Abstract
One of the major concerns of organisations is how to protect themselves from the growing volume and sophistication of cyber attacks. In this context, methodologies, models, and frameworks must be developed to support decision makers in managing cyber risk. This dissertation presents novel models based on game theory and combinatorial optimisation to support cyber security decisions. In particular, this dissertation is composed of four distinct contributions.
The first contribution extends an existing model to study the optimal selection of cyber security controls. In particular, we use game theory and combinatorial optimisation to determine the best combination of subcontrols for the Critical Internet Security (CIS) Control 17, which deals with implementing security awareness and training programmes for employees. The developed framework assumes a healthcare scenario in which the information and communication technology (ICT), clinical, and administrative personnel must be protected from social engineering attacks. Numerical illustrations show that the Nash defending strategies are consistently better than (or at least as good as) other competing strategies for different attacker profiles. Finally, alternative investment strategies on different Nash equilibria and the optimal choices are presented and discussed using the framework.
The second contribution considers how the uncertainty of the time required to exploit a vulnerability in a multi-stage cyber attack influences the optimal cyber security investment decisions. We develop two approaches for optimal investment in cyber security controls subject to a budget. To compare these approaches, we design and develop a decision support tool and a case study using the 2020 Common Weakness Enumeration (CWE) top 25 most dangerous software weaknesses and the CIS Controls. The solution highlights the cyber security investment strategies that fit the various objectives of decision makers. These strategies provide cost-efficient solutions to counteract the most common cyber attacks.
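To make the kind of problem behind the first two contributions concrete, the following is an added toy example (not the dissertation's model, code, or data): a defender chooses a set of controls under a budget, an attacker then picks the attack type that leaves the largest residual expected loss, and the defender's objective is to minimise that worst case. All control names, costs, mitigation rates, and loss values are constructed for illustration; the exhaustive search is only practical for a handful of candidate controls, and the greedy cheapest-first heuristic is included solely as the kind of common-sense baseline a game-theoretic selection is compared against.

```python
"""Toy budget-constrained control selection with a worst-case (minimax) objective.

Added illustration only: the data and model below are constructed and hypothetical,
not taken from the dissertation described in the abstract.
"""
from itertools import combinations

# Constructed candidate controls: cost in abstract budget units, and the fraction of
# expected loss each control removes for each attack type (hypothetical values).
CONTROLS = {
    "phishing_training": {"cost": 3, "mitigation": {"phishing": 0.6, "pretexting": 0.3, "usb_drop": 0.1}},
    "mfa": {"cost": 4, "mitigation": {"phishing": 0.5, "pretexting": 0.2, "usb_drop": 0.0}},
    "usb_blocking": {"cost": 2, "mitigation": {"phishing": 0.0, "pretexting": 0.0, "usb_drop": 0.9}},
    "helpdesk_verification": {"cost": 2, "mitigation": {"phishing": 0.1, "pretexting": 0.7, "usb_drop": 0.0}},
}

# Constructed baseline expected loss per attack type when no control is in place.
BASELINE_LOSS = {"phishing": 100.0, "pretexting": 60.0, "usb_drop": 40.0}


def residual_loss(selected, attack):
    """Expected loss from one attack type after the selected controls are applied.

    Mitigations are assumed to act independently, so the surviving fraction is the
    product of (1 - mitigation) over the selected controls.
    """
    factor = 1.0
    for name in selected:
        factor *= 1.0 - CONTROLS[name]["mitigation"][attack]
    return BASELINE_LOSS[attack] * factor


def worst_case_loss(selected):
    """Loss if the attacker best-responds by choosing the attack that hurts most."""
    return max(residual_loss(selected, attack) for attack in BASELINE_LOSS)


def total_cost(selected):
    return sum(CONTROLS[name]["cost"] for name in selected)


def feasible_subsets(budget):
    """Yield every subset of controls whose total cost fits within the budget."""
    names = sorted(CONTROLS)
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            if total_cost(combo) <= budget:
                yield combo


def optimal_selection(budget):
    """Minimax defender choice: the cheapest subset with the lowest worst-case loss."""
    return min(feasible_subsets(budget), key=lambda s: (worst_case_loss(s), total_cost(s)))


def greedy_cheapest_first(budget):
    """Common-sense baseline: keep adding the cheapest control that still fits."""
    selected = []
    for name in sorted(CONTROLS, key=lambda n: CONTROLS[n]["cost"]):
        if total_cost(selected + [name]) <= budget:
            selected.append(name)
    return tuple(selected)


if __name__ == "__main__":
    budget = 6
    best = optimal_selection(budget)
    naive = greedy_cheapest_first(budget)
    print("budget:", budget)
    print("minimax selection:", best, "worst-case loss:", round(worst_case_loss(best), 2))
    print("greedy selection:", naive, "worst-case loss:", round(worst_case_loss(naive), 2))
```

With a budget of 6 the minimax search pairs training with help-desk verification, leaving a worst-case loss of 36, whereas the cheapest-first heuristic spends on USB blocking and help-desk verification and leaves phishing almost untouched at 90. The point is not the numbers, which are made up, but that the objective must account for the attacker's response to the chosen controls, not just the total mitigation bought.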
The third contribution addresses the challenge of designing effective honeypots to deceive attackers and collect threat intelligence. We present two novel game theoretic models for the selection and configuration of honeypots. The interaction between the network administrator (defender) and the attacker is modelled as a Bayesian game in which the players have limited information about their opponent's actions. The first model details the selection of the best type of honeypot to deploy in a Smart Grid. The second model extends the core idea of the first model by considering a multi-phase attack scenario. It presents a deception framework to assist with the cost-effective selection of a honeypot type to implement and, in particular, to determine the optimal honeypot configuration for strategic deployment in an Internet of Vehicles network. Through the use cases, we demonstrate how these models can assist in determining the optimal honeypot configuration to satisfy the various purposes for which honeypots are used.
The final contribution considers how often cyber insurers should audit to deter policyholders from misrepresenting their security levels in order to gain premium discounts. Cyber insurers offer discounts to policyholders based on their security posture and often rely on self-reports that controls are in place. Interviewing underwriters and reviewing regulatory filings has revealed concerns about whether the reported security policies are actually complied with in practice. The post-incident claims management process is modelled as a Bayesian game of incomplete information to assist insurers in determining an optimal audit strategy. This work is the first theoretical consideration of post-incident claims management in cyber security. Simulation results demonstrate that common-sense techniques are not as efficient at providing effective cyber insurance audit decisions as those computed using game theory.