
A game theoretic approach to cyber security risk management

Author

Listed:
  • Scott Musman
  • Andrew Turner

Abstract

This paper describes the Cyber Security Game (CSG). Cyber Security Game is a method that has been implemented in software that quantitatively identifies cyber security risks and uses this metric to determine the optimal employment of security methods for any given investment level. Cyber Security Game maximizes a system’s ability to operate in today’s contested cyber environment by minimizing its mission risk. The risk score is calculated by using a mission impact model to compute the consequences of cyber incidents and combining that with the likelihood that attacks will succeed. The likelihood of attacks succeeding is computed by applying a threat model to a system topology model and defender model. Cyber Security Game takes into account the widespread interconnectedness of cyber systems, where defenders must defend all multi-step attack paths and an attacker only needs one to succeed. It employs a game theoretic solution using a game formulation that identifies defense strategies to minimize the maximum cyber risk (MiniMax). This paper discusses the methods and models that compose Cyber Security Game. A limited example of a Point of Sale system is used to provide specific demonstrations of Cyber Security Game models and analyses.

Suggested Citation

  • Scott Musman & Andrew Turner, 2018. "A game theoretic approach to cyber security risk management," The Journal of Defense Modeling and Simulation, vol. 15(2), pages 127-146, April.
  • Handle: RePEc:sae:joudef:v:15:y:2018:i:2:p:127-146
    DOI: 10.1177/1548512917699724

    Download full text from publisher

    File URL: https://journals.sagepub.com/doi/10.1177/1548512917699724
    Download Restriction: no

    References listed on IDEAS

    1. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    2. Vicki M. Bier, 2007. "Choosing What to Protect," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 607-620, June.

    Citations


    Cited by:

    1. Dipankar Dasgupta & Zahid Akhtar & Sajib Sen, 2022. "Machine learning in cybersecurity: a comprehensive survey," The Journal of Defense Modeling and Simulation, vol. 19(1), pages 57-106, January.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Geoffrey Heal & Howard Kunreuther, 2007. "Modeling Interdependent Risks," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 621-634, June.
    2. Bose, Gautam & Konrad, Kai A., 2020. "Devil take the hindmost: Deflecting attacks to other defenders," Reliability Engineering and System Safety, Elsevier, vol. 204(C).
    3. Vicki Bier & Santiago Oliveros & Larry Samuelson, 2007. "Choosing What to Protect: Strategic Defensive Allocation against an Unknown Attacker," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 9(4), pages 563-587, August.
    4. Hoy, Michael & Polborn, Mattias K., 2015. "The value of technology improvements in games with externalities: A fresh look at offsetting behavior," Journal of Public Economics, Elsevier, vol. 131(C), pages 12-20.
    5. Bandyopadhyay, Subhayu & Sandler, Todd, 2021. "Counterterrorism policy: Spillovers, regime solidity, and corner solutions," Journal of Economic Behavior & Organization, Elsevier, vol. 188(C), pages 811-827.
    6. Geoffrey Heal & Howard Kunreuther, 2010. "Environment and Energy: Catastrophic Liabilities from Nuclear Power Plants," NBER Chapters, in: Measuring and Managing Federal Financial Risk, pages 235-257, National Bureau of Economic Research, Inc.
    7. Liying Mu & Milind Dawande & Xianjun Geng & Vijay Mookerjee, 2016. "Milking the Quality Test: Improving the Milk Supply Chain Under Competing Collection Intermediaries," Management Science, INFORMS, vol. 62(5), pages 1259-1277, May.
    8. Michael Greenberg & Paul Lioy & Birnur Ozbas & Nancy Mantell & Sastry Isukapalli & Michael Lahr & Tayfur Altiok & Joseph Bober & Clifton Lacy & Karen Lowrie & Henry Mayer & Jennifer Rovito, 2013. "Passenger Rail Security, Planning, and Resilience: Application of Network, Plume, and Economic Simulation Models as Decision Support Tools," Risk Analysis, John Wiley & Sons, vol. 33(11), pages 1969-1986, November.
    9. Konrad, Kai A. & Morath, Florian, 2023. "How to preempt attacks in multi-front conflict with limited resources," European Journal of Operational Research, Elsevier, vol. 305(1), pages 493-500.
    10. Wang, Chunhua, 2014. "Regulating land development in a natural disaster-prone area: The roles of building codes," Resource and Energy Economics, Elsevier, vol. 36(1), pages 209-228.
    11. Lakdawalla, Darius & Zanjani, George, 2005. "Insurance, self-protection, and the economics of terrorism," Journal of Public Economics, Elsevier, vol. 89(9-10), pages 1891-1905, September.
    12. Katherine A. Daniell & Alec Morton & David Ríos Insua, 2016. "Policy analysis and policy analytics," Annals of Operations Research, Springer, vol. 236(1), pages 1-13, January.
    13. Christopher Cotton & Cheng Li, 2015. "Profiling, Screening, and Criminal Recruitment," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 17(6), pages 964-985, December.
    14. Dulbecco, Philippe & Laporte, Bertrand, 2005. "How can the security of international trade be financed in developing countries? A global public good Approach," World Development, Elsevier, vol. 33(8), pages 1201-1214, August.
    15. Konrad, Kai A., 2024. "The collective security dilemma of preemptive strikes," European Journal of Operational Research, Elsevier, vol. 313(3), pages 1191-1199.
    16. Wu, Baichao & Tang, Aiping & Wu, Jie, 2016. "Modeling cascading failures in interdependent infrastructures under terrorist attacks," Reliability Engineering and System Safety, Elsevier, vol. 147(C), pages 1-8.
    17. Jun Zhuang & Vicki M. Bier, 2007. "Balancing Terrorism and Natural Disasters---Defensive Strategy with Endogenous Attacker Effort," Operations Research, INFORMS, vol. 55(5), pages 976-991, October.
    18. Scott DuHadway & Steven Carnovale & Benjamin Hazen, 2019. "Understanding risk management for intentional supply chain disruptions: risk detection, risk mitigation, and risk recovery," Annals of Operations Research, Springer, vol. 283(1), pages 179-198, December.
    19. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    20. Nell, Martin & Richter, Andreas & Schiller, Jörg, 2009. "When prices hardly matter: Incomplete insurance contracts and markets for repair goods," European Economic Review, Elsevier, vol. 53(3), pages 343-354, April.
