Are We Compromised? Modelling Security Assessment Games
Security assessments are an integral part of organisations’ strategies for protecting their digital assets and critical IT infrastructure. In this paper we propose a game-theoretic modelling of a particular form of security assessment – one which addresses the question “are we compromised?”. We do so by extending the recently proposed game “FlipIt”, which itself can be used to model the interaction between defenders and attackers under the Advanced Persistent Threat (APT) scenario. Our extension gives players the option to “test” the state of the game before making a move. This allows one to study the scenario in which organisations have the option to perform periodic security assessments of such nature, and the benefits they may bring.
Keywords: Information Security; Penetration Testing; Periodic Moving; State Check; Security Investment