Mapping between classical risk management and game theoretical approaches

Authors:
Lisa Rajbhandari;Einar Arthur Snekkenes
Affiliations:
Norwegian Information Security Lab, Gjøvik University College, Norway;Norwegian Information Security Lab, Gjøvik University College, Norway
Venue:
CMS'11 Proceedings of the 12th IFIP TC 6/TC 11 international conference on Communications and multimedia security
Year:
2011

Citing 8
Cited 2

Incentive-based modeling and inference of attacker intent, objectives, and strategies

Proceedings of the 10th ACM conference on Computer and communications security
A framework for comparing different information security risk analysis methodologies

SAICSIT '05 Proceedings of the 2005 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries
The Black Swan: The Impact of the Highly Improbable

The Black Swan: The Impact of the Highly Improbable
Cybersecurity Strategies: The QuERIES Methodology

Computer
A Survey of Game Theory as Applied to Network Security

HICSS '10 Proceedings of the 2010 43rd Hawaii International Conference on System Sciences
Information security economics - and beyond

CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
The Risk IT Framework

The Risk IT Framework
SP 800-30. Risk Management Guide for Information Technology Systems

SP 800-30. Risk Management Guide for Information Technology Systems

Intended actions: risk is conflicting incentives

ISC'12 Proceedings of the 15th international conference on Information Security
Risk-based adaptive security for smart IoT in eHealth

Proceedings of the 7th International Conference on Body Area Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

In a typical classical risk assessment approach, the probabilities are usually guessed and not much guidance is provided on how to get the probabilities right. When coming up with probabilities, people are generally not well calibrated. History may not always be a very good teacher. Hence, in this paper, we explain how game theory can be integrated into classical risk management. Game theory puts emphasis on collecting representative data on how stakeholders assess the values of the outcomes of incidents rather than collecting the likelihood or probability of incident scenarios for future events that may not be stochastic. We describe how it can be mapped and utilized for risk management by relating a game theoretically inspired risk management process to ISO/IEC 27005. This shows how all the steps of classical risk management can be mapped to steps in the game theoretical model, however, some of the game theoretical steps at best have a very limited existence in ISO/IEC 27005.