When the Winning Move is Not to Play: Games of Deterrence in Cyber Security

Conference item

We often hear of measures that promote traditional security concepts such as ‘defence in depth’ or ‘compartmentalisation’. One aspect that has been largely ignored in computer security is that of ‘deterrence’. This may be due to difficulties in applying common notions of strategic deterrence, such as attribution — resulting in previous work focusing on the role that deterrence plays in large-scale cyberwar or other esoteric possibilities. In this paper, we focus on the operational and tactical roles of deterrence in providing everyday security for individuals. As such, the challenge changes: from one of attribution to one of understanding the role of attacker beliefs and the constraints on attackers and defenders. To this end, we demonstrate the role deterrence can play as part of the security of individuals against the low-focus, low-skill attacks that pervade the Internet. Using commonly encountered problems of spam email and the security of wireless networks as examples, we demonstrate how different notions of deterrence can complement well-developed models of defence, as well as provide insights into how individuals can overcome conflicting security advice. We use dynamic games of incomplete information, in the form of screening and signalling games, as models of users employing deterrence. We find multiple equilibria that demonstrate aspects of deterrence within specific bounds of utility, and show that there are scenarios where the employment of deterrence changes the game such that the attacker is led to conclude that the best move is not to play.

Authors: Simpson, A; Heitzenrater, C; Taylor, G

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: Springer International Publishing
• Host title: Decision and Game Theory for Security: 6th International Conference, GameSec 2015
• Publication date: 2015-11-12
• DOI: 10.1007/978-3-319-25594-1_14
• ISSN: 0302-9743
• ISBN: 9783319255941