Games and Abstraction: The Science of Cybersecurity

In Summer 2021, PaCCS Communications Officer Kate McNeil sat down with Professor Pasquale Malacaria, a mathematician and computer sciences researcher at Queen Mary University of London, to discuss his work on Games and Abstraction: The Science of Cybersecurity. This project was funded by the EPSRC. This conversation has been edited and condensed for clarity and concision.

Kate McNeil: Thank you for taking the time to speak with me today! Would you mind getting started by telling me a bit about your research background, and how you ended up working on the Games and Abstraction: The Science of Cybersecurity project?

Professor Pasquale Malacaria: My background is in theoretical computer science: in the past I worked mainly on mathematical foundations for computer programs. I am interested in the mathematical objects that computer programs are, and I more recently have begun to explore the mathematical foundations of computer security. My interest in the Science of Cybersecurity project was fueled by an interest in what it means for a system to be secure from a mathematical point of view, and the project also drew on my interests in game theory and information theory in mathematical disciplines.

What were some of the main aims of the project, and what are some of the theoretical advances you were able to make?

This project really emerged from collaboration with Chris Hankin, a colleague at Imperial College. That collaboration was driven by the question “how can we help people make better security decisions using game theory?” Out of that question emerged two main objectives, the first of which was to examine game theory in cybersecurity modelling. Game theory is the mathematical theory for modelling adversarial behavior. It can naturally be applied to the kinds of conflicts that involve organizations or security rules. While people had written about game theory and cybersecurity before, we thought the existing theories were leaving out some important components. For example, if your idea of security is changing your password every day because you think that is the most secure way of dealing with passwords, then there are consequences to your policy – namely that you will forget your password. So, we argued that any kind of security measures that may be positive can also have some negative consequences – and our work introduced those consequences to the modelling, which increased the model’s sophistication.

Secondly, in terms of the advances we were able to make in mathematics, these kinds of games could not be solved well with existing mathematical techniques, because there are many possible strategies, which made doing the calculations very difficult. Our work has been looking for a way to solve these kinds of games more efficiently.

Can you also tell me a bit about the more practical side of your research?

At this stage, we are very happy with the theories that we developed, so the important next step for us is to look for a case study where we can showcase our work. One area of potential application is critical infrastructure, in areas such as electricity grids, or water or gas supplies. This kind of infrastructure is clearly a big target for cyberattacks, as exemplified by the recent cyberattack on a gas pipeline in the United States. So, it is very important to have optimal cybersecurity in these contexts, and we are developing a case to use our tools and techniques to optimize cyber defenses for these types of infrastructures.

At the same time, we are also developing a case study for a hospital. Cybersecurity in hospitals is also very important, because you want to protect patient data, and you do not want attackers to take control of machines which could cause damage, for example x-rays or scans with electromagnetic resonance that could be harmful.

Based on the findings of your recent research into cybersecurity, do you have any recommendations for regulators or policymakers?

There are some particular challenges in cybersecurity that fall outside of the work of academics. My background is as a theoretician, but in cybersecurity the theory is only one of the things involved. Cybersecurity also involves financial commitments, and it involves data. Organizations often do not want to disclose cybersecurity data, because it does not look good for them if people know that an organization is often being attacked. However, that makes it very difficult for us mathematicians to have the data we need to test and improve cybersecurity theories. We need policymakers to help by creating the space for testbeds for cybersecurity ideas, and we need policymakers to help facilitate the links with industries and data we can use to help tackle the cybersecurity challenge.

Where do you see your research in this area going from here?

After our initial round of EPSRC funding, we received additional funding which has helped to fund our case study research. At the moment, I am also working on a follow-up project focusing on AI cyberthreats in a home environment. With that project, we are exploring the threats home users may face as we are exposed to devices that are more and more intelligent, and therefore potentially more of a threat in terms of their capabilities. So, we want to develop strategies to help protect home users, and at this stage I am beginning to involve industrial organizations in applying this idea, because the theory is quite mature.