Mapping between Classical Risk Management and Game Theoretical Approaches

In a typical classical risk assessment approach, the probabilities are usually guessed, and little guidance is provided on how to get them right. When coming up with probabilities, people are generally not well calibrated, and history is not always a good teacher. Hence, in this paper, we explain how game theory can be integrated into classical risk management. Game theory puts the emphasis on collecting representative data on how stakeholders assess the values of the outcomes of incidents, rather than on collecting the likelihood or probability of incident scenarios for future events that may not be stochastic. We describe how this can be mapped onto and utilized for risk management by relating a game-theoretically inspired risk management process to ISO/IEC 27005. This shows that all the steps of classical risk management can be mapped to steps in the game-theoretical model; however, some of the game-theoretical steps have, at best, a very limited counterpart in ISO/IEC 27005.
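As an added illustration (not from the paper) of the distinction the abstract draws, the following Python contrasts the classical "guessed likelihood x impact" score with a zero-sum game whose inputs are only stakeholder-valued outcomes; the 2x2 loss table, the control names and the scenario names are constructed, hypothetical sample data.

```python
"""Added illustration: classical 'guessed likelihood x impact' scoring versus a
game-theoretic estimate that needs only stakeholder-valued outcomes."""
from fractions import Fraction

# Constructed sample (hypothetical, not from the paper): defender picks a control,
# attacker a scenario; each cell is the stakeholder-valued loss of that outcome.
DEFENDER = ("patching", "awareness_training")
ATTACKER = ("exploit_known_vuln", "phishing")
LOSS = {
    ("patching", "exploit_known_vuln"): 10, ("patching", "phishing"): 60,
    ("awareness_training", "exploit_known_vuln"): 80, ("awareness_training", "phishing"): 20,
}

def classical_risk(likelihood, control):
    """Classical step: risk = sum over scenarios of guessed likelihood x impact."""
    return sum(likelihood[a] * LOSS[(control, a)] for a in ATTACKER)

def worst_case_loss(control):
    """Loss once an adaptive attacker best-responds to a fixed control."""
    return max(LOSS[(control, a)] for a in ATTACKER)

def solve_2x2_zero_sum():
    """Equilibrium of the zero-sum game (defender minimises loss, attacker maximises).
    Returns (p, q, value): p = P(defender plays DEFENDER[0]), q = P(attacker plays ATTACKER[0])."""
    a, b = (Fraction(LOSS[(DEFENDER[0], x)]) for x in ATTACKER)  # row 0 across scenarios
    c, d = (Fraction(LOSS[(DEFENDER[1], x)]) for x in ATTACKER)  # row 1 across scenarios
    maximin = max(min(a, c), min(b, d))  # best loss the attacker can force with one pure scenario
    minimax = min(max(a, b), max(c, d))  # lowest ceiling the defender can force with one pure control
    if maximin == minimax:  # saddle point: pure strategies already form an equilibrium
        return Fraction(int(max(a, b) == minimax)), Fraction(int(min(a, c) == maximin)), minimax
    denom = a - b - c + d  # mixed strategies: each side equalises the opponent's payoff across choices
    p, q = (d - c) / denom, (d - b) / denom
    return p, q, p * a + (1 - p) * c

def derived_likelihoods():
    """The attacker's equilibrium mix stands in for scenario likelihoods, derived
    from the valued outcomes rather than guessed."""
    _, q, _ = solve_2x2_zero_sum()
    return {ATTACKER[0]: q, ATTACKER[1]: 1 - q}

if __name__ == "__main__":
    guess = {"exploit_known_vuln": 0.3, "phishing": 0.7}  # constructed guessed likelihoods
    for ctrl in DEFENDER:
        print(ctrl, "classical:", classical_risk(guess, ctrl), "adaptive attacker:", worst_case_loss(ctrl))
    print("equilibrium (p, q, expected loss):", solve_2x2_zero_sum(), derived_likelihoods())
```

With the sample numbers the classical score favours awareness training (38 vs 45), yet an attacker adapting to that single control inflicts 80; the equilibrium instead yields an expected loss of 460/11 and an attacker mix of 4/11 and 7/11 that was never elicited as a probability.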
