A Study on a Sequential One‐Defender‐<i>N</i>‐Attacker Game

Xu, Zhihua; Zhuang, Jun

doi:10.1111/risa.13257

Cited by 28 publications

(15 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The application of game theory to analyze the strategic choices of a firm in EIS literature has gained attention in recent times (Wu et al , 2017; Qian et al , 2018; Miaoui and Boudriga, 2019; Xu and Zhuang, 2019; Feng et al , 2020; Li and Xu, 2020; Peng et al , 2020; Wu et al , 2020; Zhai et al , 2020). Laszka et al (2015) provide a detailed literature review of existing research on strategic games under a full-information setting.…”

Section: Literature Reviewmentioning

confidence: 99%

“…We observe that broadly two forms of probability functions are adopted in the extant game-theoretic EIS literature: BPF first proposed by Gordon and Loeb (2002), modified by Cavusoglu et al (2008) and used in a multitude of cybersecurity investment problems (Huang et al , 2008; Kim and Kim, 2016; Young et al , 2016; Ezhei and Ladani, 2017; Qian et al , 2017; Wu et al , 2017; Ezhei and Ladani, 2018; Qian et al , 2018; Miaoui and Boudriga, 2019; Dou et al , 2020; Feng et al , 2020; Gordon et al , 2020; Li and Xu, 2020; Wu et al , 2020). Contest success function (CSF) introduced in rent-seeking literature and widely applied by Hausken and associates (Hausken and Bier, 2011; Hausken and Zhuang, 2012; Hausken, 2017a; Hausken, 2017b; Hausken, 2017c; Hausken, 2019) and other scholars (Gao et al , 2014; Peng et al , 2016; Guan et al , 2017; Wu et al , 2018; Wu et al , 2019; Xu and Zhuang, 2019; Wu et al , 2020; Peng et al , 2020; Xiao et al , 2020; Zhai et al , 2020) for modeling defender-attacker problems. …”

Section: Literature Reviewmentioning

confidence: 99%

“…Contest success function (CSF) introduced in rent-seeking literature and widely applied by Hausken and associates (Hausken and Bier, 2011; Hausken and Zhuang, 2012; Hausken, 2017a; Hausken, 2017b; Hausken, 2017c; Hausken, 2019) and other scholars (Gao et al , 2014; Peng et al , 2016; Guan et al , 2017; Wu et al , 2018; Wu et al , 2019; Xu and Zhuang, 2019; Wu et al , 2020; Peng et al , 2020; Xiao et al , 2020; Zhai et al , 2020) for modeling defender-attacker problems.…”

Section: Literature Reviewmentioning

confidence: 99%

“…Recent studies in EIS have also dealt with game-theoretic modeling to investigate the strategies of the attackers and the firms (Hausken, 2014; Fielder et al , 2016; Hausken, 2017a; Hausken, 2017b; Hausken, 2017c; Wu et al , 2018; Hausken, 2019; Xiao et al , 2020; Zhai et al , 2020). While they have considered attack scenarios with multiple firms (Gao et al , 2015; Gao and Zhong, 2015; Huang and Behara, 2013) or between a single attacker and a firm (Cavusoglu and Raghunathan, 2004; Cavusoglu et al , 2008), most large breach incidents are not singular and may involve multiple attacker agents [5] (Xu and Zhuang, 2019).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach

Gupta

Biswas

et al. 2020

ICS

View full text Add to dashboard Cite

Purpose This paper aims to examine optimal decisions for information security investments for a firm in a fuzzy environment. Under both sequential and simultaneous attack scenarios, optimal investment of firm, optimal efforts of attackers and their economic utilities are determined. Design/methodology/approach Throughout the analysis, a single firm and two attackers for a “firm as a leader” in a sequential game setting and “firm versus attackers” in a simultaneous game setting are considered. While the firm makes investments to secure its information assets, the attackers spend their efforts to launch breaches. Findings It is observed that the firm needs to invest more when it announces its security investment decisions ahead of attacks. In contrast, the firm can invest relatively less when all agents are unaware of each other’s choices in advance. Further, the study reveals that attackers need to exert higher effort when no agent enjoys the privilege of being a leader. Research limitations/implications In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered, as fuzzy variables in the well-recognized Gordon – Loeb breach function, with the help of fuzzy expectation operator. Practical implications This study reports that the optimal breach effort exerted by each attacker is proportional to its obtained economic benefit for both sequential and simultaneous attack scenarios. A set of numerical experiments and sensitivity analyzes complement the analytical modeling. Originality/value In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered, as fuzzy variables in the well-recognized Gordon – Loeb breach function, with the help of fuzzy expectation operator.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Section: Literature Reviewmentioning

confidence: 99%

Section: Literature Reviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach

Gupta

Biswas

et al. 2020

ICS

View full text Add to dashboard Cite

show abstract

“…We consider a two‐period game where the defender moves first and distributes its resources among y selected elements. For simplicity, we do not consider repeated interactions (Shan & Zhuang, ) or multiple attackers (Xu & Zhuang, ). The defender only discloses the number of protected elements y , so the attacker does not know precisely which elements are protected.…”

Section: The Modelmentioning

confidence: 99%

Defender–Attacker Games with Asymmetric Player Utilities

2019

Self Cite

View full text Add to dashboard Cite

The presence of strategic attackers has become an important factor in the security and protection of systems, especially since the 9/11/2001 attacks, and considerable efforts have been dedicated to its study. When defending against the strategic attacker, many existing studies assume that the attacker would seek to minimize the defender's utility, which implies that the defender and attacker have symmetric utilities. However, the attacker's objective is determined by its own valuation of the system and target of the attack, which is not necessarily consistent with the defender's utility. If the attacker unexpectedly targets a different utility, then the defense strategy might no longer be optimal. In particular, the defense strategy could be inferior if the attacker's utility is not known to the defender. This study considers a situation where the defender's utility is the system survivability and the attacker's utility is the expected number of destroyed elements in the system. We investigate possible attack strategies under these two different utilities and compare (a) the conservative defense strategy when the attack utility is unknown to the defender with (b) the optimal defense strategy when the attack utility is known to the defender. We show that the conservative protection strategy is still optimal under asymmetric utilities when the contest intensity is smaller than one.

show abstract

Information security investment and purchase decision for personalized products

Yao

2022

Manage Decis Econ

View full text Add to dashboard Cite

Considering information security and personalization paradoxes, this paper investigates the optimal information security investments of a firm and purchasing decisions of consumers with different privacy concerns in online personalization. It is found that consumers and firm tend to fall into a prisoner's dilemma in Nash equilibrium. To improve security investment efficiency and boost personalization consumption, firm‐led Stackelberg game and firm‐led Stackelberg game with punishment mechanism are proposed and analyzed. The results indicate that the security information measures firm take in advance can effectively increase the waverers' willingness to purchase personalized products. Government punishment helps to facilitate a win‐win situation but does not work when proportion of wavers in the market is very small. Furthermore, the responses of equilibrium strategies and payoffs to related characteristics are discussed numerically. Finally, some managerial insights are recommended to firms who provide personalized products for making proper security investment and to government departments for formulating security punishment policies.

show abstract

A Study on a Sequential One‐Defender‐N‐Attacker Game

Cited by 28 publications

References 31 publications

Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach

Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach

Defender–Attacker Games with Asymmetric Player Utilities

Information security investment and purchase decision for personalized products

Contact Info

Product

Resources

About