Title :
Security Risk Evaluation of Information Systems Based on Game Theory
Author :
Hengwei Zhang ; Jihong Han ; Jian Zhang ; Jindong Wang
Author_Institution :
Zhengzhou Inst. of Inf. Sci. & Technol., Zhengzhou, China
Abstract :
To ensure the security of information systems, security risk has to be accurately evaluated first. Because security risk is influenced by attackers and defenders, it is necessary to consider the costs and benefits of both sides. However, the current evaluation methods mostly focus on one side. To solve the problem, in this paper we propose a security risk evaluation model based on complete information static game (SRE-CSG). The SRE-CSG model represents the interaction and mutual influence of both sides' strategies in the confrontation. On the basis of the SRE-CSG model, we present an improved payoff calculation method. The method takes into account the cost parameters and benefit parameters, and is therefore able to calculate the payoff more accurately. By analyzing the Nash equilibrium strategy of the information security game, an algorithm is designed to evaluate the security risk value. The risk value derived from the algorithm is based on the equilibrium strategy of attackers and defenders, so it is more comprehensive and accurate. The SRE-CSG model and the algorithm can provide theoretical support for efficient information systems security protection. The example analysis proves the effectiveness of the model and algorithm.
Keywords :
cost-benefit analysis; game theory; information systems; risk analysis; security of data; Nash equilibrium strategy; SRE-CSG model; attackers; benefit parameters; complete information static game; confrontation; cost parameters; defenders; game theory; information security game; information system security protection; information systems; payoff calculation method; security risk evaluation model; security risk value; Algorithm design and analysis; Analytical models; Atomic measurements; Game theory; Games; Information systems; Security; Game theory; Nash equilibrium; Risk evaluation; Security risk domain;
Conference_Titel :
Intelligent Human-Machine Systems and Cybernetics (IHMSC), 2013 5th International Conference on
Conference_Location :
Hangzhou
Print_ISBN :
978-0-7695-5011-4
DOI :
10.1109/IHMSC.2013.18