Using awareness and game theory to strengthen cybersecurity defenses

What is it about?

Modeling and quantifying the awareness process has proved to be one of the more novel and very challenging aspects of game theory modeling. However, the need to understand, model, and predict it is underscored by the changes in our environment, where threats and opportunities may arise in an intangible form. This research focuses on modeling how individuals become aware of the games and, in this particular case, threats. While bigger organizations may have departments that deal with cybersecurity, in smaller companies, the managing burden often falls on one person. The latter situation is further explored in this paper, where the manager also takes the role of the defender. However, this defender does not have all the required skills and knowledge; rather, they have limited knowledge and available strategies to counteract the attack. So, the research involves modeling how individuals, specifically managers, become aware of cybersecurity threats and how that awareness evolves. The focus is on how decision-making happens in real life when a person does not have complete information but must adapt based on what they observe, even when their observations are imperfect. Awareness in this context doesn’t just mean detecting a potential threat—it involves a deeper understanding and assessment of that threat, which forms the basis for action. When a threat is detected, a person might not immediately be fully "aware" in a sense relevant to decision-making. They have to assess the threat, and they do so based on the threat's attributes and categories or "frames" created using their previous knowledge. So, based on the assessed attributes, they classify a threat in the category that fits best, which is a basis for their decision and action. This process, though logical, is imperfect, so a small amount of randomness was implemented, which mirrors the unpredictability of human decision-making. The randomness reflects how, at the individual level, detection, assessment, and action are not always accurate. Using a game theory model, the research introduces "dynamic awareness," where managers continuously update their understanding of potential threats over time, using past experiences and Bayesian updating. Bayesian updating is a method of refining decisions based on new information. In this context, managers start with an initial understanding of potential threats, and as they gather more information, they adjust their assessment of the situation. Each new observation helps them update their beliefs, allowing them to classify the threats better over time. This method describes how managers refine their strategies in real time and improve their ability to defend against cyberattacks over time. Although cybersecurity is the main application demonstrated in this study, this framework for dynamic awareness can be used in various fields requiring adaptive decision-making. Main takeaways: - Dynamic awareness via Bayesian updating: The research introduces a way to quantify awareness in game theory using Bayesian inference. Managers continuously update their awareness of potential cyber threats, which allows them to refine their defensive strategies based on new information, attack frequencies, and prior knowledge. This dynamic awareness is crucial for adapting to the evolving nature of cybersecurity threats. - Impact of initial frequencies on success: The manager’s success in defending against cyber-attacks is significantly influenced by the accuracy of the initial frequencies of attack types. Aligned prior frequencies lead to optimal outcomes, but even imperfect information can outperform complete uncertainty, emphasizing the importance of any available knowledge when making strategic decisions. - Strategic adaptation in cybersecurity: The simulations demonstrate the critical role of adaptive strategies in response to hacker behavior. The manager’s awareness of potential hacker strategies evolves over time, allowing them to choose the most effective countermeasures. This adaptability is key to mitigating risks in a rapidly changing cyber threat landscape. - Methodological contribution: This study enhances the understanding of strategic interactions in cybersecurity by incorporating dynamic awareness into the game theory model. The iterative process of awareness updating provides a nuanced framework for understanding how managers can adjust their defenses in response to continuously changing threats. - Practical applications for SMEs: For small and medium-sized enterprises (SMEs), the game theory framework provides actionable insights for developing dynamic cybersecurity strategies. SME managers can leverage the Bayesian updating approach to enhance their team’s awareness of the latest cyber threats, allowing them to be more proactive rather than reactive. The model is further adaptable to different industries, where specific attack vectors and defensive postures may vary. Future research could apply the framework across various sectors to develop more granular, industry-specific cybersecurity strategies. The model’s usefulness can be validated through real-world testing in the future, such as pilot studies with SMEs, which would measure the impact of dynamic awareness and strategic adaptation on the organization’s cybersecurity outcomes. This future research would refine the model for broader implementation and improve its practical applicability.

Featured Image

Photo by FlyD on Unsplash

Photo by FlyD on Unsplash

Why is it important?

Modeling awareness in decision-making is crucial, not just for cybersecurity but as part of broader efforts in game theory and evolutionary game theory. Understanding how individuals and organizations become aware of and adapt to threats is vital for improving strategic responses in uncertain environments. This research contributes to these novel modeling efforts by showing how dynamic awareness, even when based on imperfect (or not accurate) information, can still outperform strategies based on uncertainty or incomplete data. In the simulation, attacks (and attackers, as their type is recognized through their actions) are categorized into three distinct types for simplicity: - Social engineering attacks, where hackers exploit human weaknesses to gain unauthorized access. - Software vulnerability exploits, where attackers target weaknesses in software systems, often due to outdated or unpatched applications. - DDoS (Distributed Denial of Service) attacks, where attackers overwhelm a network or system, rendering it inaccessible to users. The outcomes of the simulations revealed that each type of hacker presents different levels of severity: - In the case of T-type attacks (social engineering), which are the most common and, therefore, most expected, the manager was able to achieve a much higher success rate—nearly 90% of wins. The manager’s ability to defend against this type of attack was more robust due to the predictability and frequency of this strategy. Because T-type attacks align with the manager's initial expectations and historical data, as well as the overlapping effect of two defensive strategies, the manager was able to outmaneuver the hacker significantly. - Against V-type attacks (vulnerability exploits), managers won about 50% of the interactions. Although less predictable, the manager's strategies helped defend against roughly half of these attacks, with only a few successful hacker breaches. The balanced outcome reflects the moderate success of the manager in countering these technical exploits. - In the case of Z-type attacks (DDoS), managers also won about 50% of the time, but these attacks posed a significant loss since each successful DDoS attack could lead to disruptions. The manager’s choice of appropriate strategy played a critical role in defending against these attacks, though the inherent severity of DDoS breaches meant that every loss could be significant. - Versatile hackers who switched between all three strategies with equal probability posed a different challenge. The simulations showed that the manager’s win rate increased when facing a versatile hacker, achieving success in more than 50% (converging to 70%) of interactions. However, the hacker was still able to achieve a 20% rate of completely successful attacks, reflecting the need for managers to adapt their strategies dynamically to handle unpredictable threats. - Impact of prior probabilities (knowledge of previous attacks) on awareness: Simulations were conducted using various initial frequencies for different attack types, and these frequencies significantly influenced the manager's success rate. The initial simulations assumed that all attack types had equal probability. In this scenario, the manager achieved around 50% success, highlighting the challenge of defending against versatile hackers when prior information is limited or inaccurate. When the frequencies were adjusted to more closely reflect past reports (e.g., higher probabilities for certain attack types), the manager’s success rate improved to approximately 60%, showing that even imperfect prior knowledge could significantly enhance the manager’s defenses. - The simulations also demonstrated that prior probabilities aligned with the hacker’s predominant attack strategy led to the best outcomes. When the initial data reflected the actual hacker's tendencies, the manager’s adaptive strategies, guided by Bayesian updating, proved to be most effective. This highlights the importance of situational awareness (both individual and computer-supported) and the continuous updating of threat intelligence in a rapidly evolving cyber environment. In cybersecurity, where threats evolve rapidly, the ability to continuously refine awareness and adapt defensive strategies is very important. This is particularly relevant for small and medium-sized enterprises (SMEs), which often have limited resources. By adopting a dynamic awareness approach, SME managers can reflect on and improve their decision-making process.