GAME-THEORETIC OPTIMIZATION MODEL FOR SELECTING SECURITY CONTROLS IN DISTRIBUTED INFORMATION SYSTEMS
DOI:
https://doi.org/10.28925/2663-4023.2025.30.913
Keywords:
distributed information systems; cybersecurity; selection of security controls; game theory; Bayesian games; optimization; network effects; expected losses.
Abstract
The article proposes a game-theoretic optimization model for selecting security controls for distributed information systems (DIS) under conditions of targeted cyber opposition. The relevance of this study is driven by the increasing architectural complexity of distributed information systems, limited security resources on the defense side, and the presence of a rational or boundedly rational adversary acting strategically. In contrast to existing optimization methods and traditional game-theoretic models, the proposed model integrates a network-based description of the DIS, the formalization of security control selection, and a Bayesian interpretation of the attacker's behavior. In this study, the DIS is represented as a directed graph with heterogeneous node criticality, accounting for the network effects of attack propagation. Security controls are modeled as discrete alternatives subject to the defender's limited budget. To assess the consequences of the conflict, a total Bayesian expected loss function is introduced. This function aggregates local damages, taking into account the prior probabilities of attacker types and their attack scenarios against the DIS. The optimal selection of a defense strategy is formulated as a problem of minimizing total Bayesian expected losses, which possesses a game-theoretic interpretation. To validate the model's functionality, computational experiments were conducted using the Python programming language within the PyCharm IDE. The obtained results confirmed the non-linear nature of the dependency between loss levels and the security budget, demonstrating the advantages of strategically balanced solutions over locally optimal approaches. These findings confirm the expediency of applying the game-theoretic optimization method for decision support in the field of distributed information systems cybersecurity.
License
Copyright (c) 2025 Юрій Яскевич

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.