Cybersecurity Games and Investments: A Decision Support Approach

  • Emmanouil Panaousis
  • Andrew Fielder
  • Pasquale Malacaria
  • Chris Hankin
  • Fabrizio Smeraldi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8840)


In this paper we investigate how to optimally invest in cybersecurity controls. We are particularly interested in cases where an organization suffers from underinvestment or inefficient spending on cybersecurity. To this end, we first model the cybersecurity environment of an organization. We then model non-cooperative cybersecurity control-games between the defender, which abstracts all defense mechanisms of the organization, and the attacker, which can exploit different vulnerabilities at different network locations. To implement our methodology we use the SANS Top 20 Critical Security Controls and the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Based on the profile of an organization, which determines its preferences in terms of indirect costs, its concerns about different kinds of threats and the importance of its assets given their associated risks, we derive the Nash equilibria of a series of control-games. These game solutions are then handled by optimization techniques, in particular a multi-objective, multiple-choice knapsack, to determine the optimal cybersecurity investment. Our methodology provides security-effective and cost-efficient solutions, especially against commodity attacks. We believe our work can be used to advise security managers on how they should spend an available cybersecurity budget given their organization profile.
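As an added illustration of the final optimization stage (this is not the paper's code or data), the snippet below solves the multiple-choice knapsack over a handful of controls. Each control has implementation levels with a direct cost, an indirect-cost term and an effectiveness score that stands in for the defender's control-game payoff; the multi-objective aspect is collapsed into a weighted scalar, which is an assumption of this example, and every number is constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample data (illustrative, not from the paper): each control has
# implementation levels as (direct_cost, indirect_cost, effectiveness).
# Level 0 is always "not implemented". Effectiveness stands in for the
# defender's payoff at the Nash equilibrium of that control's game.
Level = Tuple[int, float, float]
CONTROLS: Dict[str, List[Level]] = {
    "inventory":   [(0, 0.0, 0.0), (2, 0.1, 3.0), (4, 0.3, 4.5)],
    "patching":    [(0, 0.0, 0.0), (3, 0.2, 5.0), (6, 0.6, 6.0)],
    "malware_def": [(0, 0.0, 0.0), (2, 0.1, 2.5), (5, 0.4, 4.0)],
    "admin_priv":  [(0, 0.0, 0.0), (1, 0.5, 2.0), (3, 1.0, 3.5)],
}


def scalarise(level: Level, indirect_weight: float) -> float:
    """Collapse the two objectives (effectiveness, indirect cost) into one
    score; the weight encodes the organisation's tolerance of indirect costs."""
    _cost, indirect, effectiveness = level
    return effectiveness - indirect_weight * indirect


def mckp(controls: Dict[str, List[Level]], budget: int,
         indirect_weight: float = 1.0) -> Tuple[float, Dict[str, int]]:
    """Multiple-choice knapsack: pick exactly one level per control so that
    total direct cost <= budget and the summed score is maximal.
    dp[b] holds (best_score, choices) using at most b units of budget."""
    dp: List[Tuple[float, Dict[str, int]]] = [(0.0, {}) for _ in range(budget + 1)]
    for name, levels in controls.items():
        new_dp = []
        for b in range(budget + 1):
            candidates = []
            for idx, level in enumerate(levels):
                cost = level[0]
                if cost <= b:
                    prev_score, prev_choice = dp[b - cost]
                    candidates.append((prev_score + scalarise(level, indirect_weight),
                                       {**prev_choice, name: idx}))
            new_dp.append(max(candidates, key=lambda c: c[0]))
        dp = new_dp  # a fresh table per control enforces "exactly one level"
    return dp[budget]


def direct_cost(controls: Dict[str, List[Level]], choice: Dict[str, int]) -> int:
    """Total direct spend of a plan, used to confirm the budget is respected."""
    return sum(controls[name][idx][0] for name, idx in choice.items())


if __name__ == "__main__":
    score, plan = mckp(CONTROLS, budget=8)
    print(f"score={score:.2f} cost={direct_cost(CONTROLS, plan)} plan={plan}")
```

Raising `indirect_weight` models an organization whose profile penalises disruptive controls more heavily, which shifts the chosen plan toward cheaper levels.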


Keywords: cybersecurity, game theory, optimization





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Emmanouil Panaousis (1)
  • Andrew Fielder (2)
  • Pasquale Malacaria (1)
  • Chris Hankin (2)
  • Fabrizio Smeraldi (1)

  1. Queen Mary University of London, UK
  2. Imperial College London, UK
