News

Pasquale Malacaria and Yunxiao Zhang have a paper published in a top security journal, IEEE Transactions on Information Forensics and Security (TIFS), on Strategic Decision-Making in Uncertain Turn-Based Security Games.

The paper studies the problem of cybersecurity decision making. It extends previous Leader-Follower game-theoretical models where the leader is the defender and the follower is the attacker (these are called Stackelberg games (ssee point 1 below) ). There are two types of uncertainties here.

a) the state of the attacker; at each turn of the game the attacker may be in several possible states.

b) the values of the security parameters (see point 2 below).

In this work we model both uncertainties in terms of possible worlds, i.e. each admissible instantiation of the uncertainties generates a game in a possible world; hence the model can be described as a Leader-multiple-Followers games where the defender has to choose a strategy "optimal" in all possible worlds. We introduce a solution concept for this type of games as a minimization of the geometric mean across all possible worlds.
We show fundamental mathematical properties of this game solution:

(a) it is Pareto optimal,

(b) it is equivalent to a standard leader-follower game over the sequence of possible worlds, and

(c) it is robust.

The solution is inspired by information theoretical optimal strategies in financial investment, in particular the Kelly criterion (see point 3 below).

We validate our approach through experiments, where it is shown our solutions outperform classic robust optimization solutions like minmax regret.

Point 1) The attacker is the follower because he can observe the defender strategy (the leader) before attacking, hence the rational leader has to think of his defence against all possible follow-up strategies of the attacker; it is a min-max problem (bi-level optimization)

Point 2) Dealing with this type of uncertainty is the big problem for these mathematical models, e.g. what is the effectiveness of a firewall? 60%? 80% we can't run real world experiments to get reliable statistics, so these numbers are mostly experts' educated guesses

Point 3) Kelly proved that the optimal betting strategy (over repeated betting where all capital is reinvested each time) is a strategy maximising the geometric mean not the arithmetic mean. This accounts for the fact that gains and losses are compounding (or multiplying) over time. When money compounds, a big loss hurts you much more than an equally sized gain helps you. For example, losing 50%of your portfolio requires a 100% gain to get back to even. In our case we want to minimise the risk across all possible worlds and the above intuition applies to our problem setting.

Reference

P. Malacaria and Y. Zhang (2026) "Strategic Decision-Making in Uncertain Turn-Based Security Games," in IEEE Transactions on Information Forensics and Security, DOI: 10.1109/TIFS.2026.3698586