Game-Theoretic Cybersecurity: the Good, the Bad and the Ugly

Given the scale of consequences attributable to cyber attacks, the field of cybersecurity has long outgrown ad-hoc decision-making. A popular choice to provide disciplined decision-making in cybersecurity is Game Theory, which seeks to mathematically understand strategic interaction. In practice though, game-theoretic approaches are scarcely utilized (to our knowledge), highlighting the need to understand the deficit between the existing state-of-the-art and the needs of cybersecurity practitioners. Therefore, we develop a framework to characterize the function and assumptions of existing works as applied to cybersecurity and leverage it to characterize 80 unique technical papers. Then, we leverage this information to analyze the capabilities of the proposed models in comparison to the application-specific needs they are meant to serve, as well as the practicality of implementing the proposed solution. Our main finding is that Game Theory largely fails to incorporate notions of uncertainty critical to the application being considered. To remedy this, we provide guidance in terms of how to incorporate uncertainty in a model, what forms of uncertainty are critical to consider in each application area, and how to model the information that is available in each application area.