Are We Compromised? Modelling Security Assessment Games

  • Viet Pham
  • Carlos Cid
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7638)


Security assessments are an integral part of organisations’ strategies for protecting their digital assets and critical IT infrastructure. In this paper we propose a game-theoretic modelling of a particular form of security assessment – one which addresses the question “are we compromised?”. We do so by extending the recently proposed game “FlipIt”, which itself can be used to model the interaction between defenders and attackers under the Advanced Persistent Threat (APT) scenario. Our extension gives players the option to “test” the state of the game before making a move. This allows one to study the scenario in which organisations have the option to perform periodic security assessments of such nature, and the benefits they may bring.


Information Security Penetration Testing Periodic Moving State Check Security Investment 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bejtlich, R.: Testimony before the USCC Hearing on “Developments in China’s Cyber and Nuclear Capabilities” (March 26, 2012),
  2. 2.
    Billo, C.G.: Cyber warfare: An analysis of the means and motivations of selected nation states. Technical report, Institute for Security Technology Studies at Darthmouth College (2004)Google Scholar
  3. 3.
    Böhme, R., Félegyházi, M.: Optimal Information Security Investment with Penetration Testing. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 21–37. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. 4.
    Böhme, R., Moore, T.: The iterated weakest link: A model of adaptive security investment. In: Workshop on the Economics of Information Security, WEIS (2009)Google Scholar
  5. 5.
    Chabrow, E.: Identifying undetected breaches identifying undetected breaches: How data scientists analyze big data to spot vulnerabilities (April 20, 2012),
  6. 6.
    Coviello, A.: Open letter to RSA customers (March 17, 2011),
  7. 7.
    Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Transactions in Information System Security 5(4), 438–457 (2002)CrossRefGoogle Scholar
  8. 8.
    Kunreuther, H., Heal, G.: Interdependent Security. Journal of Risk and Uncertainty 26(2), 231–249 (2007)CrossRefGoogle Scholar
  9. 9.
    Langner, R.: Stuxnet: Dissecting a cyber warfare weapon. IEEE Security & Privacy 9(3), 49–51 (2011)CrossRefGoogle Scholar
  10. 10.
    Manshaei, M.H., Zhu, Q., Alpcan, T., Basar, T., Hubaux, J.: Game Theory Meets Network Security and Privacy. Technical report, EPFL (2010)Google Scholar
  11. 11.
    National Institute of Standards and Technology. Technical Guide to Information Security Testing and Assessment. Special Publication 800–115 (2008)Google Scholar
  12. 12.
    National Institute of Standards and Technology. Recommended security controls for federal information systems and organizations. Special Publication 800–53 (2009)Google Scholar
  13. 13.
    Raya, M., Shokri, R., Hubaux, J.: On the tradeoff between trust and privacy in wireless ad hoc networks. In: Proceedings of the Third ACM Conference on Wireless Network Security, WiSec 2010, pp. 75–80. ACM, New York (2010)CrossRefGoogle Scholar
  14. 14.
    van Dijk, M., Juels, A., Oprea, A., Rivest, R.L.: Flipit: The game of “stealthy takeover”. Cryptology ePrint Archive, Report 2012/103 (2012)Google Scholar
  15. 15.
    Vijayan, J.: Breach, undetected since 2005, exposes data on Kingston customers (July 17, 2007),

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Viet Pham
    • 1
  • Carlos Cid
    • 1
  1. 1.Information Security GroupRoyal Holloway, University of LondonSurreyUnited Kingdom

Personalised recommendations