
A game theoretic approach to cyber security risk management

Author

Listed:
  • Scott Musman
  • Andrew Turner

Abstract

This paper describes the Cyber Security Game (CSG). Cyber Security Game is a method that has been implemented in software that quantitatively identifies cyber security risks and uses this metric to determine the optimal employment of security methods for any given investment level. Cyber Security Game maximizes a system’s ability to operate in today’s contested cyber environment by minimizing its mission risk. The risk score is calculated by using a mission impact model to compute the consequences of cyber incidents and combining that with the likelihood that attacks will succeed. The likelihood of attacks succeeding is computed by applying a threat model to a system topology model and defender model. Cyber Security Game takes into account the widespread interconnectedness of cyber systems, where defenders must defend all multi-step attack paths and an attacker only needs one to succeed. It employs a game theoretic solution using a game formulation that identifies defense strategies to minimize the maximum cyber risk (MiniMax). This paper discusses the methods and models that compose Cyber Security Game. A limited example of a Point of Sale system is used to provide specific demonstrations of Cyber Security Game models and analyses.

Suggested Citation

  • Scott Musman & Andrew Turner, 2018. "A game theoretic approach to cyber security risk management," The Journal of Defense Modeling and Simulation, vol. 15(2), pages 127-146, April.
  • Handle: RePEc:sae:joudef:v:15:y:2018:i:2:p:127-146
    DOI: 10.1177/1548512917699724

    Download full text from publisher

    File URL: https://journals.sagepub.com/doi/10.1177/1548512917699724
    Download Restriction: no


    References listed on IDEAS

    1. Vicki M. Bier, 2007. "Choosing What to Protect," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 607-620, June.
    2. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.

    Citations


    Cited by:

    1. Dipankar Dasgupta & Zahid Akhtar & Sajib Sen, 2022. "Machine learning in cybersecurity: a comprehensive survey," The Journal of Defense Modeling and Simulation, vol. 19(1), pages 57-106, January.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Bose, Gautam & Konrad, Kai A., 2020. "Devil take the hindmost: Deflecting attacks to other defenders," Reliability Engineering and System Safety, Elsevier, vol. 204(C).
    2. Geoffrey Heal & Howard Kunreuther, 2007. "Modeling Interdependent Risks," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 621-634, June.
    3. Vicki Bier & Santiago Oliveros & Larry Samuelson, 2007. "Choosing What to Protect: Strategic Defensive Allocation against an Unknown Attacker," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 9(4), pages 563-587, August.
    4. Pourakbar, M. & Zuidwijk, R.A., 2018. "The role of customs in securing containerized global supply chains," European Journal of Operational Research, Elsevier, vol. 271(1), pages 331-340.
    5. Hoy, Michael & Polborn, Mattias K., 2015. "The value of technology improvements in games with externalities: A fresh look at offsetting behavior," Journal of Public Economics, Elsevier, vol. 131(C), pages 12-20.
    6. John K. Stranlund & Barry C. Field, 2006. "On the Production of Homeland Security Under True Uncertainty," Working Papers 2006-5, University of Massachusetts Amherst, Department of Resource Economics.
    7. Katherine L. Dickinson & Hannah Brenkert-Smith & Greg Madonia & Nicholas E. Flores, 2020. "Risk interdependency, social norms, and wildfire mitigation: a choice experiment," Natural Hazards: Journal of the International Society for the Prevention and Mitigation of Natural Hazards, Springer;International Society for the Prevention and Mitigation of Natural Hazards, vol. 103(1), pages 1327-1354, August.
    8. Bandyopadhyay, Subhayu & Sandler, Todd, 2021. "Counterterrorism policy: Spillovers, regime solidity, and corner solutions," Journal of Economic Behavior & Organization, Elsevier, vol. 188(C), pages 811-827.
    9. Geoffrey Heal & Howard Kunreuther, 2010. "Environment and Energy: Catastrophic Liabilities from Nuclear Power Plants," NBER Chapters, in: Measuring and Managing Federal Financial Risk, pages 235-257, National Bureau of Economic Research, Inc.
    10. Hausken, Kjell, 2024. "Fifty Years of Operations Research in Defense," European Journal of Operational Research, Elsevier, vol. 318(2), pages 355-368.
    11. Liying Mu & Milind Dawande & Xianjun Geng & Vijay Mookerjee, 2016. "Milking the Quality Test: Improving the Milk Supply Chain Under Competing Collection Intermediaries," Management Science, INFORMS, vol. 62(5), pages 1259-1277, May.
    12. Michael Greenberg & Paul Lioy & Birnur Ozbas & Nancy Mantell & Sastry Isukapalli & Michael Lahr & Tayfur Altiok & Joseph Bober & Clifton Lacy & Karen Lowrie & Henry Mayer & Jennifer Rovito, 2013. "Passenger Rail Security, Planning, and Resilience: Application of Network, Plume, and Economic Simulation Models as Decision Support Tools," Risk Analysis, John Wiley & Sons, vol. 33(11), pages 1969-1986, November.
    13. Robin L. Dillon & Robert M. Liebe & Thomas Bestafka, 2009. "Risk‐Based Decision Making for Terrorism Applications," Risk Analysis, John Wiley & Sons, vol. 29(3), pages 321-335, March.
    14. Konrad, Kai A. & Morath, Florian, 2023. "How to preempt attacks in multi-front conflict with limited resources," European Journal of Operational Research, Elsevier, vol. 305(1), pages 493-500.
    15. Rui Peng & Di Wu & Mengyao Sun & Shaomin Wu, 2021. "An attack-defense game on interdependent networks," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 72(10), pages 2331-2341, October.
    16. Anna Nagurney & Ladimer Nagurney, 2015. "A game theory model of cybersecurity investments with information asymmetry," Netnomics, Springer, vol. 16(1), pages 127-148, August.
    17. Seyed Alireza Hasheminasab & Behrouz Tork Ladani, 2018. "Security Investment in Contagious Networks," Risk Analysis, John Wiley & Sons, vol. 38(8), pages 1559-1575, August.
    18. Catherine C. Langlois & Jean-Pierre P. Langlois, 2011. "The Escalation of Terror: Hate and the Demise of Terrorist Organizations," Conflict Management and Peace Science, Peace Science Society (International), vol. 28(5), pages 497-521, November.
    19. Wang, Chunhua, 2014. "Regulating land development in a natural disaster-prone area: The roles of building codes," Resource and Energy Economics, Elsevier, vol. 36(1), pages 209-228.
    20. Levitin, Gregory & Hausken, Kjell, 2008. "Protection vs. redundancy in homogeneous parallel systems," Reliability Engineering and System Safety, Elsevier, vol. 93(10), pages 1444-1451.
