Documentos de Académico
Documentos de Profesional
Documentos de Cultura
To cite this Article Matusitz, Jonathan(2009) 'A Postmodern Theory of Cyberterrorism: Game Theory', Information
Security Journal: A Global Perspective, 18: 6, 273 — 281
To link to this Article: DOI: 10.1080/19393550903200474
URL: http://dx.doi.org/10.1080/19393550903200474
The publisher does not give any warranty express or implied or make any representation that the contents
will be complete or accurate or up to date. The accuracy of any instructions, formulae and drug doses
should be independently verified with primary sources. The publisher shall not be liable for any loss,
actions, claims, proceedings, demand or costs or damages whatsoever or howsoever caused arising directly
or indirectly in connection with or arising out of the use of this material.
Information Security Journal: A Global Perspective, 18:273–281, 2009
Copyright © Taylor & Francis Group, LLC
ISSN: 1939-3555 print / 1939-3547 online
DOI: 10.1080/19393550903200474
Game Theory
Jonathan Matusitz
A Matusitz
J. Postmodern Theory of Cyberterrorism
University of Central Florida, ABSTRACT This article analyzes how the battle between computer security
Lake Mary, Florida, USA experts and cyberterrorists can be explained through game theory. This article
is important because it not only applies game theory to the study of cyberter-
rorism, which has been rarely done so far, but it also breaks new ground by
intersecting the game theoretical model with another theory, social network
theory. An important thesis of this analysis is that under the principles of
game theory, each player is assumed to be rational; all players wish the out-
Downloaded By: [Black, dk] At: 20:41 30 November 2010
INTRODUCTION
This article analyzes how the battle between computer security experts and
cyberterrorists can be explained through game theory. This article is important
because it not only applies game theory to the study of cyberterrorism, which
has been rarely done so far (i.e., Lye & Wing, 2005), but it also breaks new
ground by intersecting the game theoretical model with another theory, social
network theory. A key premise of this analysis is that under the principles of
game theory, each player is assumed to be rational; all players wish the out-
come to be as positive or rewarding as possible. Game theory is a postmodern
theory; against opponents who wage attacks in a postmodern fashion, conven-
tional strategies lead nowhere. The cyberterrorist and the cyber forensics
expert not only engage in real-time game play but also use tactics that are not
conceivable in conventional conflict.
This article begins with an explanation of the rationale for using game theory
in the context of cyberterrorism. The article then provides an extensive literature
Address correspondence to Jonathan
review on game theory, describing the meaning of the theory, three types of
Matusitz, PhD, University of Central outcomes that result from the actions taken by the players in the game (i.e.,
Florida Partnership Center, 100 the Nash equilibrium, the zero-sum game, and the positive-sum game and the
Weldon Blvd., Sanford, FL 32773.
E-mail: matusitz@gmail.com negative-sum game), and the importance of the role of communication in
273
game theory. What comes after the literature review is he or she may suspect that an attack has occurred and
the heart of the article: the application of game theory that action must be taken immediately. This implies
to cyberterrorism. As such, this section provides a that the two players are in the same context. One
clear definition of cyberterrorism, and describes how player wants to attack a computer system; the other
game theory can be applied to this context, how the wants to protect it. The context involves short-term
theory is postmodern, and what postmodernism strategies on the part of both sides. The interactions
means. The article ends with a general explanation of between the cyberterrorist and the computer security
how game theory and social network theory can be agent are to be viewed as a postmodern two-player
intermingled. Finally, a discussion section and sugges- game. The goal here is to explain what strategies are
tions for future research are offered. used by both players and how computer security
agents can use the outcomes of the game to improve
the security of their network.
RATIONALE FOR USING GAME
THEORY
LITERATURE REVIEW
Game theory examines the relationships between
individuals or groups, using models with clear state- This literature review on game theory provides a
ments of consequences (individual payoffs) that depend description of the theory, illustrates three types of out-
on the actions taken by more than one individual comes that result from the actions taken by the players
(Aumann & Hart, 1992; Fudenberg & Tirole, 1991; von in the game (i.e., the Nash equilibrium, the zero-sum
Downloaded By: [Black, dk] At: 20:41 30 November 2010
Neumann & Morgenstern, 1944). Game theory has game, and the positive-sum game and the negative-
been applied to many disciplines: economics, political sum game), and justifies the role of communication in
science, particularly voting decisions (Bilbao, Fernandez, game theory.
Jimenez, & Lopez, 2002), as well as other numerous
domains, including two important ones for the past sev-
Description of Game Theory
eral years (law enforcement and cyber forensics (see
Fent, Feichtinger, & Tragler, 2002). The reason for using Game theory, first outlined by John von Neumann
game theory in this study is that game theory is all (von Neumann & Morgenstern, 1944), studies how
about power and control. It deals with two-person (or individuals behave when they are placed in situations
more) decision-making situations (with opposing or that require them to interact with other individuals.
joined interests). As explained later, game theory is well Game theory analyzes rational behavior in interactive
suited to the analysis of cyberterrorism. Since games fre- or interdependent situations and proposes a set of
quently reproduce or share characteristics with real situ- mathematical tools and models for analyzing these
ations, they can offer strategies for dealing with such interactive or interdependent processes (Neel, 2005). It
circumstances. The basic assumption is that the players rests on the premise that each person “must first know
(decision makers) follow specific objectives and take the decision of the other agents before knowing which
into account both their skills and expectations of the decision is best for himself or herself” (Jehle & Reny,
other player’s (decision maker’s) behavior. 2001, p. 267). As the theory suggests, a game consists
Another reason why game theory is suited for this of players. The number of players does not matter, but
study is that, in the face of opponents who carry out the theory is best applicable when the number of play-
attacks in a postmodern fashion, conventional strategies ers does not exceed “a few.” So, each person is a player
lead nowhere. The cyber attacker and the computer in the game and the player is also a decision maker,
security agent not only engage in real-time game play choosing how he or she acts. Because each player
but also use strategies that are not conceivable in con- wants the greatest possible consequence according to
ventional warfare. Game theory can explain how his or her preference, every decision made by each
viruses evolve (Turner, 2005). For this reason, the the- player will have an impact — whether positive or nega-
ory can greatly contribute to a better understanding of tive — on the outcomes of the game. In other words,
cyber strategy and its implications. For instance, when each outcome is the result of particular moves made by
a public Web server administrator notices something players at a given point in the game (Rapoport, 1974).
unusual in the network (e.g., caused by a DOS attack),
J. Matusitz 274
The fundamental characteristic of game theory is states do not depend on past states (Workman, 2004).
the assumption that players are rational and, therefore, In other words, the description of the present state
look for the maximization of the difference between completely encapsulates and provides all the informa-
their own costs and benefits when considering an tion that could affect the future evolution of the process.
action to take. With respect to decisions or moves It is a probabilistic process, not deterministic, that will
made by players, game theory shares fundamental allow future states to be reached (Markov, 1971).
similarities with social exchange theory. Coined by According to Rapoport (1974), game theory
Hormans (1958), social exchange theory posits that implies players (decision makers) and payoffs accu-
human relationships develop through the use of a mulated by each player as a consequence of each pos-
subjective cost-benefit analysis and the comparison of sible outcome. A player will always take the path that
alternatives (e.g., “what my partner gives may be a will result in a greater payoff to himself or herself
cost to him, just as what my partner gets may be a (which means that each player knows the payoffs and
reward”). Just like game theory, social exchange the- the opponent(s) at any given end state). This also
ory rests upon rationalization and the outweighing of implies that each player seeks to follow the strategies
perceived benefits. An example of rationalization that will accomplish the most beneficial goal in every
would be the following: “It was the right thing to do.” situation. Of equal relevance is that game theory is
Thibaut and Kelley (1959) go even further by integrat- the strategic thinking about how player A will act in a
ing the notion of irrational moves into the theory. situation where his or her moves will affect player B,
For instance, they illustrated vengefulness as an irra- whose moves, in turn, will have an impact on player
Downloaded By: [Black, dk] At: 20:41 30 November 2010
tional motive (e.g., “I would rather see both of us die A. What comes next is a description of three types of
than see him get off easier than I”). They also outcomes that result from the actions taken by the
explained the role of moralization (e.g., “I will be for- players in the game: (1) the Nash equilibrium, (2) the
given in Heaven”). A parallel to game theory can be zero-sum game, and (3) the positive-sum game and
drawn here, as each player is assumed to be rational. the negative-sum game.
This means they all wish the outcome to be as satis-
factory as possible according to the specific set of
reward and cost values (Sallhammar, Helvik, & Nash Equilibrium
Knapskog, 2006). The concept of Nash equilibrium was coined by
As one can see, both game theory and social John Nash (1950). It refers to the outcome of a game
exchange theory involve moves, decisions, strategies, that occurs when one player takes the best possible
or actions that look like those used in a chess game, action based on the action of another player. Likewise,
where each player does not know what moves his or the latter player takes the best possible action based on
her opponent will take. Therefore, each of the players the action of the first player. In the Nash equilibrium,
must find a strategy to examine the possible actions of both players perform their dominant strategies. What
each other in the situation. The ultimate goal is to this means is that neither of the two players would
determine the best course of action for each player change his or her strategy if offered the chance to do
(Jehle & Reny, 2001). By providing tools for analyzing so at the end of the game. So, each player makes the
strategic interactions among two or more players, best decision that he or she can, taking the actions of
game theory uses simple models to study complex his or her opponent as given (Mehlmann, 2000).
interactive relations. The advantage is that game theory In addition, the Nash equilibrium also implies that
helps illustrate the potential for, as well as the risks each player maximizes his or her own actual or expected
associated with, collaborative behavior among distrust- payoff. Recall that the payoff is the outcome obtained by
ful players in the game. Nevertheless, it is important to a combination of decisions. Again, each player takes the
note that, unlike in chess, pieces are never removed other player’s current strategies as given (Nash, 1950). So,
from the game board. As Workman (2005) puts it, a player has nothing to gain by changing only his or her
under the principles of game theory, players remain own strategy. If a player has chosen a strategy and if he
largely nomothetic, even when modeled out as a Con- or she cannot benefit by changing that strategy, while
tinuous Time Markov Chain (CTMC). According to the other player keeps his or hers unchanged as well,
the premises of CTMC, given the present state, future then the current set of strategies and the payoffs that
J. Matusitz 276
cyberterrorists, why do many of them try to destroy
the computer system of the Pentagon or other federal
agencies? Why do they not cripple more targets
outside those organizations? The answer to these to
questions is simple. Cyberterrorists like to commit
malicious acts where they believe it will help influence
those who make decisions directly in the way of the
cyberterrorists’ goals. A network of cyberterrorists has as
its main objective to cause damage to the computer sys-
tem that it attacks. This damage can take many forms.
First, any action undertaken by the computer network
to strengthen its security system against attacks gener-
FIGURE 1 The interactions between the attacker and the
ates benefits for the cyberterrorists because it imposes system modeled as a stochastic game.
costs on the computer network. Second, any move
taken by the cyberterrorists that causes damage to the
computer network increases benefits for the cyberter- Sallhammar, Helvik, and Knapskog (2005) followed
rorist (e.g., self-glorification as the “enemy” suffers). the game model as applied to attacks on computer
Conversely, the response from the computer net- networks, based on a reward and cost concept. Their
work against a cyberterrorist action can be twofold: goal for using game theory was to compute the
expected attacker behavior in regards to decision
Downloaded By: [Black, dk] At: 20:41 30 November 2010
Since these three nodes are highly connected to thou- strategies taken by the cyberterrorist fail, which
sands of computers, they are actually hubs. The cyber- happens in most cases (Mitnick & Simon, 2002). The
terrorist represents a small external node, working game can be a “cooperative” type of game if a
from a single computer. The cyberterrorist is not a cyberterrorist uses inducements to get a public Web
hub; however, his or her actions could be damaging. server administrator to take actions that will reach a
The links that we see are direct communication paths. positive outcome. The choices and actions made by
The computer security agent can work, for instance, the cyberterrorist can be influenced by the adminis-
from a private workstation and can have direct access trator (and vice versa). For example, the cyberterrorist
to all the features of the public Web server. From a can urge the administrator to install two levels of
game theory perspective, all kinds of strategies are password protection to make the effort required to
available to each player. For example, “a common target wreaking havoc more challenging to the attacker. It
for use as a launching base in an attack is the public might be the case that the cyberterrorist wants the
Web server” (Lye & Wing, 2005, p. 4). By using this network to be in a good state in order to create the
hub as a springboard from which serious damage biggest damage. After all, it takes a big target to create
could be inflicted, the cyberterrorist could try to flood a big damage.
private-home computers with viruses. Until the cyber- Based on the motives of the attacker, the adminis-
terrorist takes action, the computer security agent does trator might, in turn, increase security to prevent him
not know whether there is an attacker or not. He or or her from carrying out an evil plan. The cyberterrorist
she does not even know about the existence of the might perceive this next move as a tradeoff. Con-
node. It is important to note that not all actions taken versely, computer security agents might be able to
contemplate the idea that, while unknown cyberterrorist
actions may occur at any time, some of their moves
private
fileserver
are more likely to occur than others.
public
Cyberterrorist Webserver
we know it in actual space, is deconstructed; the the extent to which the two are intertwined. As such,
center in cyberspace is everywhere and the circumfer- it might be interesting to see whether or not those
ence nowhere. This is where the value of postmod- who defend systems and those who attack them fall
ernism comes into play: fluidity, fragmentation, and into the gray areas in between. Or, think of the follow-
decentralization. ing question: Do “good” and “evil” blur into gray? No
One conclusion that can be drawn from this theo- matter what the answer to this question may be, game
retical analysis is that cyberterrorists are postmodern theory remains a promising theory for exploring the
Internet-based terror reapers; they constantly seek to complex phenomenon of cyberspace. The informa-
turn the technological superiority and complexity of tion age has just begun and will pave the way for many
their targets into liabilities rather than assets. Just more marvels, events, and mysteries. Understanding
look at how immeasurably vulnerable our postmodern the tactics and strategies used by both cyberterrorists
society is in the face of malicious software programs, and their opponents is only a beginning step for game
destruction, or any disconnection of our information theory scholars.
systems or power supplies. Despite the fact that
abundant technical safeguards may be created by the
finest experts worldwide, the dangerous game we REFERENCES
have to face against cyberterrorists will be a strategies- Arquilla, J., Ronfeldt, D., and Zanini, M. (1999). Networks, netwar and
versus-counterstrategies game in which the players information-age terrorism. In I. O. Lesser, B. Hoffman, J. Arquilla, D.
F. Ronfeldt, M. Zanini, & B. M. Jenkins (Eds.), Countering the new
who will prevail will be those who possess the terrorism, pp. 39–88, Santa Monica, CA: RAND.
structural advantage. After all, to disrupt is structurally Aumann, R. and Hart, S. (Eds.). (1992). Handbook of game theory
with economic applications. Amsterdam: Elsevier Science
less difficult than to protect. The modern protectors
Publishers.
may be playing a losing game against the postmodern Bellomo, N. (2007). Modeling complex living systems: A kinetic theory
disruptors. and stochastic game approach. Boston: Birkhäuser.
Bilbao, J., Fernandez, J., Jimenez, N., and Lopez, J. (2002). Voting power
What this article has also shown is that game theory in the European Union enlargement. European Journal of Opera-
and social network theory can be effectively inter- tional Research, 143, 181–196.
Bubitt, S. (2002). Digital filming and special effects. In D. Harries (Ed.),
sected to explore the complicated and enigmatic phe-
The new media book, pp. 17–29, London: BFI Publishing.
nomenon of cyberterrorism. Game theory is an Carmel, D. and Markovitch, S. (1996). Learning and using opponent
inherent modeling framework for comprehending models in adversary search, Technical Report, CIS9606.
Clem, A., Galwankar, S., and Buck, G. (2003). Health Implications
how nodes in the network make independent moves of cyber-terrorism. Prehospital and Disaster Medicine, 18(3), 272–275.
J. Matusitz 280
Collin, B. (1996). The future of cyberterrorism. Proceedings of the Elev- McQuail, D. (2000). McQuail’s mass communication theory. Thousand
enth Annual International Symposium on Criminal Justice Issues, The Oaks, CA: Sage.
University of Illinois at Chicago. Mehlmann, A. (2000). The game’s afoot! Game theory in myth and par-
Conway, M. (2002). What is cyberterrorism? Current History, 2, adox. Providence, RI: American Mathematical Society.
436–440. Mitnick, K. D., and Simon, W. L. (2002). The art of deception: Controlling
Derrida, J. (1967). Writing and difference. Chicago: University of Chicago the human element of security. Indianapolis, IN: Wiley Publishing, Inc.
Press. Nash, J. (1950). Equilibrium points in n-person games. Proceedings of
Derrida, J. (1973). Speech and phenomena. Evanston, IL: Northwestern the National Academy of the USA, 36(1), 48–49.
University Press. Neel, J. J. (2005). Gametheory can be used to analyze cognitive radio.
Docherty, T. (1993). Postmodernism: A reader. London:Harvester Electronic Engineering Times, 1386, 69–72.
Wheatsheaf. Neumann, J. von and Morgenstern, O. (1944). Theory of games and
Dunnigan, J. F. (2003). The next war zone: Confronting the global threat economic behavior. Princeton, NJ: Princeton University Press.
of cyberterrorism. New York: Citadel Press. Pike, K. L. (1967). Language in relation to a unified theory of structure of
Fent, T., Feichtinger, G., and Tragler, G. (2002). A dynamic game of human behavior. The Hague: Mouton.
offending and law enforcement. International Game Theory Review, Rapoport, A. (Ed.). (1974). Game theory as a theory of conflict resolu-
4(1), 71–89. tion. Boston: D. Reidel Publishing Company.
Floyd, S. and Fall, K. (1999). Promoting the use of end-to-end Sallhammar, K., Helvik, B. E., and Knapskog, S. J. (2005). Incorporating
congestion control. IEEE/ACM Transactions on Networking, 7(4), attacker behavior in stochastic models of security. In Proceedings of
458–472. the 2005 International Conference on Security and Management,
Fudenberg, D. and Tirole, J. (1991). Game theory. Cambridge, MA: MIT Las Vegas, NV.
Press. Sallhammar, K., Helvik, B. E., and Knapskog, S. J. (2006). A game-
Gebser, J. (1985). The ever-present origin. Athens: Ohio University Press. theoretic approach to stochastic security and dependability
Homans, G. C. (1958). Social behavior as exchange. American Journal of evaluation. In Proceedings of the Second IEEE International Sym-
Sociology, 63(6), 597–606. posium on Dependable, Autonomic and Secure Computing, India-
Hsu, F., Anantharaman, S., Campbell, M. S., and Nowatzyk, A. (1990). napolis, IN.
Deep thought. In T.A. Marsland and J. Schaeffer (Eds.), Computer, Tesauro, G. (1994). TD-Gammon, a self-teaching backgammon program
chess, and cognition, pp. 55–78, New York: Springer Verlag. achieves master-level play. Neural Computation, 6, 215–219.
Downloaded By: [Black, dk] At: 20:41 30 November 2010
Jameson, F. (1991). Postmodernism, or the cultural logic of late capitalism. Thibaut, J. W. and Kelley, H. H. (1959). The social psychology of groups.
Durham, NC: Duke University Press. New York: Wiley.
Jehle, G. A. and Reny, P. J. (2001). Advanced microeconomic theory, Turkle, S. (1992). Psychoanalytic politics: Freud’s French revolution. London:
third edition. Boston: Addison-Wesley Longman. Free Association Books.
Kramer, E. M. (1997). Modern/postmodern: Off the beaten path of anti- Turner, P. E. (2005). Cheating viruses and game theory. American Sci-
modernism. Westport, CT: Praeger. entist, 93(5), 428–435.
Lister, M., Dovey, J., Giddings, S., Grant, I., and Kelly, K. (2003).New Workman, M. (2004). When all you have are nails, nothing looks like a
media: A critical introduction. New York: Routledge. hammer: Advancements in technologies and the ontological to
Littman, M. L. (1994). Markov games as a framework for multi-agent epistemic transformation. Reston, VA: Conference on Counter-Intel-
reinforcement learning. Proceedings of the Eleventh International ligence and Cyber Counter-Terrorism.
Conference on Machine Learning, pp. 157–163. Workman, M. (2005). Nomothetic and ideographic predictions: A gener-
Lye, K. W. and Wing, J. M. (2005). Game strategies in network security. alized application of Churchman heuristics in modeling attack epi-
International Journal of Information Security, 5(1), 1–10. sodes. Tampa, FL: A presentation to the Department of Defense
Markov, A. A. (1971). Extension of the limit theorems of probability theory Northern Command and the National Security Agency, Project Green
to a sum of variables connected in a chain. In R. Howard (Ed.), Dynamic Dragon.
probabilistic systems, pp. 552–577, New York: John Wiley and Sons. Workman, M. (2008). Technology: The double-edged sword in terror
McDermott, C. (1992). Essential design. London: Bloomsbury. and interdiction. Melbourne, FL: The second annual conference of
the Global Center for Preparedness, pp. 2–11.