Three Layer Game Theoretic Decision Framework for Cyber-Investment and Cyber-Insurance

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10575)


The cyber-threat landscape has become highly complex, so isolated attempts to understand, detect, and resolve cybersecurity issues are not feasible when making time-constrained decisions. The introduction of cyber-threat information (CTI) sharing has the potential to handle this issue to some extent: knowledge about security incidents is gathered and exchanged across organizations to derive useful information about threat actors and vulnerabilities. Although sharing security information could allow organizations to make informed decisions, it may not completely eliminate the risks. Therefore, organizations are also inclined toward considering cyber-insurance for transferring risks to the insurers. Also, in a networked environment, adversaries may exploit the information sharing to successfully breach the participating organizations. In this paper, we consider these players, i.e., organizations, the adversary, and the insurer, to model a three-layer game in which the players play sequentially to find their optimal strategies. Organizations determine the optimal self-defense investment to make while participating in CTI sharing and cyber-insurance. The adversary looks for an optimal attack rate, while the insurer aims to maximize its profit by offering a suitable coverage level to the organizations. Using a backward induction approach, we conduct a subgame perfect equilibrium analysis to find the optimal strategies for the players involved. We observe that when cyber-insurance is not considered, the attacker prefers to increase its rate of attack. This motivates the organizations to consider the cyber-insurance option for transferring the risks on their critical assets.


Keywords: Cyber-insurance, Cyber-threat information sharing, Game theory, CYBEX



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Department of Computer Science, Norfolk State University, Norfolk, USA
  2. Department of Computer Science and Engineering, University of Nevada, Reno, USA
  3. Virginia Modeling Analysis and Simulation Center, Old Dominion University, Norfolk, USA
  4. Network Security Branch, Army Research Laboratory, Adelphi, USA
  5. Cyber Assurance Branch, Air Force Research Laboratory, Rome, USA
