Applications of Game Theory in Information Security

A new trend of research in information security revolves around the idea of treating individuals not as their intrinsic characteristics, e.g., honest or dishonest, but as utility maximisers. This is a special feature of the field of economics of security, namely rational security. Looking into the economic incentives of participants in a security scenario brings different insights and solutions than traditional security research in cryptography or formal method. First, traditional security mechanisms assume a set of permanently honest parties, which does not necessarily hold in economic models with utility-driven behaviours. Second, the notion of capabilities/powers/advantages of dishonest parties in traditional mechanisms may be too strong for certain scenarios (e.g., many civil purposes), leading to either impossibility results or practically infeasible security solutions.

In this thesis, we examine several security problems where above issues would emerge alongside traditional security research. We use game theory to study strategies and economic incentives of participants in these problems, e.g., attackers and defenders. Our goal is to provide, for each scenario, useful insights about the trend of behaviours/decisions these participants should take, which would be useful in understanding and predicting their actual courses of actions, thus helping future research or realistic solution design. When possible, we also propose security solutions, such as protocols or contracts that, under rational security, would lead to desirable outcomes in which, for example, attacks do not occur. Our research involves both high-level (e.g., investment) and low-level (e.g., network communication) security problems.