
Strategic Games on Defense Trees

  • Conference paper
Formal Aspects in Security and Trust (FAST 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4691))

Abstract

In this paper we use defense trees, an extension of attack trees with countermeasures, to represent attack scenarios, and game theory to identify the most promising actions for the attacker and the defender. On one side the attacker wants to break the system (with as little effort as possible); on the opposite side the defender wants to protect it (sustaining the minimum cost).

As utility functions for the attacker and for the defender we consider economic indices such as the Return on Investment (ROI) and the Return on Attack (ROA). We show how our approach can be used to evaluate the effectiveness and economic profitability of countermeasures, as well as their deterrent effect on attackers, thus providing decision makers with a useful tool for a better evaluation of IT security investments during the risk management process.
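To make the construction concrete, here is an added Python example (not code from the paper or its authors) that builds a small defense tree, computes the two economic indices as payoffs of a strategic game between attacker and defender, and searches for pure-strategy equilibria and deterred attacks. The ROI and ROA formulas, the dataclass layout, the attack/countermeasure figures and the tree itself are all assumptions constructed for the example; the paper's own index definitions and scenario are not reproduced here.

```python
"""Defense tree + strategic game with ROI / ROA payoffs (added example).

Assumed, simplified index definitions (illustrative, not quoted from the paper):
  ROI(a, c) = (ALE_a * RM_c(a) - CSI_c) / CSI_c          defender's payoff
  ROA(a, c) = (GI_a * (1 - RM_c(a)) - cost_a) / cost_a   attacker's payoff
ALE = SLE * ARO (annual loss expectancy), RM = fraction of the attack's risk
the countermeasure mitigates, CSI = cost of the security investment,
GI = attacker's gain on success, cost_a = attacker's cost to mount the attack.
"""
from dataclasses import dataclass
from itertools import product
from math import isclose


@dataclass(frozen=True)
class Attack:
    name: str
    sle: float   # single loss expectancy for the defender
    aro: float   # annual rate of occurrence
    gain: float  # attacker's gain on success (GI)
    cost: float  # attacker's cost to mount the attack

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    csi: float        # cost of the security investment
    mitigation: dict  # attack name -> RM in [0, 1]; attacks not listed are unaffected

    def rm(self, attack: Attack) -> float:
        return self.mitigation.get(attack.name, 0.0)


NO_COUNTERMEASURE = Countermeasure("none", 0.0, {})


@dataclass(frozen=True)
class DefenseTree:
    """Root goal (an OR over attack leaves); each leaf is decorated with countermeasures."""
    goal: str
    attacks: tuple
    countermeasures: tuple

    def defender_actions(self) -> tuple:
        # The defender may also decide to invest nothing.
        return (NO_COUNTERMEASURE,) + self.countermeasures


def roi(attack: Attack, cm: Countermeasure) -> float:
    if cm.csi == 0:
        return 0.0  # nothing invested, nothing returned
    return (attack.ale * cm.rm(attack) - cm.csi) / cm.csi


def roa(attack: Attack, cm: Countermeasure) -> float:
    return (attack.gain * (1.0 - cm.rm(attack)) - attack.cost) / attack.cost


def pure_nash_equilibria(tree: DefenseTree) -> list:
    """(attack, countermeasure) pairs where neither player gains by deviating alone."""
    eqs = []
    for a, c in product(tree.attacks, tree.defender_actions()):
        best_roa = max(roa(x, c) for x in tree.attacks)            # attacker's best reply to c
        best_roi = max(roi(a, y) for y in tree.defender_actions())  # defender's best reply to a
        if isclose(roa(a, c), best_roa) and isclose(roi(a, c), best_roi):
            eqs.append((a.name, c.name))
    return eqs


def deterred_attacks(tree: DefenseTree, cm: Countermeasure) -> list:
    """Attacks whose ROA is driven to zero or below by cm: a rational attacker drops them."""
    return [a.name for a in tree.attacks if roa(a, cm) <= 0.0]


# Constructed sample tree; every figure below is invented for this example.
SQLI = Attack("sql_injection", sle=50_000, aro=0.4, gain=15_000, cost=1_000)
PHISHING = Attack("phishing", sle=30_000, aro=1.0, gain=2_000, cost=500)
WAF = Countermeasure("waf", csi=8_000, mitigation={"sql_injection": 0.5})
MFA = Countermeasure("mfa", csi=5_000, mitigation={"phishing": 0.8})
TRAINING = Countermeasure("training", csi=3_000, mitigation={"phishing": 0.4})
TREE = DefenseTree("steal customer records", (SQLI, PHISHING), (WAF, MFA, TRAINING))

if __name__ == "__main__":
    for a in TREE.attacks:
        for c in TREE.defender_actions():
            print(f"{a.name:14s} vs {c.name:9s}  ROI={roi(a, c):6.2f}  ROA={roa(a, c):6.2f}")
    print("pure Nash equilibria:", pure_nash_equilibria(TREE))
    print("deterred by mfa:", deterred_attacks(TREE, MFA))
```

The game is in strategic form with the attacker choosing a row (an attack leaf) and the defender a column (one countermeasure, or none), each cell holding the pair (ROA, ROI). The equilibrium search is a brute-force mutual best-response check, which is enough for pure strategies on trees of this size; mixed equilibria need a proper solver. With the constructed figures the only pure equilibrium is (sql_injection, waf): the firewall halves the attacker's return but does not deter the attack, whereas MFA pushes the phishing ROA below zero and so deters it even though the attacker's equilibrium choice never targets that leaf.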

Partially supported by the MIUR PRIN 2005-015491.




Editor information

Theo Dimitrakos Fabio Martinelli Peter Y. A. Ryan Steve Schneider


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bistarelli, S., Dall’Aglio, M., Peretti, P. (2007). Strategic Games on Defense Trees. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds) Formal Aspects in Security and Trust. FAST 2006. Lecture Notes in Computer Science, vol 4691. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75227-1_1


  • DOI: https://doi.org/10.1007/978-3-540-75227-1_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75226-4

  • Online ISBN: 978-3-540-75227-1

  • eBook Packages: Computer Science (R0)
