Cybersecurity Games for Investment Decision | Must Read for CISOs

Allocating the budget to the right places has always been a debatable topic. The traditional mechanism for calculating budget allocation is to weigh the benefits and costs attached to a particular allocation. But when this is combined with the organization’s priorities for the different factors involved, the outcome becomes more effective.

In this blog, I am going to describe the idea that is presented in the research article titled “Cybersecurity games and Investments: A Decision Support Approach”, and my take on the same. It explores the issue of optimal investment by adjusting the implementation level of controls required in order to maximize derived benefit given a budget constraint.

Basic Framework:

In order to decide on the optimal controls to invest in, network topology becomes the essential part of the overall analysis. For this purpose, the following topology is used:

The network considered here is made of three layers, or depths: the demilitarized zone (DMZ), the Middleware, and the Private Network. Depth 3 is used for the most sensitive data because it is protected by two more layers of defense, i.e. the DMZ and the Middleware. The depth ‘d’ of an asset is decided by the number of defenses that must be penetrated in order to reach the asset in consideration. The layers are separated by network security software such as an IDS, a firewall, etc.


  1. T: Set of all cybersecurity targets within an organization
  2. V: {νz}: Set of vulnerabilities threatened by commodity attacks
  3. d: Depth of the asset
  4. C: {cj}: Set of all cybersecurity controls
  5. Pj: {pjl}: set of all cybersecurity processes associated with control cj

Assets that have the same vulnerability and are present at the same depth are considered to come under the same target. So, a target is defined by a vulnerability and depth pair. Therefore, the set of all targets is defined by T = {(νz, d) | νz ∈ V, d ∈ {1,...,n}}. The mitigation plan is to implement a control cj at a certain level ℓ ∈ {0,..., ん}. Here, ℓ indicates the degree to which the control is implemented.

Along with this, there are other factors that affect the decision regarding the investment. These are Risk, Direct cost, Indirect cost, Vulnerability factors, and organization profile.

Risk: Three broad types of risk are taken into consideration here: Data Loss (DL), Business Disruption (BD), and Reputation (RE). These factors vary with the depth at which the asset is located. DLd, BDd, and REd denote the respective risks at depth d.

Direct Cost: Each cybersecurity process has two costs attached to it: capital cost (CAC) and labor cost (LAC). CAC depicts the cost of purchasing the process for a particular control, and LAC refers to the cost of the administration’s time in implementing that process, i.e. (hours spent) × (cost per hour).

Indirect Cost: System Performance Cost (SPC), Morale Cost (MOC), and Re-Training Cost (RTC) are the three indirect costs considered here. SPC refers to the cost due to the decrease in the performance of the user’s system when a control is implemented, whereas MOC refers to the cost due to the increase in the strictness of the measures undertaken.

The greater the strictness level, the greater the willingness of employees to circumvent it. Whenever the implementation level of a control is changed, the employees need to be trained again so that they can use their systems properly, and the cost associated with this is termed RTC. The indirect costs associated with every process pjl are expressed by SPCjl, MOCjl, and RTCjl.

Vulnerability Factors: Factors associated with this are Prevalence(PR), Attack Frequency(AF), Ease of Detection(ED), and Attacker Awareness(AA). For a vulnerability νz , the vulnerability factors are denoted by PRz, AFz, EDz, and AAz.

Here, PR depicts the frequency of presence of the vulnerability in a system. AF is the number of times someone tries to attack a particular vulnerability. AA depicts whether the average adversary would know that a malicious script is for sale, whereas ED measures the discovery cost of a vulnerability.

Profile: Organizations differ from one another in their key functional areas and distinguishing features, so it is necessary to include the organization’s preferences for the above-mentioned factors. Some factors might affect a web service provider more than an oil and gas company. So, the organization’s profile is denoted as {R, K, T}, where

  1. R is the risk profile;
  2. K is the indirect cost profile, and
  3. T is the threat concern.

These profiles are the probability distributions depicted by R = {r1 , r2 , r3}, K = {k1, k2, k3} and T = {イ1, イ2}. Therefore,

RISKS = r1DLd + r2REd + r3BDd
IND_COSTS = k1SPCjl + k2RTCjl + k3MOCjl
THREATS = イ1(current threats) + イ2(future potential threats)

The current threats are defined as [(PRz + AFz)/2] and the future potential threats are given by [(EDz + AAz)/2]. Here, the priority is defined by whether the organization is more concerned about the current threats or the future ones.


The interaction between the defender and an attacker is formulated here. The defender defends an organization’s data assets by minimizing the risk associated with the assets, and the attacker derives benefits from attacking the assets. There is a negative correlation between the defender and attacker payoffs, which is to say that the more the defender loses, the more the attacker gains.

The defender’s mixed strategy is given by Qjλ = [qj0,...,qjλ], which depicts the probabilities of implementing the control cj at the different levels. The attacker’s mixed strategy is given by Hjλ = [hj0,...,hjλ], where hji is the probability of the attacker attacking the target given that the control cj is implemented at a particular level. The utility of the defender when the target ti = (νz, d) is attacked and process pjl is implemented over a control cj is denoted by:

Theorem 1:

“The zero-sum cybersecurity control-subgame Gjλ admits an NE in mixed strategies, (Qjλ, Hjλ), with the property that

The minimax theorem states that for zero-sum games NE and minimax solutions coincide. Therefore in Gjλ any Nash cybersecurity plan mini-maximizes the attacker’s payoff. If any Gjλ admits multiple Nash cybersecurity plans they have the ordered interchangeability property which means that D reaches the same level of defense independent from A’s strategy, i.e.”

An organization will be implementing more than one control, therefore, it is required to combine all the controls given a budget specified to the defender. So, every plan has its own direct cost attached to it: CAC and LAC. We assume that a plan can be effective in protecting more than one target and its benefit for that target is determined by the expected damage caused when only that process is implemented.

Moreover, each investment solution has a score attached to it that is fixed by the expected damage across all targets. This implies that the higher the score, the less valuable that investment plan is. So, the overall optimization aims at minimizing this investment score. The solution of the game is defined as:

“Defining the value of any target ti as γi = −Risks × Threat, considering N controls and assuming that each Nash cybersecurity plan Q*jλ is associated with some benefit bjλ(tj)3 upon target ti, and it has cost ωjλ, the defender seeks a cybersecurity investment I such that”

Here, I is the investment plan that maximizes the minimum amount of defense implemented across each target. The best investment plan represents an allocation of resources that minimizes the expected damage caused, given the constraints.
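To make the profile-weighted target value and the budget-constrained choice concrete, here is an added example; it is not code from the paper or from the original post. All factor scores, costs, benefits and the names v1, v2, c1, c2 are constructed, and two things are assumptions of this sketch: benefits of different controls are combined multiplicatively, and the plan is found by exhaustive search over one level per control.

```python
from itertools import product
from math import prod

# Organization profile, constructed for illustration (each sums to 1).
R = (0.5, 0.3, 0.2)          # r1, r2, r3: weights on DL, RE, BD
THREAT_PROFILE = (0.7, 0.3)  # weight on current vs. future potential threats

def target_value(dl, re, bd, pr, af, ed, aa):
    """gamma_i = -RISKS x THREATS, with both terms as defined in the text."""
    risks = R[0] * dl + R[1] * re + R[2] * bd
    threats = THREAT_PROFILE[0] * (pr + af) / 2 + THREAT_PROFILE[1] * (ed + aa) / 2
    return -risks * threats

# Targets are (vulnerability, depth) pairs; factor scores are constructed.
GAMMA = {
    ("v1", 1): target_value(dl=1, re=2, bd=3, pr=4, af=4, ed=2, aa=2),
    ("v2", 3): target_value(dl=5, re=4, bd=3, pr=2, af=2, ed=4, aa=4),
}

# Per control: one (cost, {target: benefit}) entry per implementation level.
# Level 0 means "not implemented". Costs and benefits are constructed.
CONTROLS = {
    "c1": [(0, {}), (4, {("v1", 1): 0.5, ("v2", 3): 0.2}),
           (8, {("v1", 1): 0.8, ("v2", 3): 0.4})],
    "c2": [(0, {}), (5, {("v2", 3): 0.6}), (9, {("v2", 3): 0.9})],
}

def best_investment(budget, gamma=GAMMA, controls=CONTROLS):
    """Pick one level per control, maximizing the worst target payoff."""
    best = None
    for levels in product(*(range(len(lv)) for lv in controls.values())):
        chosen = [lv[i] for lv, i in zip(controls.values(), levels)]
        cost = sum(c for c, _ in chosen)
        if cost > budget:
            continue
        # Assumption: benefits of different controls combine multiplicatively.
        worst = min(g * prod(1 - b.get(t, 0) for _, b in chosen)
                    for t, g in gamma.items())
        # Prefer the better worst case; on a tie, the cheaper plan.
        if best is None or (worst, -cost) > (best[1], -best[2]):
            best = (dict(zip(controls, levels)), worst, cost)
    return best  # (level per control, worst-case payoff, total cost)

if __name__ == "__main__":
    for budget in (9, 13, 17):
        print(budget, best_investment(budget))
```

With these constructed numbers, a budget of 13 is better spent on c1 at level 2 plus c2 at level 1 than on pushing c2 to its highest level, because the plan is judged by its weakest target.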


Since an organization cannot implement all the processes under a budget constraint, it needs a mechanism that can help in deciding the optimal place to invest.

The game-theoretic model discussed above shifts the traditional analysis to one based on the organization’s priorities. Considering the case of Data Loss Prevention (DLP) tools, a similar approach can be used there to define the decision rules by which a DLP tool works.

The organization’s preferences across the various profiles can serve as a powerful tool in deciding whether an active or a passive action is required when a sensitive data file is found to be shared outside the corporate network.