Abstract:
Advanced persistent threats present significant security challenges due to their customized, stealthy and adaptive nature. Since no generic solution exists to combat advanced persistent threats, the recommended option is to employ information security best practices. While practitioner-oriented security guidelines have been published by the International Organization for Standardization and the U.S. National Institute of Standards and Technology, they cannot be employed in rigorous quantitative analyses required for objective decision making such as choosing countermeasures that balance security, cost and usability. In contrast, game-theoretic approaches, which express the behavior of rational agents that maximize their utility, provide appropriate models for objective decision making.
This chapter conducts a critical analysis of several game-theoretic approaches for analyzing advanced persistent threats. Eleven highly-cited, peer-reviewed articles from the research literature are examined in terms of their objectives, features, game models and solutions. The models provide valuable insights into advanced persistent threat behavior, support resource-optimal decision making and can be mapped to the various risk management stages. However, they have some delicate modeling and analysis limitations. The critical analysis exposes the omissions in the literature and points to future research focused on integrating practitioner perspectives in game-theoretic approaches to advance information security risk management.