Game-Theoretic Cybersecurity: the Good, the Bad and the Ugly
Brandon Collins, Shouhuai Xu, Philip N. Brown
TL;DR
This paper analyzes why game-theoretic approaches to cybersecurity are not widely adopted in practice and introduces a four-pillar framework (Applications, Assumptions, Models and Solution Concepts, Analysis Techniques) to systematize the literature. It systematically reviews 80 publications across IDS, APT, Moving Target Defense, and CTI sharing, and finds a persistent gap: insufficient handling of uncertainty about adversaries and limited integration with real-world data standards like CVSS and STIX. The authors categorize existing work as Good, Bad, or Ugly based on efficacy and practicality, and provide concrete recommendations to incorporate uncertainty, learn attacker characteristics from noisy signals, and ground models in observable data. They advocate cross-pollination among model families and a shift toward prescriptive, data-informed frameworks to improve cybersecurity decision-making. Overall, the work offers a structured path to align theoretical game-theoretic models with practical cybersecurity needs and to guide future research toward uncertainty-aware, implementable solutions.
Abstract
Given the scale of consequences attributable to cyber attacks, the field of cybersecurity has long outgrown ad-hoc decision-making. A popular choice to provide disciplined decision-making in cybersecurity is Game Theory, which seeks to mathematically understand strategic interaction. In practice, though, game-theoretic approaches are scarcely utilized (to our knowledge), highlighting the need to understand the deficit between the existing state-of-the-art and the needs of cybersecurity practitioners. Therefore, we develop a framework to characterize the function and assumptions of existing works as applied to cybersecurity and leverage it to characterize 80 unique technical papers. Then, we leverage this information to analyze the capabilities of the proposed models in comparison to the application-specific needs they are meant to serve, as well as the practicality of implementing the proposed solution. Our main finding is that Game Theory largely fails to incorporate notions of uncertainty critical to the application being considered. To remedy this, we provide guidance on how to incorporate uncertainty in a model, what forms of uncertainty are critical to consider in each application area, and how to model the information that is available in each application area.
