Games and Abstraction: The Science of Cyber Security
Games and Abstraction addresses the challenge How do we make better security decisions?
We have begun to develop new approaches to decision support based on game theory. Specifically we have formulated a notion of Security Games which model the allocation of resources to protect targets in the attack surface of a system. Our work will support professionals who are designing secure systems and also those charged with determining if systems have an appropriate level of security – in particular, systems administrators. We are developing techniques to support human decision making and techniques which enable well-founded security design decisions to be made.
We recognise that the emerging trend away from corporate IT systems towards a Bring-Your-Own-Device (BYOD) culture will bring new challenges and changes to the role of systems administrator. However, even in this brave new world, companies will continue to have core assets such as the network infrastructure and the corporate database which will need the same kind of protection. It is certainly to be expected that some of the attacks will now originate from inside the corporate firewall rather than from outside.
Our team includes researchers from the Imperial College Business School who are helping us to ensure that our models are properly reflecting these new threats.
Whilst others have used game theoretic approaches to answer these questions, much of the previous work has been more or less ad hoc. As such the resulting security decisions may be based on unsound principles. In particular, it is common to use abstractions without giving much consideration to the relationship between properties of the abstract model and the real system. Our work will enable a precise analysis of these relationships and hence provides a more robust decision support tool than has been hitherto available.