Collaboration or separation maximizing the partnership between a “Gray hat” hacker and an organization in a two-stage cybersecurity game

Abstract

Vulnerability disclosure is a key topic in cybersecurity. It is a practice ensuring that organizations address and fix vulnerabilities before bad actors can find and exploit them. This study focuses on the “disclose or exploit” dilemma. It presents a two-player non-zero-sum simultaneous cyber-security game between a hacker and an organization at multiple rounds. The vulnerabilities classified as high, medium, and low are based on a Common Vulnerability Scoring System (CVSS). The hacker can decide to act separately or to collaborate with the organization. Subsequently, the organization chooses to operate individually or cooperate with the hacker. The organization also has a budget limit to patch the vulnerabilities. The paper developed an algorithm to determine the Nash equilibria of the game and conducted a numerical analysis. It found that maximum cooperation occurred at the beginning of the game when both the organization and the hacker decided to cooperate.