Cybersecurity in Cyber Warfare: The Application of Demon Game Models

  Kam Fung Cheung
Institute of Transport and Logistics Studies
The University of Sydney, Australia

Air, cyberspace, electromagnetic spectrum, land, maritime, and space are the six domains supporting human activity. Of the six domains, only cyberspace is entirely artificial and consists of digital networks, including the Internet, information systems and other communication networks (Bank of England, 2016). Although cyberspace is invisible, it creates massive opportunities for businesses, speeds up information exchange, and continues to transform human interactions.

In response to the threat of the potentially deadly coronavirus COVID-19, companies, governments, and schools around the world have encouraged people to work from home (WFH) to minimize the risk of infections. Workers and students use videoconferencing services, collaboration platforms, and other digital tools to conduct business and schoolwork. Shifting of physical meetings into the digital realm puts unprecedented pressure on network security and opens multiple vectors for cyberattacks, such as unsecured data transmission without using virtual private network (VPN) software (Boehm, Kaplan & Sportsman, 2020). Zoom’s videoconferencing service has become a popular communication platform since COVID-19 pushed meetings, classes, and lectures online. However, several major security vulnerabilities in Zoom’s software have been uncovered, including a security flaw that allows cybercriminals to take over a Zoom user’s Mac machine (Singer & Perlroth, 2020). This cyber vulnerability raises a new concern about protecting assets against malicious attacks from cyberspace.

Demon game models, including attacker-defender models, defender-attacker models and defender-attacker-defender models, are widely used in defending infrastructure such as transportation networks and electric power grids (Alderson, Brown & Carlyle, 2014; Bell 2000; Bell et al., 2008; Brown et al., 2006; Ouyang, 2017; Yuan, Zhao & Zeng, 2014). The attacker, who can be an individual or a gang of cybercriminals funded by an organization or a state, aims to maximize the defender’s loss. In contrast, the defender, who can be the network administrator or a group of security officers from a national security department, selects an optimal defensive plan to minimize the loss. The demon game reaches an equilibrium in which there would be no further enhancement regarding the other player’s strategy. That is, both the attacker and the defender obtain their best strategies. The attacker’s strategy reveals the most vulnerable assets in an underlying network, while the defender’s strategy indicates the best defensive plan to minimize the loss based on the attacker’s strategy.

Most of these models (Alderson, Brown & Carlyle, 2014; Ouyang, 2017; Yuan, Zhao & Zeng, 2014) generally assume that an attacker is perfectly rational and would always choose a strategy to maximize his/her expected utility or maximize the defender’s loss. However, in reality, attackers have incomplete information that affect their decision-making processes. McKelvey and Palfrey (1995) introduced the concept of quantal response (QR) to model the apparent lack of rationality of the attacker. The attacker would choose worst-case strategies most frequently but not always, leading to stochastic choice probabilities. In this way, the concept of quantal response allows for biases when defining attack strategies. Cheung and Bell (2019) developed a demon game model that applies the concept of quantal response to cybersecurity in logistics management and addresses the issue of asset dependency in a digital logistics network. The solution to the model is a strategy for allocating limited resources for defending critical assets.

Regardless of a player’s rationality, these demon games are one-shot games, in which the players (i.e., the attacker and the defender) play the game once and output their optimal strategies. In practice, the arms race between the attacker and the defender in cyber warfare is an interactive sequential game. Borrero, Prokopyev, and Sauré (2019) presented a framework that applies online optimization to model an interactive sequential game between two players, where one player can learn by observing his/her fully rational opponent’s strategy to improve his/her strategy from time to time. In practice, both the attacker and the defender acquire information from time to time. As an interesting research direction, we can apply the concept of quantal response to model both the attacker’s and the defender’s rationalities by observing each other’s strategies in an interactive sequential game so that the defender can rightly allocate resources to protect critical assets in a timely manner reflecting the attacker’s information. The solution could provide insights to companies on how best to allocate their limited resources for enhancing cybersecurity.



Alderson, D. L., Brown, G. G., & Carlyle, W. M. (2014). Assessing and improving operational resilience of critical infrastructures and other systems. In INFORMS TutORials in Operations Research, 180-215.

Bank of England. (2016). CBEST Intelligence-Led Testing: Understanding Cyber Threat Intelligence Operations. Retrieved from [accessed 9 May 2020].

Bell, M. G. H. (2000). A game theory approach to measuring the performance reliability of transport networks. Transportation Research Part B: Methodological, 34(6), 533-545.

Bell, M. G. H., Kanturska, U., Schmöcker, J. D., & Fonzone, A. (2008). Attacker-defender models and road network vulnerability. Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences, 366(1872), 1893-1906.

Boehm, J., Kaplan, J., & Sportsman, N. (March 2020). Cybersecurity's dual mission during the coronavirus crisis. Retrieved from McKinsey & Company website: [accessed 9 May 2020].

Borrero, J. S., Prokopyev, O. A., & Sauré, D. (2019). Sequential interdiction with incomplete information and learning. Operations Research, 67(1), 72-89.

Brown, G., Carlyle, M., Salmerón, J., & Wood, K. (2006). Defending critical infrastructure. INFORMS Journal on Applied Analytics, 36(6), 530-544.

Cheung, K. F., & Bell, M. G. H. (2019). Attacker-defender model against quantal response adversaries for cyber security in logistics management: An introductory study. European Journal of Operational Research.

McKelvey, R. D., & Palfrey, T. R. (1995). Quantal response equilibria for normal form games. Games and Economic Behavior, 10(1), 6-38.

Ouyang, M. (2017). A mathematical framework to optimize resilience of interdependent critical infrastructure systems under spatially localized attacks. European Journal of Operational Research, 262(3), 1072-1084.

Singer, N., & Perlroth, N. (20 April 2020). Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox. The New York Times. Retrieved from [accessed 9 May 2020].

Yuan, W., Zhao, L., & Zeng, B. (2014). Optimal power grid protection through a defender-attacker-defender model. Reliability Engineering & System Safety, 121, 83-89.