Cybersecurity Games for Investment Decision | Must Read for CISOs | Lucideus Research

Allocating a budget to the right places has always been a debatable topic. The traditional way of deciding an allocation is to weigh the benefits against the cost attached to it. When this is combined with the organization's own priorities for the different factors involved, the outcome becomes more effective.

In this blog, I am going to describe the idea presented in the research article titled “Cybersecurity Games and Investments: A Decision Support Approach”, and my take on it. It explores the problem of optimal investment: adjusting the implementation level of the required controls so as to maximise the derived benefit under a budget constraint.

Basic Framework:
In order to decide on the optimal controls to invest in, the network topology becomes an essential part of the overall analysis. For this purpose, the following topology is used:

The network considered here is made of three layers, or depths: the demilitarized zone (DMZ), the Middleware and the Private Network. Depth 3 is used for the most sensitive data because it is protected by two more layers of defence, i.e. the DMZ and the Middleware. The depth d of an asset is the number of defences that must be penetrated in order to reach that asset. The layers are separated by network security software such as IDS, firewalls, etc.

Notations: 
T: Set of all cybersecurity targets within an organization
V = {νz}: Set of vulnerabilities threatened by commodity attacks
d: Depth of the asset
C = {cj}: Set of all cybersecurity controls
Pj = {pjl}: set of all cybersecurity processes associated with control cj

Assets having the same vulnerability and present at the same depth are considered to belong to the same target, so a target is defined by a (vulnerability, depth) pair. Therefore, the set of all targets is T = {(νz, d) | νz ∈ V, d ∈ {1,...,n}}. The mitigation plan is to implement a control cj at a certain level ℓ ∈ {0,...,λ}, where ℓ indicates the degree to which the control is implemented.

Along with this, there are other factors which affect the investment decision: Risk, Direct cost, Indirect cost, Vulnerability factors and Organization profile.

Risk: Three broad types of risk are taken into consideration: Data Loss (DL), Business Disruption (BD) and Reputation (RE). These vary with the depth at which the asset is located, so DLd, BDd and REd denote the respective risks at depth d.

Direct Cost: Each cybersecurity process has two direct costs attached to it: capital cost (CAC) and labour cost (LAC). CAC is the cost of purchasing the process for a particular control, and LAC is the cost of the administrators' time spent implementing it, i.e. (hours spent) × (cost per hour).

Indirect Cost: System Performance Cost (SPC), Morale Cost (MOC) and Re-Training Cost (RTC) are the three indirect costs considered here. SPC is the cost of the decrease in the performance of a user's system when a control is implemented. MOC is the cost arising from the increased strictness of the measures undertaken: the stricter a measure, the more willing employees are to circumvent it. Whenever the implementation level of a control is changed, employees have to be trained again to use their systems properly, and the cost of this is RTC. The indirect costs associated with every process pjl are written SPCjl, MOCjl and RTCjl.

Vulnerability Factors: These are Prevalence (PR), Attack Frequency (AF), Ease of Detection (ED) and Attacker Awareness (AA). For a vulnerability νz they are denoted PRz, AFz, EDz and AAz. PR is how frequently the vulnerability is present in a system, AF is the number of times someone tries to attack that vulnerability, AA is the extent to which an average adversary would know that a malicious script for it is for sale, and ED measures the discovery cost of the vulnerability.

Organization Profile: Organizations differ from one another in their key functional areas and distinguishing features, so it is necessary to include the organization's preference for the above-mentioned factors. Some factors might affect a web service provider more than an oil and gas company. The organization's profile is therefore denoted {R, K, T}, where

R is the risk profile;
K is the indirect cost profile, and
T is the threat concern.

These profiles are probability distributions, written R = {r1, r2, r3}, K = {k1, k2, k3} and T = {τ1, τ2}. Therefore,

RISKS = r1·DLd + r2·REd + r3·BDd
IND_COSTS = k1·SPCjl + k2·RTCjl + k3·MOCjl
THREATS = τ1·(current threats) + τ2·(future potential threats)

The current threats are defined as (PRz + AFz)/2 and the future potential threats as (EDz + AAz)/2. The priority between the two reflects whether the organization is more concerned about current threats or future ones.

Model: 
This section formulates the interaction between a defender and an attacker. The defender protects the organization's data assets by minimising the risk associated with them, while the attacker derives benefit from attacking them. The two payoffs are negatively correlated: the more the defender loses, the more the attacker gains.

The defender's mixed strategy is given by Qjλ = [qj0,...,qjλ], which gives the probability of implementing control cj at each level. The attacker's mixed strategy is given by Hjλ = [hj0,...,hjλ], where hji is the probability of the attacker attacking target ti given that control cj is implemented at a particular level. The utility of the defender when target ti = (νz, d) is attacked and process pjl is implemented for control cj is denoted by:



Theorem 1: 

“The zero-sum cybersecurity control-subgame Gjλ admits an NE in mixed strategies, (Qjλ ,Hjλ ), with the property that 

The minimax theorem states that for zero-sum games NE and minimax solution coincide. Therefore in Gjλ any Nash cybersecurity plan mini-maximizes the attacker’s payoff. If any Gjλ admits multiple Nash cybersecurity plans, they have the ordered interchangeability property which means that D reaches the same level of defence independent from A’s strategy, i.e.”

An organization will implement more than one control, so all the controls have to be combined within the budget given to the defender. Every plan has its own direct cost attached to it: CAC and LAC. A plan is assumed to be effective in protecting more than one target, and its benefit for a given target is determined by the expected damage caused when only that process is implemented. Moreover, each investment solution has a score, fixed by the expected damage across all targets: the higher the score, the less valuable the investment plan. The overall optimisation therefore aims at minimising this investment score. The solution of the game is defined as:

“Defining the value of any target ti as γi = −Risks × Threat, considering N controls and assuming that each Nash cybersecurity plan Q*jλ is associated with some benefit bjλ(ti) upon target ti, and it has cost ωjλ, the defender seeks a cybersecurity investment I such that”

where I is the investment plan that maximises the minimum defence achieved across all targets. The best investment plan thus represents an allocation of resources that minimises the expected damage caused, given the constraints.
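As an added illustration (not code from the paper or from the post), the following Python carries the profile-weighted RISKS, IND_COSTS and THREATS formulas above through to the target value γi and then to a budget-constrained choice of one implementation level per control. All numbers, control names and the reading of the max-min objective as "minimise the worst residual damage over targets" are my assumptions.

```python
from itertools import product

# Constructed, illustrative inputs (not values from the paper or the post).
PROFILE = {"R": (0.5, 0.3, 0.2),    # r1 (data loss), r2 (reputation), r3 (business disruption)
           "K": (0.4, 0.3, 0.3),    # k1 (SPC), k2 (RTC), k3 (MOC)
           "tau": (0.7, 0.3)}       # tau1 (current threats), tau2 (future potential threats)
RISK_BY_DEPTH = {1: (2.0, 1.0, 1.0), 2: (4.0, 2.0, 2.0), 3: (8.0, 4.0, 3.0)}  # (DL_d, RE_d, BD_d)
VULN_FACTORS = {"v1": (0.8, 0.6, 0.5, 0.9), "v2": (0.3, 0.2, 0.9, 0.4)}       # (PR, AF, ED, AA)
# Control c_j at level l: (direct cost, {target: fraction of damage removed}); level 0 = off.
CONTROLS = {"c1": {1: (3.0, {("v1", 3): 0.4}), 2: (6.0, {("v1", 3): 0.8})},
            "c2": {1: (4.0, {("v2", 1): 0.9, ("v1", 3): 0.2})}}

def risks(d, profile=PROFILE):
    """RISKS = r1*DL_d + r2*RE_d + r3*BD_d for an asset at depth d."""
    r1, r2, r3 = profile["R"]
    dl, re, bd = RISK_BY_DEPTH[d]
    return r1 * dl + r2 * re + r3 * bd

def indirect_cost(spc, rtc, moc, profile=PROFILE):
    """IND_COSTS = k1*SPC_jl + k2*RTC_jl + k3*MOC_jl for one process p_jl."""
    k1, k2, k3 = profile["K"]
    return k1 * spc + k2 * rtc + k3 * moc

def threats(vz, profile=PROFILE):
    """THREATS = tau1*(PR_z+AF_z)/2 + tau2*(ED_z+AA_z)/2 for vulnerability v_z."""
    t1, t2 = profile["tau"]
    pr, af, ed, aa = VULN_FACTORS[vz]
    return t1 * (pr + af) / 2 + t2 * (ed + aa) / 2

def target_value(vz, d):
    """gamma_i = -Risks x Threat for target t_i = (v_z, d); more negative = more at stake."""
    return -risks(d) * threats(vz)

def best_investment(targets, controls, budget):
    """Exhaustively pick one level per control within budget so that the worst residual damage
    over all targets is minimised (i.e. the minimum defence is maximised). Residual damage on
    t_i = |gamma_i| * (1 - coverage_i), coverage being the capped sum of chosen-plan benefits."""
    names = list(controls)
    best = None
    for levels in product(*[[0] + sorted(controls[n]) for n in names]):
        chosen = [(n, l) for n, l in zip(names, levels) if l > 0]
        cost = sum(controls[n][l][0] for n, l in chosen)
        if cost > budget:
            continue                                   # budget constraint
        damages = []
        for t in targets:
            cover = min(1.0, sum(controls[n][l][1].get(t, 0.0) for n, l in chosen))
            damages.append(-target_value(*t) * (1.0 - cover))
        score = (max(damages), sum(damages), cost)     # lexicographic tie-break
        if best is None or score < best[0]:
            best = (score, dict(chosen))
    return best[1], best[0][0]                         # chosen levels, worst residual damage
```

Lowering the budget from 10 to 8 makes the joint plan {c1: 2, c2: 1} infeasible and the search falls back to {c1: 2}, leaving the shallow target uncovered, which is exactly the kind of trade-off the profile weights are meant to steer.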

Conclusion:
Since it is not possible for an organization to implement all the processes under a budget constraint, a mechanism is needed that can help decide the optimal place to invest. The game-theoretic model discussed above shifts the traditional analysis to one based on the organization's own priorities. Considering the case of Data Loss Prevention (DLP) tools, a similar approach could be used to classify the decision rules on which DLP operates: the organization's preferences over the various profiles can serve as a powerful tool in deciding whether an active or a passive action is required when a sensitive data file is found to be shared outside the corporate network.

References:
1. Panaousis E., Fielder A., Malacaria P., Hankin C., Smeraldi F. (2014) Cybersecurity Games and Investments: A Decision Support Approach. In: Poovendran R., Saad W. (eds) Decision and Game Theory for Security. GameSec 2014. Lecture Notes in Computer Science, vol 8840. Springer, Cham

2. Anderson, R: Why Information Security is Hard. In Proc. of the 17th Annual Computer Security Applications Conference (2001)

3. CWE: 2011 CWE/SANS Top 25 Most Dangerous Software Errors. http://cwe.mitre.org/top25/ (accessed May 2014)

4. Council on Cybersecurity: The critical security controls for effective cyber defence (version 5.0). http://www.counciloncybersecurity.org/attachments/article/12/CSC-MASTER-VER50-2-27-2014.pdf (accessed May 2014)

5. 2012 Deloitte-NASCIO Cybersecurity Study: State governments at risk: a call for collaboration and compliance. https://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_nascio%20Cybersecurity%20Study_10192012.pdf (accessed May 2014)

6. Alpcan, T., Basar, T.: Network Security: A Decision and Game-Theoretic Approach. Cambridge University Press (2010)

7. Alpcan, T.: Dynamic incentives for risk management. In: Proc. of the 5th IEEE International Conference on New Technologies, Mobility and Security (NTMS) (2012)

8. Gordon, L.A., Loeb, M.P.: The economics of information security investment. In: ACM Transactions on Information and System Security (TISSEC) (2002)

9. Johnson, B., Grossklags, J., Christin, N., Chuang, J.: Nash equilibria for weakest target security games with heterogeneous agents. In: Jain, R., Kannan, R. (eds.) Gamenets 2011. LNICST, vol. 75, pp. 444-458. Springer, Heidelberg (2012)

10. Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Game theory meets information security management. In: Proc. of the 29th IFIP International Information Security and Privacy Conference (2014)

11. Smeraldi, F., Malacaria, P.: How to Spend it: Optimal Investment for Cyber Security. In: Proc. of the 1st International Workshop on Agents and CyberSecurity (ACySe) (2014)

12. Cavusoglu, H., Srinivasan, R., Wei, T.Y.: Decision-theoretic and game-theoretic approaches to IT security investment. In: Journal of Management Information Systems, 25(2), pp. 281-304 (2008)

13. Saad, W., Alpcan, T., Basar, T., Hjorungnes, A.: Coalitional game theory for security risk management. In: Proc. of the 5th International Conference on Internet Monitoring and Protection (ICIMP), pp. 35-40 (2010)

14. Bommannavar, P., Alpcan, T., Bambos, N.: Security risk management via dynamic games with learning. In: Proc. of the 2011 IEEE International Conference on Communications (ICC), pp. 1-6 (2011)

15. Alpcan, T., Bambos, N.: Modeling dependencies in security risk management. In: Proc. of the Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS), pp. 113-116 (2009)

16. Cremonini, M., Nizovtsev, D.: Understanding and influencing attackers’ decisions: Implications for security investment strategies

17. Demetz, L., Bachlechner, D.: To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool. The Economics of Information Security and Privacy, Springer Berlin Heidelberg, pp. 25-47 (2013)

18. Kiekintveld, C., Islam, T., Kreinovich, V.: Security games with interval uncertainty. In: Proc. of the 12th International Conference on Autonomous Agents and Multiagent Systems (AAMAS 2013), pp. 231-238. International Foundation for Autonomous Agents and Multiagent Systems, Richland (2013).
