IDEAS home Printed from https://ideas.repec.org/a/gam/jgames/v15y2024i4p28-d1456012.html
   My bibliography  Save this article

A Review of Attacker–Defender Games and Cyber Security

Author

Listed:
  • Kjell Hausken

    (Faculty of Science and Technology, University of Stavanger, 4036 Stavanger, Norway)

  • Jonathan W. Welburn

    (Pardee RAND Graduate School, 1776 Main St., Santa Monica, CA 90401-3208, USA)

  • Jun Zhuang

    (Department of Industrial and Systems Engineering, University at Buffalo, Buffalo, NY 14260, USA)

Abstract

The focus of this review is the long and broad history of attacker–defender games as a foundation for the narrower and shorter history of cyber security. The purpose is to illustrate the role of game theory in cyber security and which areas have received attention and to indicate future research directions. The methodology uses the search terms game theory, attack, defense, and cyber security in Web of Science, augmented with the authors’ knowledge of the field. Games may involve multiple attackers and defenders over multiple periods. Defense involves security screening and inspection, the detection of invaders, jamming, secrecy, and deception. Incomplete information is reviewed due to its inevitable presence in cyber security. The findings pertain to players sharing information weighted against the security investment, influenced by social planning. Attackers stockpile zero-day cyber vulnerabilities. Defenders build deterrent resilient systems. Stochastic cyber security games play a role due to uncertainty and the need to build probabilistic models. Such games can be further developed. Cyber security games based on traffic and transportation are reviewed; they are influenced by the more extensive communication of GPS data. Such games should be extended to comprise air, land, and sea. Finally, cyber security education and board games are reviewed, which play a prominent role.

Suggested Citation

  • Kjell Hausken & Jonathan W. Welburn & Jun Zhuang, 2024. "A Review of Attacker–Defender Games and Cyber Security," Games, MDPI, vol. 15(4), pages 1-27, August.
    • Handle: RePEc:gam:jgames:v:15:y:2024:i:4:p:28-:d:1456012
    as

    Download full text from publisher

    File URL: https://www.mdpi.com/2073-4336/15/4/28/pdf
    Download Restriction: no
    File URL: https://www.mdpi.com/2073-4336/15/4/28/
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. David Rios Insua & David Banks & Jesus Rios, 2016. "Modeling Opponents in Adversarial Risk Analysis," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 742-755, April.
    2. Hausken, Kjell, 2024. "Fifty Years of Operations Research in Defense," European Journal of Operational Research, Elsevier, vol. 318(2), pages 355-368.
    3. Casey Rothschild & Laura McLay & Seth Guikema, 2012. "Adversarial Risk Analysis with Incomplete Information: A Level‐k Approach," Risk Analysis, John Wiley & Sons, vol. 32(7), pages 1219-1231, July.
    4. Kjell Hausken & Jun Zhuang, 2011. "Defending Against a Stockpiling Terrorist," The Engineering Economist, Taylor & Francis Journals, vol. 56(4), pages 321-353.
    5. Jun Zhuang & Vicki M. Bier, 2007. "Balancing Terrorism and Natural Disasters---Defensive Strategy with Endogenous Attacker Effort," Operations Research, INFORMS, vol. 55(5), pages 976-991, October.
    6. Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research, INFORMS, vol. 16(2), pages 186-208, June.
    7. Vicki Bier & Santiago Oliveros & Larry Samuelson, 2007. "Choosing What to Protect: Strategic Defensive Allocation against an Unknown Attacker," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 9(4), pages 563-587, August.
    8. Zhuang, Jun & Bier, Vicki M. & Alagoz, Oguzhan, 2010. "Modeling secrecy and deception in a multiple-period attacker-defender signaling game," European Journal of Operational Research, Elsevier, vol. 203(2), pages 409-418, June.
    9. Song, Cen & Zhuang, Jun, 2017. "N-stage security screening strategies in the face of strategic applicants," Reliability Engineering and System Safety, Elsevier, vol. 165(C), pages 292-301.
    10. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    11. Baliga, Sandeep & Bueno De Mesquita, Ethan & Wolitzky, Alexander, 2020. "Deterrence with Imperfect Attribution," American Political Science Review, Cambridge University Press, vol. 114(4), pages 1155-1178, November.
    12. Jun Zhuang & Vicki M. Bier, 2010. "Reasons for Secrecy and Deception in Homeland‐Security Resource Allocation," Risk Analysis, John Wiley & Sons, vol. 30(12), pages 1737-1743, December.
    13. Jie Xu & Jun Zhuang, 2016. "Modeling costly learning and counter-learning in a defender-attacker game with private defender information," Annals of Operations Research, Springer, vol. 236(1), pages 271-289, January.
    14. Gary A. Ackerman & Jun Zhuang & Sitara Weerasuriya, 2017. "Cross‐Milieu Terrorist Collaboration: Using Game Theory to Assess the Risk of a Novel Threat," Risk Analysis, John Wiley & Sons, vol. 37(2), pages 342-371, February.
    15. Simon, Jay & Omar, Ayman, 2020. "Cybersecurity investments in the supply chain: Coordination and a strategic attacker," European Journal of Operational Research, Elsevier, vol. 282(1), pages 161-171.
    16. Dan Kovenock & Brian Roberson, 2018. "The Optimal Defense Of Networks Of Targets," Economic Inquiry, Western Economic Association International, vol. 56(4), pages 2195-2211, October.
    17. Meilin He & Laura Devine & Jun Zhuang, 2018. "Perspectives on Cybersecurity Information Sharing among Multiple Stakeholders Using a Decision‐Theoretic Approach," Risk Analysis, John Wiley & Sons, vol. 38(2), pages 215-225, February.
    18. Insua, Insua Rios & Rios, Jesus & Banks, David, 2009. "Adversarial Risk Analysis," Journal of the American Statistical Association, American Statistical Association, vol. 104(486), pages 841-854.
    19. Qingqing Zhai & Rui Peng & Jun Zhuang, 2020. "Defender–Attacker Games with Asymmetric Player Utilities," Risk Analysis, John Wiley & Sons, vol. 40(2), pages 408-420, February.
    20. Hunt, Kyle & Zhuang, Jun, 2024. "A review of attacker-defender games: Current state and paths forward," European Journal of Operational Research, Elsevier, vol. 313(2), pages 401-417.
    21. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    22. Vicki M. Bier, 2007. "Choosing What to Protect," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 607-620, June.
    23. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    24. Pala, Ali & Zhuang, Jun, 2018. "Security screening queues with impatient applicants: A new model with a case study," European Journal of Operational Research, Elsevier, vol. 265(3), pages 919-930.
    25. Wang, Xiaofang & Zhuang, Jun, 2011. "Balancing congestion and security in the presence of strategic applicants with private information," European Journal of Operational Research, Elsevier, vol. 212(1), pages 100-111, July.
    26. Hausken, Kjell, 2007. "Information sharing among firms and cyber attacks," Journal of Accounting and Public Policy, Elsevier, vol. 26(6), pages 639-688.
    27. Kjell Hausken, 2002. "Probabilistic Risk Analysis and Game Theory," Risk Analysis, John Wiley & Sons, vol. 22(1), pages 17-27, February.
    28. Chen Wang & Vicki M. Bier, 2016. "Quantifying Adversary Capabilities to Inform Defensive Resource Allocation," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 756-775, April.
    29. Kjell Hausken, 2014. "Choosing what to protect when attacker resources and asset valuations are uncertain," Operations Research and Decisions, Wroclaw University of Science and Technology, Faculty of Management, vol. 24(3), pages 23-44.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Hunt, Kyle & Zhuang, Jun, 2024. "A review of attacker-defender games: Current state and paths forward," European Journal of Operational Research, Elsevier, vol. 313(2), pages 401-417.
    2. Hunt, Kyle & Agarwal, Puneet & Zhuang, Jun, 2021. "Technology adoption for airport security: Modeling public disclosure and secrecy in an attacker-defender game," Reliability Engineering and System Safety, Elsevier, vol. 207(C).
    3. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    4. Tania Wallis & Rafał Leszczyna, 2022. "EE-ISAC—Practical Cybersecurity Solution for the Energy Sector," Energies, MDPI, vol. 15(6), pages 1-23, March.
    5. Wei Wang & Francesco Di Maio & Enrico Zio, 2019. "Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Cyber–Physical Systems from Cyber Attacks," Risk Analysis, John Wiley & Sons, vol. 39(12), pages 2766-2785, December.
    6. Bose, Gautam & Konrad, Kai A., 2020. "Devil take the hindmost: Deflecting attacks to other defenders," Reliability Engineering and System Safety, Elsevier, vol. 204(C).
    7. Mohammad E. Nikoofal & Mehmet Gümüs, 2015. "On the value of terrorist’s private information in a government’s defensive resource allocation problem," IISE Transactions, Taylor & Francis Journals, vol. 47(6), pages 533-555, June.
    8. Qingqing Zhai & Rui Peng & Jun Zhuang, 2020. "Defender–Attacker Games with Asymmetric Player Utilities," Risk Analysis, John Wiley & Sons, vol. 40(2), pages 408-420, February.
    9. Vineet M. Payyappalli & Jun Zhuang & Victor Richmond R. Jose, 2017. "Deterrence and Risk Preferences in Sequential Attacker–Defender Games with Continuous Efforts," Risk Analysis, John Wiley & Sons, vol. 37(11), pages 2229-2245, November.
    10. Meilin He & Laura Devine & Jun Zhuang, 2018. "Perspectives on Cybersecurity Information Sharing among Multiple Stakeholders Using a Decision‐Theoretic Approach," Risk Analysis, John Wiley & Sons, vol. 38(2), pages 215-225, February.
    11. Xiaojun Shan & Jun Zhuang, 2013. "Cost of Equity in Homeland Security Resource Allocation in the Face of a Strategic Attacker," Risk Analysis, John Wiley & Sons, vol. 33(6), pages 1083-1099, June.
    12. Jesus Rios & David Rios Insua, 2012. "Adversarial Risk Analysis for Counterterrorism Modeling," Risk Analysis, John Wiley & Sons, vol. 32(5), pages 894-915, May.
    13. González-Ortega, Jorge & Ríos Insua, David & Cano, Javier, 2019. "Adversarial risk analysis for bi-agent influence diagrams: An algorithmic approach," European Journal of Operational Research, Elsevier, vol. 273(3), pages 1085-1096.
    14. Mohammad E. Nikoofal & Jun Zhuang, 2012. "Robust Allocation of a Defensive Budget Considering an Attacker's Private Information," Risk Analysis, John Wiley & Sons, vol. 32(5), pages 930-943, May.
    15. Roponen, Juho & Ríos Insua, David & Salo, Ahti, 2020. "Adversarial risk analysis under partial information," European Journal of Operational Research, Elsevier, vol. 287(1), pages 306-316.
    16. Nikoofal, Mohammad E. & Zhuang, Jun, 2015. "On the value of exposure and secrecy of defense system: First-mover advantage vs. robustness," European Journal of Operational Research, Elsevier, vol. 246(1), pages 320-330.
    17. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    18. Peiqiu Guan & Jun Zhuang, 2016. "Modeling Resources Allocation in Attacker‐Defender Games with “Warm Up” CSF," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 776-791, April.
    19. Jie Xu & Jun Zhuang, 2016. "Modeling costly learning and counter-learning in a defender-attacker game with private defender information," Annals of Operations Research, Springer, vol. 236(1), pages 271-289, January.
    20. Sushil Gupta & Martin K. Starr & Reza Zanjirani Farahani & Mahsa Mahboob Ghodsi, 2020. "Prevention of Terrorism–An Assessment of Prior POM Work and Future Potentials," Production and Operations Management, Production and Operations Management Society, vol. 29(7), pages 1789-1815, July.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:gam:jgames:v:15:y:2024:i:4:p:28-:d:1456012. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: MDPI Indexing Manager (email available below). General contact details of provider: https://www.mdpi.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.