This is the second installment in a series on insider threats, industrial sabotage and game theory. Be sure to read Part 1 for more information about the three phases of an insider attack.
Simple Game Theory Model
Before we continue to examine two-player games and provide a bit more insight on the game theory principles of collusion, cooperation and defection, let’s briefly return to the simple game theory model used in economics.
Cooperation agreements alter the simple game theory model slightly:
- Party A will cooperate with party B to target the same division, branch, office, directorate or building within the environment.
- Party A will cooperate with party B but target a different division, branch, office, directorate or building within the environment.
- Party A will cooperate with party B to share knowledge and information uncovered while infiltrating the environment.
- Party A will collude with party B, but party A will put his or her own interests ahead of party B at some point.
- Party B will collude with party A, but party B will put his or her own interests ahead of party A at some point.
- Either party A or party B will institute punishment measures to assure the other remains cooperative and does not defect under any circumstance.
- Either Party A or B will defect one or more times.
The terms party, player and insider threat represent any employee, contingent worker, contractor, subcontractor, union, manager, executive, shareholder, venture capitalist, investment backer, investment firm or external cybercriminal.
Three Phases of Two-Player Games
Phase One: Cooperation
The cooperative model applies when two insider threats agree to work together in pursuit of a common objective. This kind of cooperation does not necessarily imply a literal agreement that both parties sign. Rather, it is simply an understanding between the two parties that they share a common goal — control of one or more parts of the industrial environment they are targeting.
Cooperation between insider threats can have far-reaching consequences, including:
- Compromise of research and development efforts within the environment;
- Slow and continuous theft of intellectually property without any discernible, immediately identifiable source;
- Habitual implementation of the buddy system during corporate reorganizations, allowing workers to remain aligned with specific senior-level executives;
- Consistent manipulation of pricing schedules and hourly rates for consulting firms to siphon additional profit from the target environment;
- Leak of sensitive or classified information;
- Substantial interinstitution lending at unusually low or abnormally discounted rates;
- Frequently malformed, maligned and ill-conceived trade negotiations, trade pacts or industry cooperatives; and
- Frequent formation of special interest groups and special interest lobbyists.
When either party begins to put his or her own interests ahead of the other’s, the second phase of game theory begins.
Phase Two: Collusion
When two insider threats collude to target an environment, the parties usually start out cooperating but begin to conspire against each other over time as each party develops individual goals.
Colluding insider threats can result in a slew of problems, including:
- Attempts to manipulate executive decision-making or influence boards of directors through continuous stock purchases by minority shareholders;
- Continuous failure of high-visibility, high-impact projects due to project leaders being restructured into areas or divisions in which they have limited experience or understanding;
- Hiding of major design flaws or failures in quality controls from both inspectors and consumers;
- Price gouging of consumers, especially on consumer products considered lifesaving or necessary for survival;
- Price dumping of cheap products or low-quality goods into poorer countries;
- Consistent failure of both public and private institutions due to fiscal mismanagement, poor management or no management;
- Collective bargaining by unions with the goal of bankrupting the target environment;
- Price wars at the local, regional or global level; and
- Hacktivism that has little structure and no tangible goal or apparent purpose — in other words, hacking for the sake of gratifying the player’s ego.
The third phase of game theory kicks in when either party A or party B decides he or she will no longer collude with the other.
Phase Three: Defection
Understanding defection is not quite so simple. How often the players of the game defect is determined by the type of game. For example, if the game is linear or continuous, such as long-term industrial sabotage, the parties can defect as many times as necessary to reach their goal of controlling the environment. If it’s a single game, a party can defect only once. In industrial environments, a single game would have an ultimate goal of destroying the environment to the extent that recovery is impossible.
Insider threats that defect during a continuous game of industrial sabotage can trigger a variety of issues, including:
- Whistle-blowing at the public, private or regulatory level;
- The sale of highly classified information to lone-wolf terrorists, terrorist groups or terrorist sympathizers;
- Theft of highly sensitive or classified materials to be used in a persistent threat; and
- Theft of industrial information, controls or facilities to be held hostage by ransomware, malware or hacktivists seeking financial gain or elevated social status.
Insider threats that defect during a single game of industrial sabotage introduce a different set of problems:
- Complete destruction of private or public property;
- Complete destruction of internal controls, especially industrial controls that manage critical infrastructure;
- Complete sabotage of highly advanced military and defense research projects;
- Terrorist attacks that aim for deadly results; and
- Dissolution of a single company or a company and all subsidiaries.
In continuous games, defection is not the final phase of the game — the insider threat will simply start the game over by cooperating or colluding once again. In a single-instance game, defection is the end state, since one or both insider threats aim for complete destruction of the target environment.
Detecting and Thwarting Insider Threats
Unfortunately, game theory is extremely difficult to detect in any form, even for the most rigorously secured industrial environments. Security tools that employ behavioral analysis, pattern recognition, predictive analytics and cognitive capabilities enable industrial organizations to bolster their defensive capabilities.
For offensive capability, the industrial environment should establish a red team whose members understand the basic principles of game theory. Industrial environments that do not have the in-house expertise can purchase red team services from a handful of security services firms that offer them.
Management and Strategy Consultant, IBM