Chad Heitzenrater

Cyber-Threats Information Sharing in Cloud Computing: A Game Theoretic Approach

Cybersecurity is among the highest priorities in industries, academia and governments. Cyber-threats information sharing among different organizations has the potential to maximize vulnerabilities discovery at a minimum cost. Cyber-threats information sharing has several advantages. First, it diminishes the chance that an attacker exploits the same vulnerability to launch multiple attacks in different organizations. Second, it reduces the likelihood an attacker can compromise an organization and collect data that will help him launch an attack on other organizations. Cyberspace has numerous interconnections and critical infrastructure owners are dependent on each others service. This well-known problem of cyber interdependency is aggravated in a public cloud computing platform. The collaborative effort of organizations in developing a countermeasure for a cyber-breach reduces each firms cost of investment in cyber defense. Despite its multiple advantages, there are costs and risks associated with cyber-threats information sharing. When a firm shares its vulnerabilities with others there is a risk that these vulnerabilities are leaked to the public (or to attackers) resulting in loss of reputation, market share and revenue. Therefore, in this strategic environment the firms committed to share cyber-threats information might not truthfully share information due to their own self-interests. Moreover, some firms acting selfishly may rationally limit their cybersecurity investment and rely on information shared by others to protect themselves. This can result in under investment in cybersecurity if all participants adopt the same strategy. This paper will use game theory to investigate when multiple self-interested firms can invest in vulnerability discovery and share their cyber-threat information. We will apply our algorithm to a public cloud computing platform as one of the fastest growing segments of the cyberspace.

When the Winning Move is Not to Play: Games of Deterrence in Cyber Security

We often hear of measures that promote traditional security concepts such as ‘defence in depth’ or ‘compartmentalisation’. One aspect that has been largely ignored in computer security is that of ‘deterrence’. This may be due to difficulties in applying common notions of strategic deterrence, such as attribution — resulting in previous work focusing on the role that deterrence plays in large-scale cyberwar or other esoteric possibilities. In this paper, we focus on the operational and tactical roles of deterrence in providing everyday security for individuals. As such, the challenge changes: from one of attribution to one of understanding the role of attacker beliefs and the constraints on attackers and defenders. To this end, we demonstrate the role deterrence can play as part of the security of individuals against the low-focus, low-skill attacks that pervade the Internet. Using commonly encountered problems of spam email and the security of wireless networks as examples, we demonstrate how different notions of deterrence can complement well-developed models of defence, as well as provide insights into how individuals can overcome conflicting security advice. We use dynamic games of incomplete information, in the form of screening and signalling games, as models of users employing deterrence. We find multiple equilibria that demonstrate aspects of deterrence within specific bounds of utility, and show that there are scenarios where the employment of deterrence changes the game such that the attacker is led to conclude that the best move is not to play.

Motivating Security Engineering with Economics: A Utility Function Approach

Establishing the correct mix of functionality and security is key to developing resilient systems, an imbalance will result in system failure, either in system objective or at the hands of an adversary. We present a methodology for reasoning about secure design using economic expressions. We employ Wireless Personal Area Network (WPAN) devices and the IEEE 802.15.4 specification to demonstrate how a utility-based representation can be used to analyse these competing concerns, leading to designs that can be optimised to meet resiliency objectives.

Policy‚ Statistics‚ and Questions: Reflections on UK Cyber Security Disclosures

Empirical analysis within the field of information security economics is fraught with difficulty, primarily due to a lack of data. Over the last three years, the UK Government, through the Department for Business, Innovation & Skills (BIS), has taken a lead in the area of public disclosure on corporate cyber intrusions via their Information Security Breaches Survey. The recent development of the Cyber Essentials scheme by the same department presents a unique opportunity for reasonably correlated data to be analysed against public policy. We describe some initial steps in undertaking such an analysis by performing standard economics calculations on this data. Through the examination of three key questions that are central to the relationship between these documents, economic implications of the existing policy are highlighted against the reported threats. Somewhat inevitably, the results echo the well-worn ‘it depends’ answer to the question of cyber security expenditure need; nevertheless, in doing so, they do point out the dependencies. We aim to provide further insight into the method with a view to helping inform a range of stakeholders: policy-makers; those who make decisions with respect to data disclosures; and those looking to policy to help guide their investment in cyber security.

Characterization of steganographic algorithms using software metrics

The inclusion of data hiding techniques in everything from consumer electronics to military systems is becoming more commonplace. This has resulted in a growing interest in benchmarks for embedding algorithms, which until now has focused primarily on the theoretical and product oriented aspects of algorithms (such as PSNR) rather than the factors that are often imposed by the system (e.g., size, execution speed, complexity). This paper takes an initial look at these latter issues through the application of some simple and well known software engineering metrics: McCabe Complexity and Halstead Software Measures. This paper illustrates an approach that applies these metrics to create a hypothetical, language-independent representation of an algorithm, identifying the encapsulated, measurable components that compose that algorithm. This is the first step in developing a representation that will not only allow for comparison between disparate algorithms, but describe and define algorithms in such a way as to remove language and platform dependency. Bringing these concepts to their logical conclusion highlights how such an approach would provide existing benchmarking systems a more in-depth and fair analysis of algorithms in the context of systems as a whole, and decrease variability which affects the accuracy of the theoretical and product measures used today.

A government perspective on digital data embedding: taking a systems approach

This talk will focus on the maturity of Digital Data Embedding technologies - watermarking, steganography, steganalysis, and digital data forensics. As individual methods and small systems, these algorithms have shown great potential for application to many commercial and military needs in the areas of information assurance, communication and protection. However, one largely ignored aspect of data embedding development has been the systems perspective - how these technologies will contribute and interact with other critical technologies in the development of large scale system solutions. As the military moves toward network-centric, fully integrated systems it is expected that digital data embedding technologies will play crucial roles. Data embedding provides a range of enabling technologies which can help achieve data-centric, as opposed to application-centric, information assurance.The current state of the art in digital data embedding techniques and how they have matured in recent years will be addressed. The technology will be traced through the development of standalone algorithms to the small, integrated systems that are appearing today. Applications involving digital data embedding technologies integrated with other technologies, such as biometrics and cryptography, provide the first glimpses into the systems of the future. A projection as to how these integrated systems will evolve into the net-centric, system-of-systems will be presented. This challenge will require maintaining a strong connection from research through development and use, to ensure future architectures and the needs of users are addressed. While many open questions remain, the discussion will provide perspective and illustrate some challenges to be investigated as the field moves forward.