Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments

Khouzani, M. H. R.; Pham, Viet; Cid, Carlos

doi:10.1007/978-3-319-12601-2_4

Cited by 19 publications

(8 citation statements)

References 14 publications

(18 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Let O = {o 1 , ..., on} represent the organizations participating in cybersecurity information sharing. Although various information can be shared among organizations such as raw network logs, attackers techniques, the signature of attacks, and the vulnerabilities' details, in this work, we particularly focus on sharing discovered security vulnerabilities as in [8]. In each sharing cycle, a set of vulnerabilities V = {v 1 , ..., vm} will be detected by the participant organizations.…”

Section: Overview and Problem Statementmentioning

confidence: 99%

“…To facilitate sharing the cybersecurity information, various protocols and standards have been proposed such as TAXII, STIX, and CybOX [14,15]. The cybersecurity information sharing in competitive environments with the game theory approach has been studied in [7,8]. Economic analyses of cybersecurity information sharing and applying incentives for motivation have been studied in [6].…”

Section: Cybersecurity Information Sharingmentioning

confidence: 99%

“…Recently, plenty of research has been done in modelling the benefit and cost of the cybersecurity information sharing by applying game theory [6][7][8]. Traditionally the cybersecurity information sharing is modelled as a non-cooperative game where the players are the organisations, and the strategies are choosing between sharing and not-sharing.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Fair and private rewarding in a coalitional game of cybersecurity information sharing

Vakilinia

Sengupta

2019

IET Inf. secur

View full text Add to dashboard Cite

Cybersecurity information sharing is a key factor of cyber threat intelligence, allowing organizations to detect and prevent malicious behaviors proactively. However, stimulating organizations to participate and deterring free-riding in such sharing is a big challenge. To this end, the sharing system should be equipped with a rewarding and participation-fees allocation mechanisms to encourage sharing behavior. The problem of cybersecurity information sharing as a non-cooperative game has been studied extensively. In contrast, in this paper, we model such a problem as a coalitional game. We investigate a rewarding and participation-fees calculation based on profit sharing in coalitional game theory. In particular, we formulate a coalitional game between organizations and analyze the well-known Shapley value and Nucleolus solution concepts in the cybersecurity information sharing system. Moreover, as the participation-fees may leak sensitive information about the organizations' cyber-infrastructure, we study the application of differential privacy in the coalitional game theory to protect the organization's fees while approximating the fairness.

show abstract

Section: Overview and Problem Statementmentioning

confidence: 99%

Section: Cybersecurity Information Sharingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Fair and private rewarding in a coalitional game of cybersecurity information sharing

Vakilinia

Sengupta

2019

IET Inf. secur

View full text Add to dashboard Cite

show abstract

“…The researches in [12][13] [14][15][2] [16] analyze information sharing in the context of cybersecurity. Those papers show that multiple factors impact cyber threat information sharing including competition [14], free riding [2], interconnection [17], and the possibility to exploit vulnerabilities for cyber war [16]. However, none of those work look into sharing cybersecurity information in cloud computing.…”

Section: Background On Cloud Computing Security and Information Smentioning

confidence: 99%

“…In our past work [18], we present an evolutionary game theoretic model to self-enforce firms toward participating in sharing framework by utilizing the participation cost in a tactical way. The work in [14] uses a two stage Bayesian game to analyze the information sharing decision of two strategic and competing firms. They established that the sharing strategies are unique and dominant, and are in the simple forms of full-sharing or no sharing completely determined by the competitive nature of the security findings.…”

Section: Background On Cloud Computing Security and Information Smentioning

confidence: 99%

Cyber-Threats Information Sharing in Cloud Computing: A Game Theoretic Approach

Kamhoua

Martin

Tosh

et al. 2015

2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing

View full text Add to dashboard Cite

Cybersecurity is among the highest priorities in industries, academia and governments. Cyber-threats information sharing among different organizations has the potential to maximize vulnerabilities discovery at a minimum cost. Cyberthreats information sharing has several advantages. First, it diminishes the chance that an attacker exploits the same vulnerability to launch multiple attacks in different organizations. Second, it reduces the likelihood an attacker can compromise an organization and collect data that will help him launch an attack on other organizations. Cyberspace has numerous interconnections and critical infrastructure owners are dependent on each other's service. This well-known problem of cyber interdependency is aggravated in a public cloud computing platform. The collaborative effort of organizations in developing a countermeasure for a cyber-breach reduces each firm's cost of investment in cyber defense.Despite its multiple advantages, there are costs and risks associated with cyber-threats information sharing. When a firm shares its vulnerabilities with others there is a risk that these vulnerabilities are leaked to the public (or to attackers) resulting in loss of reputation, market share and revenue. Therefore, in this strategic environment the firms committed to share cyberthreats information might not truthfully share information due to their own self-interests. Moreover, some firms acting selfishly may rationally limit their cybersecurity investment and rely on information shared by others to protect themselves. This can result in under investment in cybersecurity if all participants adopt the same strategy. This paper will use game theory to investigate when multiple self-interested firms can invest in vulnerability discovery and share their cyber-threat information. We will apply our algorithm to a public cloud computing platform as one of the fastest growing segments of the cyberspace.

show abstract

Paying Firms to Share Cyber Threat Intelligence

Collins

Brown

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments

Cited by 19 publications

References 14 publications

Fair and private rewarding in a coalitional game of cybersecurity information sharing

Fair and private rewarding in a coalitional game of cybersecurity information sharing

Cyber-Threats Information Sharing in Cloud Computing: A Game Theoretic Approach

Paying Firms to Share Cyber Threat Intelligence

Contact Info

Product

Resources

About