Games We Play
Defenses and Disincentives
Allison Miller
Overview
Overview of econ & game theory concepts

Game theory games

Infosec issues as games

Designing games to win

Walk-through a defense built on
disincentives

Wrap-up
Economics applied to security
Utility theory

Externalities 

Information Asymmetries

Signaling 

Marginal cost
Game theory
Branch of applied mathematics

Studies decisions made by players
interacting (or competing)

- Scenarios have rules and pay-offs

- Costs & benefits dependent on decisions of other
players

Used as a framework in economics, comp
sci, biology, & philosophy

- Also business, negotiation, and military strategy
Discussing Games
Mechanics of a payoff matrix (Player 1 chooses a row, Player 2 chooses a column)

                     Player 2: A        Player 2: B
  Player 1: A        A1, A2             A1, B2
  Player 1: B        B1, A2             B1, B2
Discussing Games
Mechanics of decision trees
[Decision tree figure: sequential moves with branch labels UP/DOWN, CIRCLE, RED/BLUE and MARIO/LUIGI/KIRBY/GIZMO, decision nodes marked A and B, and leaf payoffs (10, 3), (2, 10), (2, 5), (-3, 3)]
Typical game theory "games"
Chicken / Brinkmanship

- Push it to the edge

Volunteer’s Dilemma

- For the greater good

Tragedy of the Commons

- Share and share alike (cumulative effect of
cheating)

Prisoner’s Dilemma
Discussing Games
Prisoner’s Dilemma (Player 1 chooses a row, Player 2 chooses a column)

                          Player 2: Keep quiet        Player 2: Confess
  Player 1: Keep quiet    -1, -1                      0, -10
                          (Mutual cooperation)        (Individual defection)
  Player 1: Confess       -10, 0                      -3, -3
                          (Individual defection)      (Mutual punishment)
Predicting outcomes
Cooperation

Defection

Dominant
strategies

Equilibrium
Nash Equilibrium
Equilibrium is reached when:

- Players in a game have selected a strategy

- Neither side can change its strategy
independently and improve its position

Optimal solution in games with limited
outcomes
Discussing Games
Prisoner’s Dilemma, revisited (Player 1 chooses a row, Player 2 chooses a column)

                          Player 2: Keep quiet        Player 2: Confess
  Player 1: Keep quiet    -1, -1                      0, -10
                          (Mutual cooperation)        (Individual defection)
  Player 1: Confess       -10, 0                      -3, -3
                          (Individual defection)      (Mutual punishment)
Setting up risk problems as games
Identify players in the game

Clarify the “rules”

Show me your moves

Describe payoffs

Single move or repeated game
Discussing Games
Tragedy of the Commons: Spam, Bandwidth usage (rows: individual choice; columns: everyone else’s choices; cells give the individual’s outcome)

                            > n choose wise usage          Less than n choose wise usage
  Use resource wisely       Cost, but social benefit       Cost
                            (Mutual cooperation)           (Subsidize social use)
  Overuse resource          Social benefit                 0
                            (Benefit w/o cost)             (Resources depleted)
Discussing Games
Chicken/Brinkmanship: Vulnerability Disclosure (rows: asset owner; columns: vulnerability researcher)

                        Report                          Exploit
  Reward / Respond      0, 0                            -2, +2
                        (Responsible disclosure)        (Early disclosure)
  Ignore / Deny         +2, -2                          -10, -10
                        (Defer vulnerability)           (0-day go boom)
Discussing Games
Volunteer’s Dilemma: Data breach cost info sharing (rows: victim; columns: all other victims; cells give the victim’s payoff)

                   At least one shares        All keep quiet
  Share            0                          0
                   (Cost, limited benefit)
  Keep quiet       1                          -10
                   (Benefit w/o cost)         (Everyone’s in the dark)
How games are won
Clarify dominant strategies

Find equilibrium

Pursue equilibrium or change the
payoffs
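Worked example, added here and not part of the deck: a small Python analyser for 2x2 games that does the three things this slide lists, clarifying dominant strategies, finding the pure-strategy equilibria, and re-running the analysis after the payoffs are changed. It uses the deck’s Prisoner’s Dilemma and vulnerability-disclosure numbers. Assumptions that are mine rather than the deck’s: each cell lists the row player’s payoff first; the Prisoner’s Dilemma cells are arranged the standard way (the lone defector gets 0, the lone cooperator gets -10); and the “reshaped” disclosure payoffs (a bounty worth +3 to a reporting researcher, a cost of -5 to an owner who ignores a report) are hypothetical.

```python
from copy import deepcopy

# Convention assumed throughout: game[row_move][col_move] = (row payoff, col payoff).

# Prisoner's Dilemma with the deck's numbers (-1, -10, 0, -3), arranged the
# standard way: the lone defector gets 0, the lone cooperator gets -10.
PRISONERS_DILEMMA = {
    "keep quiet": {"keep quiet": (-1, -1), "confess": (-10, 0)},
    "confess":    {"keep quiet": (0, -10), "confess": (-3, -3)},
}

# Vulnerability-disclosure "chicken" game from the deck:
# rows = asset owner, columns = vulnerability researcher.
VULN_DISCLOSURE = {
    "reward/respond": {"report": (0, 0),  "exploit": (-2, 2)},
    "ignore/deny":    {"report": (2, -2), "exploit": (-10, -10)},
}


def best_responses(game, player):
    """For player 0 (rows) or 1 (columns): map each opponent move to the set of
    this player's moves that maximise their own payoff against it."""
    rows = list(game)
    cols = list(next(iter(game.values())))
    out = {}
    if player == 0:
        for c in cols:
            best = max(game[r][c][0] for r in rows)
            out[c] = {r for r in rows if game[r][c][0] == best}
    else:
        for r in rows:
            best = max(game[r][c][1] for c in cols)
            out[r] = {c for c in cols if game[r][c][1] == best}
    return out


def dominant_strategy(game, player):
    """A move that is a best response to every opponent move (weak dominance);
    None if the player's best move depends on what the opponent does."""
    common = set.intersection(*best_responses(game, player).values())
    return next(iter(common)) if len(common) == 1 else None


def pure_nash_equilibria(game):
    """Cells where neither player can improve by changing only their own move."""
    br_row, br_col = best_responses(game, 0), best_responses(game, 1)
    return [(r, c) for r in game for c in game[r]
            if r in br_row[c] and c in br_col[r]]


def analyse(game):
    return {
        "dominant": (dominant_strategy(game, 0), dominant_strategy(game, 1)),
        "equilibria": pure_nash_equilibria(game),
    }


def adjust(game, row, col, row_delta=0, col_delta=0):
    """Return a copy of the game with one cell's payoffs shifted: the
    'change the payoffs' move from the slide. The original is left untouched."""
    new = deepcopy(game)
    a, b = new[row][col]
    new[row][col] = (a + row_delta, b + col_delta)
    return new


# Hypothetical reshaped disclosure game (these numbers are assumptions, not the
# deck's): a bounty makes reporting worth +3 to the researcher when the owner
# responds, and ignoring a report now costs the owner 5.
RESHAPED_DISCLOSURE = adjust(
    adjust(VULN_DISCLOSURE, "reward/respond", "report", col_delta=3),
    "ignore/deny", "report", row_delta=-5,
)

if __name__ == "__main__":
    for name, game in [("Prisoner's Dilemma", PRISONERS_DILEMMA),
                       ("Vulnerability disclosure", VULN_DISCLOSURE),
                       ("Reshaped disclosure", RESHAPED_DISCLOSURE)]:
        print(name, analyse(game))
```

Run as written, the Prisoner’s Dilemma reports “confess” as dominant for both players and a single equilibrium at mutual punishment; the disclosure game has no dominant strategy for either side and two equilibria (respond/exploit and ignore/report), which is what makes it a game of chicken. Only after the payoffs are changed does respond/report become the unique equilibrium, and note that raising the researcher’s reward alone is not enough: the owner also has to face a cost for ignoring reports, or ignore/report stays an equilibrium.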
Moves
Current game-play

- Controls are layered or chained until we're satisfied that for some set of attackers,
the cost of the attack is higher than the utility associated with their payoff 

Reputation requirements for participation

Role requirements for participation (access control) 

Incremental authentication

Content/context based filtering

Blacklisting / whitelisting

Rate limiting 

Bot limiters (Captcha)

Obfuscation/Encryption
Counter-moves
For every move there is
a counter-move
Putting the pieces on the board
The amount of friction inserted into the
system depends on:

- Value of asset to the owner

- Value of the asset to potential attackers

- Number of attackers expected

- Portion of attacks that must be averted

- Disincentive value of each layer of friction for an
attacker

Now it’s time to play our game
Does this sound familiar?
Managing Decisions
Game Theory is a framework for studying decisions

- Since payoffs depends on the choices of other players, moves
are risky

- Players play based on their risk appetite

- Risk management = decision management

Defenders design control systems that make decisions

- Where risks manifest in observable behavior

- That make moves/counter-moves depending on the context
and understanding of an actor’s identity or intent

- Where system or individual costs/payoffs depend on the
outcome of an actor’s actions
SHALL WE PLAY A GAME?
(SINCE WE CAN’T PLAY “CLUE” FOR EVERY LOGIN TRANSACTION, NEW USER, MESSAGE, FRIEND REQUEST, ATTACHMENT, PACKET, WINK, POKE OR CLICK, WE BUILD RISK MODELS)
Applying Decisions
Risk management is decision management

Decision flow: ACTOR ATTEMPTS ACTION -> SUBMIT -> WHAT IS THE REQUEST? -> HOW TO HONOR THE REQUEST? -> SHOULD WE HONOR? -> RESULT: ACTION OCCURS
Not all risk decisions have a
competitive element, but all
competition / games have risks
Moves (account creation):

- Create account using fake identity
- Script completion of verifications
- Outsource captcha
- Create accounts across virtual devices
- Distribute creation of accts using botnet
- Scrape identities from public sites
- Age accounts, then reactivate
- Use stolen credentials
- Defraud verification process
- ...

Counter-moves:

- Require email verification
- Test for human behind keyboard
- Rate limit by device ID
- Rate limit by IP/location
- Look for similarities across accounts
- Require reputation level to proceed
- Filter for content / context, add auth challenge
- Require manual verification
- Manual review of account/event
- ...
Except one small thing...
...what kind of game is this?
Multi-player Mode (rows: defense; columns: offense)

               Attempt      Success
  Deflect      4, 4         0, 10
  Ignore       10, 0        1, 1
Attackers are not the only players in
the game

Legitimate users that are also
affected by added friction
Team Dynamics
So this adds another factor into the
appropriate level of friction question,
which is:

- Disincentive value of each layer of friction for
an innocent

- Likelihood the disincentive will be incorrectly
applied to an innocent

- Likelihood the disincentive value > payoff
value for the innocent (go find a new game)
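Worked example, added here and not from the deck: a Python model of the friction question as the “Putting the pieces on the board” and “Team Dynamics” slides pose it. Each layer carries a disincentive value for an attacker, a disincentive value for an innocent, and a likelihood of being applied to an innocent; the planner stacks layers until the attacker’s cost exceeds the value of the asset to them, then checks whether the expected friction leaves legitimate users with a reason to go find a new game. The layer names are the deck’s counter-moves; every number (costs, probabilities, payoffs) is a constructed assumption, as is the greedy ordering by attacker-cost per unit of innocent friction.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    attacker_cost: float     # disincentive value of this layer for an attacker
    innocent_cost: float     # disincentive value for a legitimate user when it is applied
    p_hits_innocent: float   # likelihood the layer is applied to a legitimate user


@dataclass
class FrictionPlan:
    layers: list              # names of the layers chosen, in the order added
    attacker_net: float       # attacker payoff minus total attacker cost (< 0 means deterred)
    innocent_friction: float  # expected friction a legitimate user experiences
    attacker_deterred: bool
    innocents_stay: bool      # expected friction is below what the interaction is worth to them


# Constructed numbers for illustration only; the names are the deck's counter-moves.
SAMPLE_LAYERS = [
    Layer("email verification",     attacker_cost=1, innocent_cost=1, p_hits_innocent=1.0),
    Layer("captcha",                attacker_cost=2, innocent_cost=1, p_hits_innocent=1.0),
    Layer("rate limit by device ID", attacker_cost=3, innocent_cost=2, p_hits_innocent=0.05),
    Layer("manual review",          attacker_cost=6, innocent_cost=5, p_hits_innocent=0.02),
]


def efficiency(layer):
    """Attacker cost bought per unit of expected innocent friction. Layers applied
    only on suspicion (low p_hits_innocent) score far better than blanket ones."""
    expected_innocent = layer.p_hits_innocent * layer.innocent_cost
    return layer.attacker_cost / max(expected_innocent, 1e-9)


def plan_friction(layers, attacker_payoff, innocent_payoff):
    """Add layers, most efficient first, until the attacker's total cost exceeds
    their payoff; report whether that also prices out the legitimate user."""
    chosen, attacker_cost, innocent_friction = [], 0.0, 0.0
    for layer in sorted(layers, key=efficiency, reverse=True):
        if attacker_cost > attacker_payoff:
            break  # attacker already deterred; more friction only hurts innocents
        chosen.append(layer.name)
        attacker_cost += layer.attacker_cost
        innocent_friction += layer.p_hits_innocent * layer.innocent_cost
    return FrictionPlan(
        layers=chosen,
        attacker_net=attacker_payoff - attacker_cost,
        innocent_friction=innocent_friction,
        attacker_deterred=attacker_cost > attacker_payoff,
        innocents_stay=innocent_friction < innocent_payoff,
    )


if __name__ == "__main__":
    print(plan_friction(SAMPLE_LAYERS, attacker_payoff=10, innocent_payoff=3))
    # Higher-value asset and a low-value interaction for innocents: the full stack
    # still does not deter the attacker, and innocents leave first.
    print(plan_friction(SAMPLE_LAYERS, attacker_payoff=20, innocent_payoff=1))
```

With the sample numbers the planner stops after manual review, the device rate limit and the captcha (attacker cost 11 against a payoff of 10, innocent friction about 1.2 against an interaction worth 3). The second call shows the failure mode the slides warn about: when the asset is worth 20 to the attacker, all four layers together cost them only 12, while their expected friction on innocents (2.2) already exceeds what the interaction is worth to them.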
Decisions, Decisions (rows: POPULATION; columns: RESPONSE)

            Authorize           Block
  Good      (correct)           false positive
  Bad       false negative      (correct)
Incorrect decisions have a cost 

Correct decisions are free (usually)
[Figure: a good action that gets blocked, or a bad action that gets through, each leads to downstream impacts]
GAME OVER
1-UP?
Why are we still playing?
Economic/mathematical models
depend on rational participants

Free will doesn’t imply rationality

Economics studies what should
happen, behavioral economics
studies what does happen
Example of rational irrationality
Ultimatum Game

- Player A given $1000

Player A needs to split the $ with Player B

Player A gets to choose the split

- Player B receives offer

If B accepts, both get $

If B rejects, both get 0
Take it or leave it
Outcomes

- Player A usually offers ~50%

- Player B often rejects if offered <30%

- This behavior occurs across cultures and levels of wealth

Emotions matter

- Heightened brain activity in:

  Bilateral anterior insula (disgust) with low offers

  Dorsolateral prefrontal cortex (cognitive decision making) with high offers

- Fairness, Fear, Punishing the mean
Therefore: Winning strategies
depend on understanding behavior
Both attackers and defenders may exhibit bias when
making decisions - about the game and other players

Retrofit conceptual models to actual experiences

Fill in the blanks on player costs/payoffs

Risk controls still either need to

- Change friction (cost), or

- Change expected value of pay-off

Continue to analyze game dynamics over time 

- Low-risk, high frequency interactions (data) 

- High-risk, low frequency interactions (negotiation)
Prediction is very difficult, especially
about the future
Niels Bohr
Allison Miller
@selenakyle
Some references
Axelrod, Robert. The Evolution of Cooperation.

Dixit, Avinash and Nalebuff, Barry. The Art of Strategy: A
Game Theorist’s Guide to Success in Business and in Life.

Fisher, Len. Rock, Paper, Scissors: Game Theory in
Everyday Life.

Gibbons, Robert. Game Theory for Applied Economists.

Meadows, Donella. Thinking in Systems: A Primer.

Wikipedia’s sections on Game Theory, Economics, &
Probability.

 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 

2012.12 Games We Play: Defenses & Disincentives

  • 1. Games We Play: Defenses and Disincentives
       Allison Miller
  • 2. Overview
       - Overview of econ & game theory concepts
       - Game theory games
       - Infosec issues as games
       - Designing games to win
       - Walk-through a defense built on disincentives
       - Wrap-up
  • 3. Economics applied to security
       - Utility theory
       - Externalities
       - Information asymmetries
       - Signaling
       - Marginal cost
  • 4. Game theory
       Branch of applied mathematics that studies decisions made by players interacting (or competing).
       - Scenarios have rules and pay-offs
       - Costs & benefits depend on the decisions of other players
       Used as a framework in economics, computer science, biology & philosophy, and also in business, negotiation and military strategy.
  • 5. Discussing Games: mechanics of a payoff matrix
       Each cell holds (Player 1's payoff, Player 2's payoff); Player 1 picks the row, Player 2 picks the column.

                             Player 2
                             A          B
         Player 1   A      A1, A2     A1, B2
                    B      B1, A2     B1, B2
  • 6. Discussing Games: mechanics of decision trees
       (Figure: a branching tree of moves, labelled UP/DOWN, CIRCLE, RED/BLUE and MARIO/LUIGI/KIRBY/GIZMO, with the payoff pairs 10, 3 / 2, 10 / 2, 5 / -3, 3 at the leaves and the players A and B alternating at each level.)
  • 7. Typical game theory "games"
       - Chicken / Brinkmanship: push it to the edge
       - Volunteer's Dilemma: for the greater good
       - Tragedy of the Commons: share and share alike (cumulative effect of cheating)
       - Prisoner's Dilemma
  • 8. Discussing Games: Prisoner's Dilemma
       Payoffs are (Player 1, Player 2); the player who confesses while the other keeps quiet walks free (0), and the silent partner serves the full term (-10).

                                    Player 2
                                    Keep quiet                Confess
         Player 1   Keep quiet      -1, -1                    -10, 0
                                    (mutual cooperation)      (individual defection)
                    Confess         0, -10                    -3, -3
                                    (individual defection)    (mutual punishment)
  • 10. Nash Equilibrium
       Equilibrium is reached when:
       - Every player in the game has selected a strategy
       - Neither side can change its strategy independently and improve its position
       It is the stable solution in games with a finite set of outcomes, not necessarily the best joint outcome: in the Prisoner's Dilemma the equilibrium is mutual confession, which both players like less than mutual silence.
  • 11. Discussing Games: Prisoner's Dilemma revisited
       Same matrix as slide 8. Whatever the other player does, Confess pays more than Keep quiet (0 vs -1, -3 vs -10), so Confess is each player's dominant strategy and (Confess, Confess) at -3, -3 is the Nash equilibrium, even though both would prefer (-1, -1).
  • 12. Setting up risk problems as games
       - Identify the players in the game
       - Clarify the "rules"
       - Show me your moves
       - Describe the payoffs
       - Single move or repeated game?
  • 13. Discussing Games: Tragedy of the Commons (spam, bandwidth usage)
       The individual's payoff depends on how many of the other players choose wise usage (more than some threshold n, or fewer).

                                        Everyone else's choices
                                        > n choose wise usage          < n choose wise usage
         Individual   Use resource      Cost, but social benefit       Cost (subsidize social use)
         choice       wisely            (mutual cooperation)
                      Overuse           Social benefit                 0 (resources depleted)
                      resource          (benefit without cost)
  • 14. Discussing Games: Chicken/Brinkmanship as vulnerability disclosure
       Payoffs are (asset owner, vulnerability researcher).

                                          Vulnerability researcher
                                          Report                       Exploit
         Asset owner   Reward / Respond   0, 0                         -2, +2
                                          (responsible disclosure)     (early disclosure)
                       Ignore / Deny      +2, -2                       -10, -10
                                          (defer vulnerability)        (0-day go boom)
  • 15. Discussing Games: Volunteer's Dilemma as data-breach cost information sharing
       Payoff to one victim, depending on what all the other victims do.

                                   All other victims
                                   At least one shares        All keep quiet
         Victim   Share            0                          0 (cost, limited benefit)
                  Keep quiet       1 (benefit without cost)   -10 (everyone's in the dark)
  • 16. How games are won
       - Clarify dominant strategies
       - Find the equilibrium
       - Pursue the equilibrium, or change the payoffs
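       The three steps on slide 16 can be run mechanically on the 2x2 matrices from slides 8 and 14. The following is an added example, not code from the talk: it takes a two-player payoff matrix in the (row player, column player) convention of slide 5, reports each player's strictly dominant strategy and the pure-strategy Nash equilibria, and then applies the "change the payoffs" move. Payoffs are those of slides 8 and 14, with the Prisoner's Dilemma off-diagonal cells written so that the confessor goes free ((-10, 0) when Player 1 keeps quiet and Player 2 confesses), which is the version the dominance argument on slide 11 needs. The bug-bounty adjustment (+3 to a researcher who reports to a responsive owner) is a hypothetical illustration.

```python
"""Dominant strategies and pure-strategy Nash equilibria for the
two-player payoff matrices on the slides (added example)."""
from itertools import product

# A game is a dict: rows/cols name the strategies of the row player
# (player 0) and column player (player 1); payoffs[i][j] is the pair
# (row player's payoff, column player's payoff), as in the slide-5 matrix.
PRISONERS_DILEMMA = {
    "rows": ["Keep quiet", "Confess"],
    "cols": ["Keep quiet", "Confess"],
    "payoffs": [[(-1, -1), (-10, 0)],
                [(0, -10), (-3, -3)]],
}

# Vulnerability disclosure as chicken (slide 14): rows = asset owner,
# columns = researcher, pairs = (asset owner, researcher).
DISCLOSURE = {
    "rows": ["Reward/Respond", "Ignore/Deny"],
    "cols": ["Report", "Exploit"],
    "payoffs": [[(0, 0), (-2, 2)],
                [(2, -2), (-10, -10)]],
}


def _own_payoff(game, player, own, opp):
    """Payoff to `player` for its strategy index `own` against the
    opponent's strategy index `opp`."""
    if player == 0:
        return game["payoffs"][own][opp][0]
    return game["payoffs"][opp][own][1]


def best_responses(game, player, opp):
    """Indices of `player`'s strategies that maximise its payoff when the
    opponent's choice is fixed at `opp`."""
    n = len(game["rows"] if player == 0 else game["cols"])
    pays = [_own_payoff(game, player, k, opp) for k in range(n)]
    best = max(pays)
    return {k for k in range(n) if pays[k] == best}


def dominant_strategy(game, player):
    """Strategy that is the unique best response to every opponent
    choice (strict dominance), or None if the player has none."""
    own = game["rows"] if player == 0 else game["cols"]
    opp_n = len(game["cols"] if player == 0 else game["rows"])
    for k in range(len(own)):
        if all(best_responses(game, player, o) == {k} for o in range(opp_n)):
            return own[k]
    return None


def pure_nash_equilibria(game):
    """Cells from which neither player gains by deviating alone."""
    cells = product(range(len(game["rows"])), range(len(game["cols"])))
    return [(game["rows"][i], game["cols"][j]) for i, j in cells
            if i in best_responses(game, 0, j) and j in best_responses(game, 1, i)]


def adjust_payoff(game, row, col, d_row=0, d_col=0):
    """Copy of `game` with the pair in cell (row, col) shifted by
    (d_row, d_col): the 'change the payoffs' move from slide 16."""
    new = [list(r) for r in game["payoffs"]]
    a, b = new[row][col]
    new[row][col] = (a + d_row, b + d_col)
    return {**game, "payoffs": new}


# Hypothetical bug bounty: +3 to a researcher who reports to an owner that
# rewards/responds (cell Reward/Respond x Report).
DISCLOSURE_WITH_BOUNTY = adjust_payoff(DISCLOSURE, 0, 0, d_col=3)

# Hypothetical disclosure deadline on top of the bounty: ignoring a report
# now costs the owner 3 (cell Ignore/Deny x Report).
DISCLOSURE_WITH_DEADLINE = adjust_payoff(DISCLOSURE_WITH_BOUNTY, 1, 0, d_row=-3)

if __name__ == "__main__":
    for name, g in [("Prisoner's Dilemma", PRISONERS_DILEMMA),
                    ("Disclosure", DISCLOSURE),
                    ("Disclosure + bounty", DISCLOSURE_WITH_BOUNTY),
                    ("Disclosure + bounty + deadline", DISCLOSURE_WITH_DEADLINE)]:
        print(name, "| dominant:", dominant_strategy(g, 0), dominant_strategy(g, 1),
              "| pure NE:", pure_nash_equilibria(g))
```

       The disclosure game has no dominant strategy and two pure equilibria, (Reward/Respond, Exploit) and (Ignore/Deny, Report), which is what makes it chicken. The bounty alone makes Report dominant for the researcher, but leaves the owner preferring Ignore/Deny against a reporter, so the single remaining equilibrium is (Ignore/Deny, Report); only when the owner's payoff for deferring is also changed does the equilibrium move to (Reward/Respond, Report). Changing one side's payoffs is usually not enough.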
  • 17. Moves
       Current game-play: controls are layered or chained until we're satisfied that, for some set of attackers, the cost of the attack is higher than the utility of their payoff.
       - Reputation requirements for participation
       - Role requirements for participation (access control)
       - Incremental authentication
       - Content/context based filtering
       - Blacklisting / whitelisting
       - Rate limiting
       - Bot limiters (CAPTCHA)
       - Obfuscation / encryption
  • 18. Counter-moves
       For every move there is a counter-move.
  • 19. Putting the pieces on the board
       The amount of friction inserted into the system depends on:
       - Value of the asset to the owner
       - Value of the asset to potential attackers
       - Number of attackers expected
       - Portion of attacks that must be averted
       - Disincentive value of each layer of friction for an attacker
       Now it's time to play our game.
  • 20. Does this sound familiar?
  • 21. Managing Decisions
       Game theory is a framework for studying decisions:
       - Since payoffs depend on the choices of other players, moves are risky
       - Players play based on their risk appetite
       - Risk management = decision management
       Defenders design control systems that make decisions:
       - Where risks manifest in observable behavior
       - That make moves/counter-moves depending on the context and on an understanding of an actor's identity or intent
       - Where system or individual costs/payoffs depend on the outcome of an actor's actions
  • 22. Shall we play a game?
       Since we can't play "Clue" for every login, transaction, new user, message, friend request, attachment, packet, wink, poke or click, we build risk models.
  • 23. Applying Decisions
       Risk management is decision management. One request flows through:
       actor attempts action -> submit -> what is the request? -> should we honor it? -> how to honor the request -> result: the action occurs
  • 24. Not all risk decisions have a competitive element, but all competition / games have risks.
  • 25. Moves and counter-moves in the account-creation game (no slide title)
       Attacker moves:
       - Create account using a fake identity
       - Script completion of verifications
       - Outsource CAPTCHA solving
       - Create accounts across virtual devices
       - Distribute account creation using a botnet
       - Scrape identities from public sites
       - Age accounts, then reactivate
       - Use stolen credentials
       - Defraud the verification process
       - ...
       Defender counter-moves:
       - Require email verification
       - Test for a human behind the keyboard
       - Rate limit by device ID
       - Rate limit by IP/location
       - Look for similarities across accounts
       - Require a reputation level to proceed
       - Filter for content / context, add an auth challenge
       - Require manual verification
       - Manual review of account/event
       - ...
  • 26. Except one small thing... what kind of game is this?
  • 27. Multi-player Mode
       The slide shows this matrix four times over, once per player: attackers are not the only players in the game; legitimate users are also affected by added friction. Payoffs are (defense, offense).

                               Offense
                               Attempt     Success
         Defense   Deflect     4, 4        0, 10
                   Ignore      10, 0       1, 1
  • 28. Team Dynamics
       So this adds another factor to the "appropriate level of friction" question:
       - Disincentive value of each layer of friction for an innocent
       - Likelihood the disincentive will be incorrectly applied to an innocent
       - Likelihood the disincentive value > payoff value for the innocent (they go find a new game)
  • 29. Decisions, Decisions
       Every decision is one cell of this matrix; incorrect decisions have a cost, correct decisions are (usually) free.

                                    Response
                                    Authorize                          Block
         Population   Good action   correct                            false positive
                                                                       (good action gets blocked)
                      Bad action    false negative                     correct
                                    (bad action gets through)
       Both kinds of error have downstream impacts.
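       The counter-moves above are only a list until they are chained into the per-request decision of slide 23. The following is an added example, not code from the talk: a small gate for signup requests that requires a verified email, rate-limits attempts per device ID and per IP /24 with sliding windows, and flags accounts whose normalized email matches an existing one (one form of "similarities across accounts"), returning allow, challenge or block. The thresholds, the event fields and the sample traffic are constructed for the example. Attempts are counted whether or not they are honored, so a bot that keeps retrying climbs the friction ladder by itself.

```python
"""Layered friction for account creation (added example): the defender
counter-moves from slide 25 chained into one allow/challenge/block
decision per request."""
from collections import defaultdict, deque
from ipaddress import ip_network


class SignupGate:
    """Thresholds are assumptions for the example, not from the talk."""

    def __init__(self, device_limit=(3, 3600), net_limit=(10, 3600)):
        self.device_limit = device_limit   # (max attempts, window seconds) per device id
        self.net_limit = net_limit         # (max attempts, window seconds) per /24
        self.by_device = defaultdict(deque)
        self.by_net = defaultdict(deque)
        self.accounts_by_identity = defaultdict(int)

    @staticmethod
    def canonical_email(addr):
        """Collapse the aliases one mailbox can claim (case, dots in the
        local part, '+tag' suffixes) so account similarity becomes visible."""
        local, _, domain = addr.strip().lower().partition("@")
        local = local.split("+", 1)[0].replace(".", "")
        return f"{local}@{domain}"

    @staticmethod
    def _count_in_window(times, now, window):
        """Drop timestamps older than `window` seconds and count the rest."""
        while times and now - times[0] > window:
            times.popleft()
        return len(times)

    def decide(self, ev):
        """Return (decision, reason) for one signup attempt."""
        now = ev["ts"]
        net = str(ip_network(f"{ev['ip']}/24", strict=False))
        self.by_device[ev["device_id"]].append(now)
        self.by_net[net].append(now)
        dev_n = self._count_in_window(self.by_device[ev["device_id"]], now, self.device_limit[1])
        net_n = self._count_in_window(self.by_net[net], now, self.net_limit[1])
        identity = self.canonical_email(ev["email"])

        # Cheapest friction first; each layer only sees what earlier ones let through.
        if not ev.get("email_verified"):
            return "block", "unverified_email"
        if dev_n > self.device_limit[0]:
            return "block", f"device_rate:{dev_n}/{self.device_limit[1]}s"
        if net_n > self.net_limit[0]:
            return "challenge", f"net_rate:{net}"
        if self.accounts_by_identity[identity]:
            return "challenge", f"duplicate_identity:{identity}"
        self.accounts_by_identity[identity] += 1
        return "allow", "ok"


def sample_events():
    """Constructed traffic: a legitimate user, an unverified signup, an alias
    of the first user, one device churning accounts, a burst from one /24,
    and a late attempt after the windows have expired."""
    events = [
        dict(ts=0, device_id="d1", ip="203.0.113.10", email="alice@example.com", email_verified=True),
        dict(ts=10, device_id="d2", ip="203.0.113.11", email="bob@example.com", email_verified=False),
        dict(ts=20, device_id="d1", ip="203.0.113.10", email="A.Lice+promo@Example.com", email_verified=True),
        dict(ts=30, device_id="d1", ip="203.0.113.10", email="carol@example.com", email_verified=True),
        dict(ts=40, device_id="d1", ip="203.0.113.10", email="dave@example.com", email_verified=True),
    ]
    for k in range(6):  # six fresh devices from the same /24 within a minute
        events.append(dict(ts=100 + 10 * k, device_id=f"d{10 + k}", ip=f"203.0.113.{20 + k}",
                           email=f"user{k}@example.com", email_verified=True))
    events.append(dict(ts=4000, device_id="d1", ip="203.0.113.10", email="erin@example.com", email_verified=True))
    return events


def run(events, gate=None):
    """Feed events through one gate in order and collect the decisions."""
    gate = gate or SignupGate()
    return [gate.decide(ev) for ev in events]


if __name__ == "__main__":
    for ev, (decision, reason) in zip(sample_events(), run(sample_events())):
        print(ev["ts"], ev["device_id"], ev["email"], "->", decision, reason)
```

       In the sample run the fourth account from device d1 is blocked, the eleventh attempt from 203.0.113.0/24 within the hour gets a challenge rather than a block (a shared NAT address is exactly where the innocent-player cost of slide 28 bites), and the same user's attempt an hour later is allowed again once the windows have drained.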
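       Slides 19, 28 and 29 list the quantities the friction decision depends on; put together they give an expected-cost model the owner can actually minimize. The following is an added example, not a model from the talk: each candidate layer has a cost it imposes on an attacker, a share of attacks it stops, a false-positive rate and an abandonment rate for innocents; attackers are assumed rational and attempt only while the expected value of an attempt is positive; the owner's cost is successful attacks (false negatives) times the asset's value plus innocents lost to false positives and abandonment. Every layer name, rate and price below is an assumption for illustration.

```python
"""Sizing the friction stack (added example): expected owner cost of each
subset of control layers, with rational attackers deterred once the
stack makes an attempt unprofitable."""
from itertools import combinations
from math import prod

# Candidate layers: what it costs an attacker to get past, the share of
# attacks it stops, the false-positive rate on innocents, and the share of
# innocents who give up rather than pay the friction. All assumed values.
LAYERS = {
    "email_verify":      dict(attacker_cost=1.0,  catch=0.30, fp=0.010, abandon=0.02),
    "captcha":           dict(attacker_cost=2.0,  catch=0.50, fp=0.005, abandon=0.03),
    "device_rate_limit": dict(attacker_cost=10.0, catch=0.60, fp=0.001, abandon=0.00),
    "manual_review":     dict(attacker_cost=5.0,  catch=0.90, fp=0.050, abandon=0.10),
}

PARAMS = dict(
    n_attackers=1000,       # number of attackers expected (slide 19)
    n_legit=100_000,        # legitimate users facing the same friction (slide 28)
    attacker_payoff=50.0,   # value of the asset to an attacker, per success
    asset_loss=200.0,       # value of the asset to the owner, per success
    legit_value=5.0,        # value to the owner of a legitimate action completing
)


def attacker_ev(stack, p, layers=LAYERS):
    """Expected value of one attempt: payoff discounted by the chance of
    getting through every layer, minus the cost of the layers."""
    pass_rate = prod(1 - layers[n]["catch"] for n in stack)
    return p["attacker_payoff"] * pass_rate - sum(layers[n]["attacker_cost"] for n in stack)


def defender_cost(stack, p, layers=LAYERS):
    """Owner's expected loss for a stack: false negatives times asset value
    plus innocents lost to false positives and abandonment (slide 29)."""
    pass_rate = prod(1 - layers[n]["catch"] for n in stack)
    attempts = p["n_attackers"] if attacker_ev(stack, p, layers) > 0 else 0
    successes = attempts * pass_rate
    legit_through = prod((1 - layers[n]["fp"]) * (1 - layers[n]["abandon"]) for n in stack)
    legit_lost = p["n_legit"] * (1 - legit_through)
    return dict(stack=tuple(stack), attempts=attempts, successes=successes,
                legit_lost=legit_lost,
                cost=successes * p["asset_loss"] + legit_lost * p["legit_value"])


def best_stack(p, layers=LAYERS):
    """Enumerate every subset of layers and return the cheapest for the owner."""
    names = list(layers)
    candidates = [c for r in range(len(names) + 1) for c in combinations(names, r)]
    return min((defender_cost(c, p, layers) for c in candidates), key=lambda d: d["cost"])


if __name__ == "__main__":
    for combo in [(), ("manual_review",), ("captcha", "device_rate_limit")]:
        print(defender_cost(combo, PARAMS))
    print("best:", best_stack(PARAMS))
```

       With these numbers the cheapest stack is captcha plus the device rate limit: together they push the attacker's expected value below zero, so no attacks are attempted, while costing the owner far fewer innocents than manual review, which also deters but blocks or drives away a tenth of legitimate users. The ordering flips if the asset is worth more to the attacker or the innocents are worth less to the owner, which is the point of slide 19: the right amount of friction is a property of the payoffs, not of the controls.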
  • 31. Why are we still playing?
       - Economic/mathematical models depend on rational participants
       - Free will doesn't imply rationality
       - Economics studies what should happen; behavioral economics studies what does happen
  • 32. Example of rational irrationality: the Ultimatum Game
       - Player A is given $1000 and must split it with Player B; Player A chooses the split
       - Player B receives the offer: if B accepts, both get their share; if B rejects, both get 0
  • 33. Take it or leave it
       Outcomes:
       - Players in the A role usually offer ~50%
       - Players in the B role often reject offers below 30%
       - This behavior occurs across cultures and levels of wealth
       Emotions matter:
       - Heightened activity in the bilateral anterior insula (disgust) with low offers, and in the dorsolateral prefrontal cortex (cognitive decision making) with high offers
       - Fairness, fear, punishing the mean
  • 34. Therefore: winning strategies depend on understanding behavior
       - Both attackers and defenders may exhibit bias when making decisions about the game and the other players
       - Retrofit conceptual models to actual experiences
       - Fill in the blanks on player costs/payoffs
       - Risk controls still need to either change the friction (cost) or change the expected value of the pay-off
       - Continue to analyze game dynamics over time: low-risk, high-frequency interactions (data); high-risk, low-frequency interactions (negotiation)
  • 35. "Prediction is very difficult, especially about the future." (Niels Bohr)
       Allison Miller, @selenakyle
  • 36. Some references
       - Axelrod, Robert. The Evolution of Cooperation.
       - Dixit, Avinash, and Nalebuff, Barry. The Art of Strategy: A Game Theorist's Guide to Success in Business and in Life.
       - Fisher, Len. Rock, Paper, Scissors: Game Theory in Everyday Life.
       - Gibbons, Robert. Game Theory for Applied Economists.
       - Meadows, Donella. Thinking in Systems: A Primer.
       - Wikipedia's sections on Game Theory, Economics, and Probability.