6. The Skill of Cybersecurity: Adversarial Thinking 141 Therefore, it creates a kind of level-0 strategy—it is the obvious place to hide or seek something. So even in a game like this, level-k reasoning plays a role. Game theory researchers have also found that when people are presented with choices laid out in a row they predictably avoid end points and focus on the middle. This paired with the fact that the B box stands out, is what makes the third box the most likely to be chosen next—it is the level-1 strategy. 54% of seekers and 45% of hiders choose the third box. Interestingly, this game also illustrates asymmetry between hiders and seekers—hiders select the rightmost box twice as often as seekers (22% to 11%). This box is the level-2 choice in the game. Figure 6.6 The hide-and-seek game. Asymmetry like this naturally exists in security games. A security game is a game theoretical game involving an attacker and a defender. In security games defenders tend to start at level-0 whereas attackers tend to start at level-1. In other words, the attacker’s most obvious strategy is actually a level-1 strategy. They start at a more strategic level because they instinctively think about the other player’s perspective. Meanwhile, defenders naturally focus on what they are trying to protect instead of the adversary’s perspective, and they often make the predictable choice (i.e., the level-0 strategy). Predictable choices are not good for cybersecurity because intelligent adversaries can anticipate them. The Colonel Blotto Game At dusk and on opposite sides of a valley, Colonels Alto and Blotto survey the terrain. They know at dawn battles will commence over three distinct strategic positions. They each have nine companies of soldiers, and in the cover of darkness, they must allocate their soldiers to battlefields so that fighting can ensue over each position at first light. Since their forces are equally matched, the battlefields will go to the side that allocates more soldiers. The colonels have no way of knowing what the other side is planning. How many companies of soldiers should Colonel Blotto allocate to each of the three battlefields?
RkJQdWJsaXNoZXIy MTM4ODY=