Game-Theoretic Cybersecurity: the Good, the Bad and the Ugly

TL;DR

This paper reviews the application of game theory in cybersecurity, identifying gaps such as inadequate modeling of uncertainty, and provides guidance to improve its practical relevance and effectiveness.

Contribution

It develops a framework to analyze existing game-theoretic cybersecurity models and offers recommendations for incorporating uncertainty to enhance real-world applicability.

Findings

Game theory models often lack proper uncertainty modeling.

Most models do not align with practical cybersecurity needs.

Guidelines are provided for better uncertainty incorporation.

Abstract

Given the scale of consequences attributable to cyber attacks, the field of cybersecurity has long outgrown ad-hoc decision-making. A popular choice to provide disciplined decision-making in cybersecurity is Game Theory, which seeks to mathematically understand strategic interaction. In practice though, game-theoretic approaches are scarcely utilized (to our knowledge), highlighting the need to understand the deficit between the existing state-of-the-art and the needs of cybersecurity practitioners. Therefore, we develop a framework to characterize the function and assumptions of existing works as applied to cybersecurity and leverage it to characterize 80 unique technical papers. Then, we leverage this information to analyze the capabilities of the proposed models in comparison to the application-specific needs they are meant to serve, as well as the practicality of implementing the proposed solution. Our main finding is that Game Theory largely fails to incorporate notions of uncertainty critical to the application being considered. To remedy this, we provide guidance in terms of how to incorporate uncertainty in a model, what forms of uncertainty are critical to consider in each application area, and how to model the information that is available in each application area.