
Utilizing Game Theory for Security Risk Assessment

Chapter in: Game Theory for Security and Risk Management

Abstract

Security risk assessment provides valuable insights into the potential security risks an organization faces so that it can protect its critical information assets. With an understanding of those risks, an organization can make effective decisions about how to allocate its budget to mitigate or treat them, often based on the severity of each risk. It is therefore paramount to identify and assess risk scenarios properly in order to manage them. When classical risk assessment methods are used, subjective judgment, caused by the lack of statistical data and by the adaptive nature of the adversary, may undermine the credibility of the assessments. Even though the game-theoretic approach formulates robust mathematical models for risk assessment without relying on subjective probabilities, it is seldom used in organizations. This chapter therefore expands on the existing mapping between game theory and the risk assessment process and its terminology, to give further insight into how game theory can be utilized for risk assessment. In addition, we present our view on how a cooperative game-theoretic model may be used to capture opportunity risk, which many classical risk assessment methods overlook.



Acknowledgements

We would like to thank the anonymous reviewers for their valuable comments and suggestions.

Disclaimer

This is independent research of the first author; thus the view expressed in this book chapter is not associated with any organization she is affiliated with.

Author information

Corresponding author: Lisa Rajbhandari.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this chapter

Rajbhandari, L., Snekkenes, E. (2018). Utilizing Game Theory for Security Risk Assessment. In: Rass, S., Schauer, S. (eds) Game Theory for Security and Risk Management. Static & Dynamic Game Theory: Foundations & Applications. Birkhäuser, Cham. https://doi.org/10.1007/978-3-319-75268-6_1
