6. The Skill of Cybersecurity: Adversarial Thinking 143 are no foolproof or simple solutions. It also provides valuable insights because it helps in the rigorous analysis of security scenarios. 6.3.2 Behavioral Game Theory Summary Behavioral game theory is a better predictor of strategic choices than analytical game theory for many situations because there is a limit to the degree of rationality people apply. Behavior game theory’s concept of level-k reasoning is a helpful way to approach strategic contests. Not all strategic contests lend themselves to level-k reasoning because there may not be an obvious, level-0 strategy. In some situations there are multiple dimensions of level-k reasoning in play. Studies show that two or three levels of reasoning performs well in most games because it anticipates the natural strategic choices of others. 6.4 Conclusion Cybersecurity, at its essence, is an adversarial conflict—without adversaries, there is no such thing as cybersecurity. Therefore, adversarial thinking is the hallmark of the discipline. Furthermore, it is the fundamental skill of cybersecurity—those who excel at it will be prized cyber defenders. This chapter has shown that adversarial thinking has three distinct components that map to Sternberg’s triarchic theory of intelligence. Most of cybersecurity education focuses on the first component: technological capabilities. In order to practice adversarial thinking for cybersecurity, technological capabilities are indeed vital—this levels the playing field between the attackers and the defenders. The second component, unconventional perspectives, AKA the hacker mindset, is also widely acknowledged as important for cybersecurity education. Cyber students are taught creative attack vectors through case studies and labs and are encouraged to practice outside-the-box approaches in capture-the-flag competitions. The third component, strategic reasoning, does not receive as much attention, but it is no less important. Cybersecurity practitioners need to be able to think like a hacker when it comes to planning and strategizing. In an effort to improve the reader’s strategic reasoning abilities, this chapter presented some basic game theory concepts from both analytical and behavioral game theory. The biggest takeaway is that one must consider strategic situations from the perspective of the adversary, not primarily from one’s own perspective. In cybersecurity, if we get so focused on what we are trying to defend or any one best practice, technology, or tool, that we forget about the human adversary, we do so at our own peril. We must always remember the reason it all exists: hackers! They are intelligent and study their targets, trying to anticipate what the defenders are thinking and how to outwit them. This chapter has also made it clear that when it comes to complex, real-world cybersecurity scenarios, the point is not to apply game theory to find the solution, as if only one solution exists. Rather strategic reasoning should be the lens that informs all of the day-to-day and practical decisions that must be made. Cybersecurity practitioners need
RkJQdWJsaXNoZXIy MTM4ODY=