Increasing the Confidence in Security Assurance Cases using Game Theory
Paper in proceeding, 2024

Security assurance cases (SACs) consist of arguments that are supported by evidence to justify that a system is acceptably secure. However, they are a relatively static representation of the system's security and therefore currently not effective at runtime which make them difficult to maintain and unable to support users during threats. The aim of this paper is to investigate how SACs can be adapted to become more effective at runtime and increase confidence in the system's security. We extend an example SAC with game theory, which models the interaction between the system and attacker and identifies their optimal strategies based on their payoffs and likelihoods. The extension was added as a security control in the assurance case, where a security claim indicates what strategy should be taken at runtime. This claim changes dynamically with the recommended strategy output by the game-theoretic model at runtime. Based on the results of the evaluation, the extension was considered to be potentially effective, however this would further depend on how it is implemented in practice.

Runtime

Assurance Cases

Bayesian Games

Game Theory

Security

Author

Antonia Welzel

Software Engineering 1

Rebekka Wohlrab

Software Engineering 1

Mazen Mohamad

Software Engineering 2

ACM International Conference Proceeding Series

35
9798400717185 (ISBN)

19th International Conference on Availability, Reliability and Security, ARES 2024
Vienna, Austria,

Subject Categories

Computer Science

Computer Systems

DOI

10.1145/3664476.3664501

More information

Latest update

8/13/2024