Model of cybersecurity means financing with the procedure of additional data obtaining by the protection side

The article describes the model of cybersecurity means financing strategies of the information object with incomplete information about the financial resources of the attacking side. The proposed model is the core of the module of the developed decision support system in the problems of choosing rational investing variants for information protection and cybersecurity of various information objects. The model allows to find financial solutions using the tools of the theory of multistep games with several terminal surfaces. The authors proposed an approach that allows information security management to make a preliminary assessment of strategies for financing the effective cybersecurity systems. The model is distinguished by the assumption that the protection side does not have complete information, both about the financing strategies of the attacking side, and about its financial resources state aimed at overcoming cybersecurity lines of the information object. At the same time, the protection side has the opportunity to obtain additional information by the part of its financial resources. This makes it possible for the protection side to obtain a positive result for itself in the case when it can not be received without this procedure. The solution was found using a mathematical apparatus of a nonlinear multistep quality game with several terminal surfaces with alternate moves. In order to verify the adequacy of the model there was implemented a multivariate computational experiment. The results of this experiment are described in the article. © 2005 - ongoing JATIT & LL

A Comprehensive Insight into Game Theory in relevance to Cyber Security

The progressively ubiquitous connectivity in the present information systems pose newer challenges tosecurity. The conventional security mechanisms have come a long way in securing the well-definedobjectives of confidentiality, integrity, authenticity and availability. Nevertheless, with the growth in thesystem complexities and attack sophistication, providing security via traditional means can beunaffordable. A novel theoretical perspective and an innovative approach are thus required forunderstanding security from decision-making and strategic viewpoint. One of the analytical tools whichmay assist the researchers in designing security protocols for computer networks is game theory. Thegame-theoretic concept finds extensive applications in security at different levels, including thecyberspace and is generally categorized under security games. It can be utilized as a robust mathematicaltool for modelling and analyzing contemporary security issues. Game theory offers a natural frameworkfor capturing the defensive as well as adversarial interactions between the defenders and the attackers.Furthermore, defenders can attain a deep understanding of the potential attack threats and the strategiesof attackers by equilibrium evaluation of the security games. In this paper, the concept of game theoryhas been presented, followed by game-theoretic applications in cybersecurity including cryptography.Different types of games, particularly those focused on securing the cyberspace, have been analysed andvaried game-theoretic methodologies including mechanism design theories have been outlined foroffering a modern foundation of the science of cybersecurity

The THREAT-ARREST Cyber-Security Training Platform

Cyber security is always a main concern for critical infrastructures and nation-wide safety and sustainability. Thus, advanced cyber ranges and security training is becoming imperative for the involved organizations. This paper presets a cyber security training platform, called THREAT-ARREST. The various platform modules can analyze an organization’s system, identify the most critical threats, and tailor a training program to its personnel needs. Then, different training programmes are created based on the trainee types (i.e. administrator, simple operator, etc.), providing several teaching procedures and accomplishing diverse learning goals. One of the main novelties of THREAT-ARREST is the modelling of these programmes along with the runtime monitoring, management, and evaluation operations. The platform is generic. Nevertheless, its applicability in a smart energy case study is detailed

Modelling Telecommunications Operators and Adversaries using Game Theory

Telecommunications systems being inherently distributed and collaborative in nature present a plurality of attack surfaces to malicious entities and hence vulnerable to many potential attacks even indirectly demanding a need in prioritising security. The choice of security implementations depends upon the currently understood threats, future possible threat vectors, and the dependencies between systems. Executing these choices while contemplating the financial aspects is exceptionally difficult. It is thus critical to have a perceptible decision support framework for better security decision-making. This thesis studies the strategic nature of the interaction between the Telecoms operators and attackers utilising game theory to understand their strategic decision-making characteristics strengthening security decisions. To understand the security investment decision-making criteria of operators, this thesis utilises static security investment games. Through these games, we study the effects of security investment decision of an operator on other operators' behaviour. We determine conditions supporting the security investment decisions and propose strategic recommendations supplementing the dependency conditions. We then study attackers' behaviour considering them with strategic incentives in contrary to their strictly-bounded rationality in traditional game-theoretic modelling approaches. We utilise a behavioural approach and design a decision-flow model capturing the choices of attackers in the attack process. An outcome of this work is a generalised attack framework. Moreover, using this framework, we derive attack strategies optimising attackers' effort. Through this work, we are probing the foundations for drawing inferences about attackers' strategic characteristics from a cybersecurity perspective

Gamificação aplicada à formação em cibersegurança de profissionais de saúde: uma prova de conceito

Mestrado em Gestão e Avaliação de Tecnologias em SaúdeIntrodução: O sector da saúde é fortemente afetado pelo cibercrime, com as principais técnicas de ataque a serem direcionadas para os utilizadores. Por isso, os profissionais de saúde têm um papel fundamental na minimização destes ataques, quando devidamente treinados. As estratégias de formação gamificada em cibersegurança têm resultados bastante positivos ao nível da aquisição e retenção de conhecimento, tendo vantagens ao nível da gestão dos recursos e do tempo. Objetivos: Descrever o estado da arte relacionado com o impacto da cibersegurança no sector da saúde e com a gamificação; identificar os componentes associados ao desenvolvimento de soluções de gamificação; comparar as plataformas de gamificação existentes; definir uma metodologia de gamificação adequada para a formação em cibersegurança de profissionais de saúde e desenvolver uma ferramenta de gamificação para a sensibilização em cibersegurança de profissionais de saúde. Metodologia: Desenvolveu-se uma metodologia de gamificação para a formação em cibersegurança dos profissionais de saúde. Foi igualmente desenvolvido um protótipo da estratégia de formação gamificada, específica para o setor da saúde, onde consta um piloto da aplicação (Health-Cy-Game). Resultados: Desenvolvimento do protótipo da estratégia de formação gamificada – Health-Cy-Game – de acordo com o perfil de conhecimentos estabelecido: conhecimento geral de tecnologia; autenticação e gestão de palavras-passe; técnicas de ciberataques dirigidas ao sector da saúde; gestão da informação; manutenção e atualização de software, e procedimentos e regulamentos em cibersegurança das instituições de saúde. Disposições finais: No setor da saúde, a cibersegurança deverá constituir uma preocupação central dos planos estratégicos de segurança e qualidade dos cuidados. Para atingir este estado de segurança, é preciso munir os utilizadores da tecnologia de conhecimento adequados. “Health-Cy-Game” foi construído tendo em conta o perfil de competências destes profissionais e as especificidades deste sector, de acordo com o Referencial de Competências e Conhecimentos do Centro Nacional de Cibersegurança e as escalas Risky Cybersecurity Behaviours Scale (RsCB) e Security Behaviour Intentions Scale (SeBIS).ABSTRACT - Introduction: The healthcare sector is heavily affected by cybercrime, with the majority of techniques used being addressed to its users. Health professionals have a key role in minimizing these attacks when properly trained. Gamified training strategies in cybersecurity have very positive results in terms of knowledge acquisition and retention, with advantages in terms of resources and time management. Objectives: To describe the state-of-the-art related to the impact of cybersecurity in the health sector and with gamification; identify the components associated with the development of gamification solutions; compare existing gamification platforms; define an appropriate gamification methodology for training health professionals in cybersecurity and develop a gamification tool to raise awareness of cybersecurity among health professionals. Methodology: A gamification methodology was developed for training health professionals in cybersecurity. A prototype of the gamified training strategy, specific for the health sector, was also developed, which contains a pilot application (Health-Cy-Game). Results: Development of the prototype of the gamified training strategy – Health-Cy-Game – according to the knowledge profile established: general knowledge of technology; authentication and password management; cyberattack techniques targeting the health sector; information management; maintenance and updating of software, and procedures and regulations in cybersecurity of health institutions. Final Provisions: In the healthcare sector, cybersecurity must be a central concern of strategic plans addressed to safety and quality of care. To achieve this state of security, it is necessary to provide adequate training to healthcare professionals. “Health-Cy-Game” was built taking into account the skills profile of these professionals and the specificities of this sector, in accordance with Centro Nacional de Cibersegurança’s roadmap “Competências e Conhecimentos”, the Risky Cybersecurity Behaviours Scale (RsCB) and Security Behaviour Intentions Scale (SeBIS).N/