Games and Abstraction: The Science of Cyber Security

Funded by the Engineering and Physical Sciences Research Council (EPSRC), the Government Communications Headquarters (GCHQ) and the Department for Business, Innovation and Skills (BIS) under the UK’s First Academic Research Institute: “Science of Cyber Security” (01 January 2013 to 30 June 2016)

This proposal addresses the challenge “How do we make better security decisions?”. Specifically we propose to develop new approaches to decision support based on mathematical game theory. Our work will support professionals who are designing secure systems and also those charged with determining if systems have an appropriate level of security – in particular, systems administrators. We will develop techniques to support human decision making and techniques which enable well-founded security design decisions to be made.

We recognise that the emerging trend away from corporate IT systems towards a Bring-Your-Own-Device (BYOD) culture will bring new challenges and changes to the role of systems administrator. However, even in this brave new world, companies will continue to have core assets such as the network infrastructure and the corporate database which will need the same kind of protection. It is certainly to be expected that some of the attacks will now originate from inside the corporate firewall rather than from outside. Our team will include researchers from the Imperial College Business School who will help us to ensure that our models are properly reflecting these new threats.

Whilst others have used game theoretic approaches to answer these questions, much of the previous work has been more or less ad hoc. As such the resulting security decisions may be based on unsound principles. In particular, it is common to use abstractions without giving much consideration to the relationship between properties of the abstract model and the real system. We will develop a new game theoretic framework which enables a precise analysis of these relationships and hence provides a more robust decision support

Role: Postdoctoral fellowship at Queen Mary University of London; visiting researcher at Imperial College London, PIs: Pasquale Malacaria, Chris Hankin

Pasquale Malacaria
Professor of Computer Science