# How game theory and Nash equilibrium can help decide cybersecurity responses

Should you respond to a cyber incident? The answer isn't always clear. But researchers have developed a model that should make the decision easier.

Watching the movie A Beautiful Mind, where Russell Crowe played John Nash, a professor of mathematics who won the Nobel Prize for his contributions to a complex concept called game theory, one would never guess that a hypothesis of his—Nash equilibrium—would someday help improve cybersecurity strategy.

Nash equilibrium is a fundamental part of the theory of games and currently the most widely used method of predicting the outcome of a strategic interaction. Although the term game is used, it is far from what most of us would consider an amusement. To Nash and other academics in this field, a game consists of the following elements:

• A set of players
• A set of actions (pure strategies) that are available to each player
• A payoff (utility) function for each player

This Economist article helps explain what Nash discovered:

"In a Nash equilibrium, no one can improve their situation by changing strategy: each person is doing as well as they possibly can, even if that does not mean the optimal outcome for society. With a flourish of elegant mathematics, Nash showed that every game with a finite number of players, each with a finite number of options to choose from, would have at least one such equilibrium."

## Nash equilibrium and cybersecurity

One aspect of cybersecurity that's tricky to navigate is who do you blame for a cyber incident and more important, is it even a good idea to assign blame? It is not hard to see that knowing the answers to these questions would be beneficial to victims of a cyber attack.

This is where the Nash equilibrium comes into play. Researchers from the University of New Mexico and IBM Research, along with the University of Michigan's Robert Axelrod (famous for solving the prisoner's dilemma), determined that with some rework, the Nash equilibrium could help answer the above questions.

## The blame game

The team published its findings in the Proceedings of the National Academy of Sciences (PNAS) article Strategic aspects of cyber attack, attribution, and blame. The article examines when a victim should publish information about a cyber attack, when a victim should respond, and what kind of response is appropriate. Nicole Casal Moore, in this University of Michigan press release, said, "The researchers... use historical examples to illustrate how the Blame Game model applies to cases of cyber or traditional conflict involving the United States, Russia, China, Japan, North Korea, Estonia, Israel, Iran, and Syria."

In the PNAS article, the researchers said:

"Attribution of cyber attacks has strategic and technical components. We provide a formal model that incorporates both elements and shows the conditions under which it is rational to tolerate an attack and when it is better to assign blame publicly."

The researchers then suggested that victims currently make strategic choices based on the ability to identify the attacker and whether they can successfully retaliate. Besides being able to assign blame and punish, the research team's Blame Game model takes the following into consideration:

• Vulnerability of the attacker
• Knowledge level of the victim
• Payoffs for different outcomes
• Beliefs of each player about their opponent

## To blame or not to blame?

The tech media is littered with news of victim nation states, public organizations, and businesses blaming some faction or another for a cyber attack. Interestingly, the researchers suggest caution in this regard: Pointing fingers will raise expectations that something will be done. However, it is not always possible to retaliate. Something else to consider is whether the cost will be greater to publically name the attacker or do nothing.

#### SEE: Cybersecurity in 2017: A roundup of predictions (Tech Pro Research)

Stephanie Forrest, a distinguished professor at the University of New Mexico, brings up another good point. In this University of New Mexico press release, she said, "Unlike nuclear technology, it can be extremely challenging to identify the party responsible for a cyber attack, and this complicates the strategic decision of when to assign blame."

## The first step should be...

That is why Axelrod and the other researchers believe the first step should be determining whether the assumed attacker is vulnerable. To that end, the Blame Game platform offers a series of questions that policymakers can ask as they decide whether it's feasible to respond to a cyber attack. "Vulnerability comes in several forms," Moore said. "It could mean a nation is susceptible to a counter cyber attack. It could also mean the attacker is in a difficult geopolitical position and being blamed for a high-profile cyber breach could be detrimental."

## It is only beginning

The research team is concerned that cyber attacks will only increase, as will blame and retaliation. In an attempt to calm the digital waters, Axelrod told Moore, "It pays to try to understand as much as we can about the incentives and dynamics so we can think about how to prevent them. We hope our model will help policymakers identify gaps in their knowledge and focus on estimating parameters in advance of new cyber attacks."