A A Survey of Interdependent Information Security Games

Information security has traditionally been considered a strategic cat-and-mouse game between the defending party and “the attacker”. The goal of the attacker has been to compromise the defender’s systems and to profit from this unauthorized access, while the goal of the defender has been to prevent unauthorized access to and usage of resources. In this game, both the attacker and the defender have traditionally been focusing on developing new technology to achieve their goals. Especially on the defense side, a traditional approach in information security is to enhance security technologies to reduce the number of vulnerabilities, hence attacks, and their impact on business operation. Even though the defenses are getting more efficient and protecting more users [Microsoft 2011], the total number of attacks is increasing globally. This trend can mostly be accounted to the increasing number of devices connected to the Internet, and consequently to the increasing interdependence of information systems. Attackers exploit this strong interdependence by launching and operating their attacks on a large-scale from countries where operating costs are reduced and law enforcement is weak. Although the proportion of protected users [Microsoft 2011] is increasing, the equally increasing number of unprotected computer systems leaves ample space to the attackers for exploitation. In addition to interdependence, available security information is highly asymmetric and strongly favors the attackers. A fundamental bias is that attackers only need to exploit one vulnerability of the targeted system, while the defender has to protect as many threat vectors as possible. Attackers can – and often do – proactively test their attack methods offline, but due to the number of attack possibilities, the defenders have a difficult time to patch systems proactively [Anderson 2001]. Moreover, the possibility of using illegal methods gives attackers a broader range of options than defenders. Finally, the “physics” of security changes over time new classes of attacks are being discovered and this dynamics keeps security researchers and practitioners alert.