SoK: Game-Theoretic Cybersecurity: Assumptions, Models, Gaps, and Bridges

The discipline of game theory was introduced in the context of economics, and has been applied to study cyber attacker and defender behaviors. While adaptions have been made to accommodate features in the cyber domain, these studies are inherently limited by the root of game theory in economic systems where players (i.e., agents) may be selfish but not malicious. In this SoK, we systematize the major cybersecurity problems that have been studied with the game-theoretic approach, the assumptions that have been made, the models and solution concepts that have been proposed. The systematization leads to a characterization of the technical gaps that must be addressed in order to make game-theoretic cybersecurity models truly useful. We explore bridges to address them.