A Game Oriented Approach to Minimizing Cybersecurity Risk

A Game Oriented Approach to Minimizing Cybersecurity Risk

Scott Musman Andrew J. Turner 

The MITRE Corporation, McLean, Va, USA

| |
| | Citation



Information and Communication Technology (ICT) systems are now ubiquitous in all aspects of our society. With an ability to create ICT incident effects via cyberspace, criminals can steal information or extort money, terrorists can disrupt society or cause loss of life, and the effectiveness of a military can be degraded. These threats have caused an imperative to maximize a system’s cyber security resilience. Protecting systems that rely on ICT from cyber-attacks or reducing the impacts that cyber incidents cause is a topic of major importance. In this paper, we describe an approach to minimizing cybersecurity risks called Cyber Security Game (CSG), where CSG can be viewed as a form of model-based system security engineering. CSG is a method and supporting software that quantitatively identifies mission outcome focused cybersecurity risks and uses this metric to determine the optimal employment of security methods to use for any given investment level. CSG maximizes a system’s ability to operate in today’s contested cyber environment by minimizing its mission risk. The risk score is calculated by using a cyber mission impact assessment (CMIA) model to compute the consequences of cyber incidents, and by applying a threat model to a system topology model and defender model to estimate how likely attacks are to succeed. CSG takes into account the widespread interconnectedness of cyber systems, where defenders must defend all multi-step attack paths and an attacker only needs one to succeed. It employs a game theoretic solution using a game formulation that identifies defense strategies to minimize the maximum cyber risk (MiniMax), employing the defense methods defined in the defender model. This paper describes the approach and the models that CSG uses.


cybersecurity, game theory, return on investment, risk assessment, risk management


[1] Cox, A., Some limitations of risk = threat × vulnerability × consequence for risk analysis of terrorist attacks. Risk Analysis, 28(6), pp. 1749–1761, 2008. https://doi.org/10.1111/j.1539-6924.2008.01142.x

[2] Lagner, R., To Kill a Centrifuge. The Langner Group, 2013.

[3] United States Senate Committee on Commerce, Science, and Transportation, A “Kill Chain”Analysis of the 2013 Target Data Breach. United States Senate , Washington, D.C., USA, 2014.

[4] Garvey, P.R. & Patel, S.H., Analytical frameworks to assess the effectiveness and economicreturns of cybersecurity investments. Military Communications Conference (MILCOM), 2014 IEEE, Baltimore, MD, USA, 2014.

[5] Carin, L., Cybenko, G. & Hughes, J., Cybersecurity strategies: the QuERIES methodology. Computer, 41(8), pp. 20–26, 2008. https://doi.org/10.1109/mc.2008.295

[6] Roy, S., Ellis, C., Shiva, S., Dasgupta, D., Shandilya, V. & Wu, Q., A Survey of Game Theory as Applied to Network Security. 43rd Hawaii International Conference on System Sciences (HICSS), Koloa, HI, USA, 2010.

[7] Temin, A. & Musman, S., A Language for Capturing Cyber Impact Effects. MITRE Technical Report MTR-10344. MITRE Corporation, Washington DC, 2010.

[8] Musman, S., Temin, A., Tanner, M., Fox, F. & Pridemore, B., Evaluating the Impact of Cyber Attacks on Complex Missions. 5th International Conference on Information Warfare and Security, Dayton, OH, USA, 2010.

[9] Musman, S.T.A., A Cyber Mission Impact Assessment Tool. Homeland Security Technologies Conference, Boston, MA, 2015.

[10] Jajodia, N.S., Topological vulnerability analysis. Cyber Situational Awareness, Advances in Information Security, 2010.

[11] Wang, L., Jajodia, S. & Noel, S., k-zero day safety: Measuring the security risk of networks against unknown attacks. European Symposium on Research in Computer Security, Athens, Greece, 2010.

[12] Musman, S., Tanner, M., Elsaesser, E. & Lewis, L., A Systems Engineering Approach to Crown Jewels Estimation and Mission Assurance Decision Making, Proceedings of the IEEE Symposium on Computational Intelligence in Cyber Security, Paris, France, 2011.

[13] Musman, S., Tanner, M., Temin, A. & Elsaesser, E., Computing the Impact of Cyber Attacks on Missions. 2011 IEEE International Systems Conference (SysCon), Montreal, QC, 2011.

[14] Musman, S. & Agbolosu-Amison, S., A Measurable Definition of Resiliency Using “Mission Risk” as a Metric, MITRE Corp, McLean, VA, USA, 2014.

[15] Dhanjani, N., Rios, B. & Hardin, B., Hacking: The Next Generation, O’Reiley Media Inc., Sebastopol, CA, 2009.

[16] Noel, S., Ludwig, J., Jain, P., Jhonson, D., Thomas, R., McFarland, F., King, B., Webster, S. & Tello, B., Analyzing Mission Impacts of Cyber Actions (AMICA). ATO IST-128 Workshop on Cyber Attack Detection, Forensics and Attribution for Assessment of Mission Impact, Istanbul, Turkey, 2015.

[17] Nguyen, N., Alpcan, T. & Basar, T., Stochastic games for security in networks with interdependent nodes. International Conference on Game Theory for Networks, Istanbul, Turkey, 2009.

[18] Jormakka, J. & Jolsa, J., Modelling information warfare as a game. Journal of Information Warfare, 4(2), pp. 12–25, 2005.

[19] Sallhammar, K. & Knapskog, S., Using Game Theory in Stochastic Models for Quantifying Security. Proceedings of the 9th Nordic Workshop on Secure IT-systems, Espoo, Finland, 2004.

[20] MSM, “Making Security Measurable,” [Online], available at https://makingsecuritymeasurable. mitre.org/, 8 July 2013.

[21] Alpcan, T. & Basar, T., A game theoretic analysis of intrusion detection in access control systems. 43rd IEEE Conference on Decision and Control, Nassau, Bahamas, 2004.

[22] Watters, J., Morrissey, S., Bodeau, D. & Powers, S., The Risk-to-Mission Assessment Process (RiskMAP): A Sensitivity Analysis and an Extension to Treat Confidentiality Issues. MITRE, McLean, VA, USA, 2009.

[23] S. Noel, J. S, O. B. & J. M., Efficient minimum-cost network hardening via exploit dependency graphs. Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC’03), 2003.