Impact of computer users on cyber defense strategies

Cybersecurity research often focuses primarily or exclusively on the interactions between the attacker, trying to exploit the computer system, and the defender, trying to protect it. However, including the computer users is important because the users’ requirements are the reason the computer system exists.An extension of the Petri net formalism, Petri Nets with Players, Strategies, and Costs (PNPSC) was used to model cyberattacks described in the MITRE Common Attack Pattern Enumeration and Classification database. PNPSC models include the attacker, defender, and computer user as “players” attempting to achieve competing goals. Each player can observe the current marking of a subset of the PNPSC net's places and change the stochastic firing rates of a subset of the net's transitions in order to achieve their goals. A mapping between the markings of a player's observable places and the desired firing rates of player's controllable transitions is the player's strategy.A reinforcement learning algorithm was integrated with PNPSC models of three cyberattack patterns to learn strategies for the defender in simulations both with and without a representation of the computer user. A simulation experiment showed that the defender's reward was lower and the defender's learned strategy was different when the user was represented. A second simulation experiment and statistical analysis confirmed that the differences were not due simply to randomness. With the user represented, the system defender must balance security against usability. This research provides a more complete cyberattack model and shows that user models are important in future cybersecurity simulation.