public cloud. This is because different public cloud users share a common platform such as the hypervisor. An attacker can compromise a virtual machine (VM) to launch an attack on the hypervisor which, if compromised, can instantly yield the compromise of all the VMs running on top of that hypervisor. In this paper we evaluate the cloud user-attacker dynamic using game theory, which models competition among rational agents. This work will show that there are multiple Nash equilibria of the public cloud game. The Nash equilibrium profile that results will be shown to depend on several factors, including the probability that the hypervisor is compromised given a successful attack on a user and the total expense required to invest in security.
Charles A. Kamhoua, Luke Kwiat, Kevin A. Kwiat, Joon S. Park, Ming Zhao, Manuel Rodriguez
Chapter 12. A Risk Management Approach for Highly Interconnected Networks
Abstract
Critical infrastructures together with their utility networks play a crucial role in societal and individual day-to-day life. Thus, the estimation of potential threats and security issues as well as a proper assessment of the respective risks is a core duty of utility providers. Despite the fact that utility providers operate several networks (e.g., communication, control, and utility networks), most of today's risk management tools only focus on one of these networks. In this chapter, we will give an overview of a novel risk management process specifically designed for estimating threats and assessing risks in highly interconnected networks. Based on the internationally accepted standard for risk management, ISO 31000, our risk management process integrates various methodologies and tools supporting the different steps of the process from risk identification up to risk treatment. At the heart of this process, a novel game-theoretic approach for risk minimization and risk treatment is applied. This approach is specifically designed to take the information coming from the various tools into account and to model the complex interplay between the heterogeneous networks, systems, and operators within a utility provider. It operates on qualitative and semiquantitative information as well as empirical data and uses distribution-valued payoffs to account for the unpredictable effects occurring in this highly uncertain environment.
Stefan Schauer
Chapter 13. Protecting Water Utility Networks from Advanced Persistent Threats: A Case Study
Abstract
The sovereignty and well-being of nations are highly dependent on the continuous and uninterrupted operation of critical infrastructures. Thus, the protection of utilities that provision critical services (e.g., water, electricity, telecommunications) is of vital importance given the severity imposed by any failure of these services. Recent security incidents in the context of critical infrastructures indicate that threats in such environments appear to be increasing both in frequency and intensity. The complexity of typical critical infrastructures is among the factors that make these environments vulnerable to threats. One of the most problematic types of threat is an advanced persistent threat (APT). This usually refers to a sophisticated, targeted, and costly attack that employs multiple attack vectors to gain access to the target system, then to operate in stealth mode when penetration is achieved, and to exfiltrate data or cause failures inside the system. In this chapter, we demonstrate how a set of processes developed in the context of HyRiM’s framework can assist in minimizing the damage caused to a utility organization that is subjected to an APT style of attack. Specifically, the framework is demonstrated using data from a real-world water utility network and an industrial control system (ICS) test-bed, and in which optimal defensive strategies are investigated.
Antonios Gouglidis, Sandra König, Benjamin Green, Karl Rossegger, David Hutchison
Chapter 14. Assessing the Impact of Malware Attacks in Utility Networks
Abstract
Utility networks are becoming more and more interconnected. Besides the natural physical interdependencies (e.g., water networks heavily depend on power grids), utility networks are nowadays often monitored and operated by industrial control systems (ICS). While these systems enhance the level of control over utility networks, they also enable new forms of attacks, such as cyberattacks. In recent years, cyberattacks have occurred more frequently, sometimes with a significant impact on the company as well as on society. The first step toward preventing such incidents is to understand how an infection of one component influences the rest of the network. This malware spreading can be modeled as a stochastic process on a graph where edges transmit an infection with a specific probability. In practice, this probability depends on the type of the malware (e.g., ransomware, spyware, virus) as well as on the type of the connection between the nodes (e.g., physical or logical connections). In this chapter, we illustrate how the abstract model can be put into practice for a concrete use case.
Sandra König, Antonios Gouglidis, Benjamin Green, Alma Solar
Chapter 15. Game-Theoretic Optimization for Physical Surveillance of Critical Infrastructures: A Case Study
Abstract
Surveillance technologies represent a standard practice for the protection of critical infrastructures such as utility networks. Although surveillance systems may be in place and operating within a utility provider's premises, they are prone to technical as well as organizational failures, resulting in fluctuating performance. Furthermore, several emergency and unforeseen events, such as human errors, can significantly impact the effectiveness of specific surveillance activities. Therefore, modeling surveillance needs to account for the characteristics and practicalities of surveillance systems, especially imperfect detection as well as fuzzy assessment of performance. To cope with this challenge, we apply game theory principles to solve zero-sum games with probability distribution-valued payoffs as a means to integrate the intrinsic uncertainty of surveillance systems. This model is an essential component of a comprehensive decision-making framework for physical surveillance games, called the "G-DPS-framework". The ultimate goal of this framework is to find the optimal configuration for a physical surveillance system over multiple goals. As an evaluation scenario, we will use the actual setup given within a critical infrastructure, henceforth referred to as "the company". For reasons of simplicity, we will focus solely on the use of security guards, who are controlling the area. Taking into account the details of the physical infrastructure (buildings, roads, etc.) as well as personnel requirements (working hours, available number of guards, etc.), we will make use of simulations to assess various real-life attack and defense scenarios with regard to different identified goals. Finally, the optimal solution obtained by the model will be implemented and empirically validated.
Ali Alshawish, Mohamed Amine Abid, Hermann de Meer
Chapter 16. Smart SECPLAN: A Process Implementation Tool for Hybrid Risk Management
Abstract
This chapter provides an applicability example of the game-theoretic model developed in the course of the HyRiM (Hybrid Risk Management for Utility Providers) project. To this end, the online tool "Smart SECPLAN" has been created and used to guide information technology (IT) and operations technology (OT) security operators in an asset-driven risk assessment exercise following a step-by-step approach. The scenario chosen has been a medium-size electrical cooperative distribution system operator (DSO), which manages the distribution of electricity. The Smart SECPLAN tool goes beyond existing risk assessment methods and techniques by providing advanced analytics based on a game theory model. For the experimental evaluation, we compared a classical game model to a model where the payoffs are fully stochastic (distribution-valued). This adds more analytic possibilities and flexibility. Our finding is that distribution-valued games require a more careful and involved modeling of losses (damages) but, given a sound and accurate loss model, provide interesting insights and possibilities to understand a defense's consequences at a very fine-grained level. As a major benefit of the tool, a prioritized set of mitigation actions is delivered, and a draft Gantt chart is proposed to manage the mitigation activities.
Alberto Zambrano, Santiago Caceres, Ana Isabel Martinez
Metadata
Title
Game Theory for Security and Risk Management
Edited by
Prof. Dr. Stefan Rass
Stefan Schauer
Copyright year
2018
Electronic ISBN
978-3-319-75268-6
Print ISBN
978-3-319-75267-9
DOI
https://doi.org/10.1007/978-3-319-75268-6