Toward Realistic Modeling Criteria of Games in Internet Security

Posted: February 9, 2016 | By: Jonathan Spring

2 Related work

Game theory was kicked off in 1944 as a robust field by [37] and saw application to such national security issues as nuclear deterrence and mutually assured destruction. The essential problems of bargaining and non-cooperative games were laid out by John Nash in the early 1950s [27, 26]. Game theory was founded as a branch of mathematics; after the theory acquired conceptual foundations (see [30, 29] for a summary), its notions spread to a number of fields, notably economics (for example [31]). Some game theorists have also taken influence from other fields, such as evolution and dynamical systems [15]. Some game theory texts are broad, mathematical treatments such as [28]. Useful for the work described in this paper are treatments of non-cooperative games and games of incomplete information, which are included in some of the above but are the focus of texts such as [14, 25].

There have been previous efforts to extend game theory into the field of information security; [34] summarize and categorize the efforts. Game-theoretic models have been proposed for both organization-scale [7] and single-wireless-node-scale [40] information security games; both as single-play [36] and repeated games [20]. As economics intersects game theory it also intersects information security; for a summary of the extensive work on the economics of information security, see [5].

We heuristically derive our model from case studies and empirical reporting of information-security-relevant behavior on the Internet. There are several organizations that report on various aspects of cyber-crime and human behavior, in varying levels of detail, such as [4, 33, 2, 23, 13, 19, 24, 9, 8, 1]. These sources do not generally attempt to derive a general model from the information observed. There is some work in cyber-crime and risk dynamics, such as [23, 35], that models criminal behavior and informs our game-theoretic modeling directly.

It seems that all existing applications of game theory to information security force the game to be a two-player game. Some study population dynamics of users and adversaries [39], which has richer descriptive power, but these still retain only two types of players. These efforts do not seem satisfactory in describing the Internet-scale phenomenon of information security, as reported by the economics, cyber-crime and dynamics literatures. We assert that a primary reason for this shortcoming is that the game cannot be described with fewer than three players.
