A Comprehensive Insight into Game Theory in relevance to Cyber Security

ABSTRACT


INTRODUCTION
Modern-day communication technology, as well as information, are progressing rapidly in terms of diversity and its sophistication level. The growing connectivity, pervasiveness and complexity in the current information systems pose novel challenges to security, with the cyberspace becoming a playground for people with varying skill levels and intentionspositive or negative. Thus, the protection of assets, identities and information is gaining more and more importance since constant connectivity has become an essential part of the daily life of people [1]. Besides, the social well-being and the economic progress of a nation are increasingly becoming reliant on cyberspace. The increasing interconnectivity, as well as the rise in the computational resource availability for attackers, offers them provision for sophisticated, unpredictable and distributed attacks [2]. Attackers can, therefore, cause disruptions to critical infrastructures, including financial networks, telecommunications, energy pipelines, electrical power, refineries, etc. [3]. Recent events reveal the damage cyber-attacks can cause to private enterprises, governments and the public in general, in terms of reputation, data confidentiality and money [4]. For more than twenty years, the research community has been paying attention to the field of cyberspace security. Nevertheless, the cybersecurity issue has still not been solved completely. In this paper, the applicability of game-theoretic methods in solving cybersecurity issues has been explored.
Contineours advancements have been accomplished by traditional security methods in the protection of well-defined goals viz. confidentiality, integrity and availability (CIA). Cryptography is one such strong theoretic security foundation that depends on the cryptographic key secrecy. But as in social engineering attacks or Advanced Persistent Threats (APTs) where attackers steal the whole cryptographic keys, the assumption of confidentiality of keys gets violated and thus leading to the penetration of the systems [1]. A novel theoretical foundation and an innovative perspective are required for capturing the scenarios where attackers can compromise systems thoroughly, and defenders can secure the systems without the fundamental key secrecy assumption.
The limitation of conventional security solutions is the non-existence of a quantitative decision framework. As such, many research groups have begun encouraging the employment of game-theoretic methods. Since game theory handles the problems where several players with opposing goals compete with one another, it can offer a mathematical framework for the modelling and analysis of network security issues.
The models based on game theory are natural frameworks for capturing the defensive as well as adversarial interaction among players [5,6]. Game theory can offer a quantitative measure of the security quality provided using the Nash equilibrium concept where defender, as well as attacker, look for optimal strategies and none has the incentive for unilateral deviation from their equilibrium strategy regardless of their opposing security goals. This equilibrium concept further, quantitatively, predicts the security outcome of the scenario being captured by the game model. Game theory, thus, provides manageable security with its quantitative security measure, unlike the qualitative measure assured by cryptographic security. Furthermore, the game-theoretic approach can be extended to mechanism designing, allowing the system designers to shift the equilibrium as well as the predicted outcome in favour of the defender utilizing an intricate game design.
The interest in the field of game and decision theory has grown for more than a decade, and it has become a well-proven, systematic, strong theoretical foundation of the present-day security research. Game theory espouses a distinct and economic perspective of security, not the same as the standard definition, i.e., security is not the nonexistence of threats, but the stage where attacking a system is more expensive than not attacking. Therefore, beginning from the game-theoretic base attains the most sophisticated self-enforcing protection by evaluating and generating incentives for encouraging honest behaviour instead of thwarting maliciousness. Simultaneously, the economic approach to security is essential as well since it is analogous to the progression of attackers in the present day. Cybercrime has developed into a fully-featured economy with the maintenance of supply chains, black marketing and mostly resembles an illicit counterpart of the legal software market [1]. Although conventional security forms a significant base for dealing with the problem from below, game theory provides a top-down approach by the adoption of strategic and economic perspectives of the attackers as well and thus complements technological security methods. The ideal stage is attained when the two routes taken up converge towards the middle, and this is the goal of game theory.
The rest of the paper is organised into various sections with Section 2 discussing the cybersecurity in detail, followed by the discussion on game theory aspects in Section 3. The relation between game theory and cybersecurity has been presented in Section 4, and the various categories of games have been elucidated in Section 5. Section 6 comprises of the illustration of varied game models that are applied in cybersecurity and Section 7 discusses the bridging of game theory and cryptography. Finally, the future research directions and concluding remarks have been given in Section 8 and 9, respectively.

CYBER SECURITY
Before defining cybersecurity, cyberspace needs to be determined. As per National Security Presidential Directive 54, "Cyberspace is the interdependent network of information technology infrastructures including the Internet, embedded processors, computer systems, controllers in critical industries and telecommunication networks" [52]. The social well-being and economic development of a nation are now becoming reliant on cyberspace.
Furthermore, the term 'cyber' is also linked with various other genres such as cybergoth is associated with music; cyberpunk is a kind of novel based on fiction; cybercrime involves crimes done using computers, and cyberbullying is bullying anyone on social media or internet [53].
Cybersecurity has been defined in the Oxford English Dictionary [54] as, "The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this". Practically, it implies that any criminal-based or unauthorized use of electronic devices or data is regarded as a cyber threat. Manipulation of physical assets is also considered as threat to cybersecurity. Nevertheless, the connecting line between information security and cybersecurity is very thin since the issues in cybersecurity can be transformed into those of information security and vice versa in several instances. Some public sources even consider both as synonymous terms. However, cybersecurity involves human factors like people as cyber-attack targets, unlike information security [55].
European Union Agency for Network and Information Security (ENISA) considers cybersecurity as a collective term of various realms that include communication security, operation security, information security, military security and physical security [56]. The relation between the domains is shown in Figure 1.

Cyber Security
Communication Security

Operation Security
Information Security

Military Security
Physical Security The function of each of these domains is the security in respective areas. Table 1 discusses the various domains, along with their objectives in a detailed manner. Security against a threat that attempts to affect the technical setup and influence specific values in a way not anticipated by the designer or owner Operation Security Securing against the threat that attempts to influence workflows or processes into undesirable outcomes Information Security Securing data saved in cyber systems against risks of deletion, manipulation or theft Physical Security Security against illicit use and securing physical assets of cyber systems like network components, storages or servers Military Security Protection against threats against physical assets but have flavours of strategic, military or political aspects As is evident from Table 1 and Figure 1, each security domain focusses on its forte; nevertheless, in the end, all of them are linked to cybersecurity. From this perspective, cybersecurity can be understood as the umbrella term for all the security domains.
The definition of cybersecurity given in Table 1 depicts the relationship between various components. Notably, cybersecurity is not limited to technical security of the environment, but it also includes potential threat sources, assets and the fundamental elements associated with organizations such as the CIA.
Confidentiality, Integrity and Availability or CIA is a significant definition associated with cybersecurity. While defining cybersecurity policies and information security on an organizational level, the CIA is considered as a fundamental element [53].  Figure 2. Interdependence of cyber network and physical systems Figure 2 shows how cyber networks are interconnected with physical systems that comprise of crucial infrastructures like the communication network, subway and power grid. The physical system components such as subway stations can function properly only if the cross-layer nodes (like surveillance cameras and power substations) and other subway stations work correctly. This interdependent nature of the cyber-physical infrastructure paves the way for coordinated attack exploitation leveraging the susceptibilities in cyber networks and physical systems and increasing the attack probability as well as infrastructure failure rate [57]. For instance, cyberattacks can be used by a terrorist for compromising surveillance cameras of a government building, public place or an airport and planting a bomb stealthily without being sensed physically. The physical loss inflicted on the infrastructure systems may also aid the attackers in intruding into the cyber systems like control rooms and data centres. Therefore, both physical as well as cyberinfrastructure failures might lead to detrimental outcomes. Furthermore, the physical, logical and cyber connectivity of the setups leads to interdependencies and dependencies between components and nodes within and across the infrastructures. Consequently, the failure of an element might cause cascading failures in several arrangements. For mitigating these cyber-physical threats, designing effective design mechanisms is essential for hardening the physical and cybersecurity at the infrastructure nodes to secure them from failures.
Together with the development in cyberinfrastructure, cyber risks are growing at a rapid pace. The conventional cybersecurity technologies are focussed on common threats but are not meant for the infrastructures with heavy traffic. Game theory provides a better approach for dealing with cybersecurity issues than traditional security solutions.

ASPECTS OF GAME THEORY
Nowadays, the research community is making all the efforts possible to bring effective network security solutions to organizations; and one such resolution is the utilization of theories suitable for real-life situations for developing mitigation methods. The game theory falls in the category of one such approach that is being explored by the researchers. Over the years, researchers have been investigating the applicability of game-theoretic methods for dealing with cybersecurity; and many of those methods have been successful. Game theory helps in understanding scenarios where there is an interaction among the decision-makers in some way. In the regular sense, a game can be considered as a competitive activity in which the players compete with one another based on a distinct rule-set or the moves that have already been laid down [58].
With growing distributed and infrastructure-less systems, game theory has also found applicability in the security of decentralized communication systems viz. wireless sensor networks (WSN) [59]. Such a security scenario, involving the interaction of attacker and defender, can be precisely mapped to a game among the players where every player tries their best to increase their profit. Most importantly, game theory is perfectly suitable for such a security model since the action taken by the attacker or defender relies on the behaviour of the opposite party [60][61][62].
Lately, the extensive application of game theory in the field of security is categorized into security games. Besides cybersecurity, game theory has applications in many other spheres such as politics, sciences, economics, auction, finance, etc. This paper reviews the game theory applications in cybersecurity.

Definition of a game
Applying mathematical analysis of cooperative and/or individual behaviours among players selecting a specific action/strategy to fulfil their self-interests can be understood as game theory [63].
The definitions of the basic parameters of a game have been given below: 1. A game is defined as the strategic interaction among cooperating or opposing interests taking into account the payoffs for the actions taken by the players and constraints without revealing anything about the actual steps carried out [58]. A player is the fundamental game entity involved in a game with a finite player set (depicted by ) that take logical actions (illustrated by ), for every player . A player can be a machine, a group of people or an individual in the game. 3. The payoff/utility is the negative or positive reward given to players for their actions in the game. It is signified as : → ℝ, that measures the result for the player based on the actions of other players =× ∈ , where ℝ is the set of real numbers, and × indicates Cartesian product. 4. A strategy implies the plan of action that can be adopted by a player in the game that can be represented in the strategic/extensive form as Game = 〈 , ( ), ( )〉 (1) Game theory is a description of a multi-person decision scenario as a game where every player selects an action that leads to the best reward for their ownselves while expecting logical actions from the rest of the players. A typical game, when applied to game theory, is characterized by four fundamental features, which are: a) Two or more players b) Competing nature c) Rules governing each game d) Payoffs for every player

Nash equilibrium
An important game-theoretic concept is the Nash Equilibrium that is defined as the intersection point of best responses, i.e., every player plays their best response against the actions of the rest of the players [58]. In general, Nash equilibrium is an intelligent solution to social problems that have become a favourable concept for wireless sensor network security [64,65].
Nash equilibrium is a solution concept describing the steady-state game condition; no player would desire to modify its strategy since it may decrease their payoffs provided the rest of the players are following the stipulated policy.
However, this solution concept indicates the steady-state in the game without specifying how to reach such a state. Although various other solution concepts are utilized occasionally, Nash equilibrium is the most prominent. This information shall be employed for defining games having relevant characteristics to represent network security issues [58].
Let us assume the strategy profile for an player game is 1 , 2 , 3 , … … … * (2) Where * denotes Nash equilibrium, if every player has a payoff value , then ( * , − * ) ≥ ( , − * ) (3) Must be valid for every player with * denoting the action profile of player and − * indicating the equilibrium action of the rest of the players.
For each game, two significant concepts hold, viz. common knowledge and rationality. Common knowledge comprises of the earliest comprehension of results as well as the mutual knowledge of every player about the results. Rationality, on the other hand, specifies the consistency in decisions without taking into account the likes/dislikes of the players within the game [66].
Take into consideration a simple game -Prisoner's dilemma that involves only two players. The matrix representation of the game is given in Figure 3. The police have arrested two people who have been accused of the possession of guns. They are suspected of having committed a crime; they both shall be put behind bars for a 6-year term if neither of them admits. But if only one of them confesses, he/she shall be freed, and the other one shall be imprisoned for nine years. Now, if both of them admit to the crime, each of them shall be jailed for a year. In such a game, the Nash  Figure 3 as (-6, -6).

GAME THEORY AND CYBER SECURITY
The recent proliferation in cyber-attacks, as well as identity thefts, have turned the Internet into a daunting place. Cyber-attacks have generated a global threat, in securing global as well as local networks [4]. They are also threatening society since communication, and economic infrastructures primarily rely on information technology and computer networks [63].
Therefore, more effective defence strategies are a must for countering the threats caused by the rising cybersecurity concerns. In cybersecurity, game theory can help in knowing the response of the defender to the attacker and vice versa. A two-player game can be used to capture the strategic interaction between the attacker and defender in which both players try to maximize their interests. The strategy of the attacker is determined by the actions of the defender and vice versa. Therefore, a defence mechanism can be said to be valid on the basis of the strategic behaviours of the attacker and the defender. A tactical analysis can be performed by employing game theory for investigating the attacks from multiple nodes or a single node. As a result, game theory is essential for studying the strategic decision-making scenarios of defenders and analysing the attackers' incentives.
There are several aspects in which game-theoretic methods are better than the traditional approaches to cybersecurity and privacy, which have been discussed below [63]: (1) Well-timed action: Owing to the absence of incentives for the participants, traditional security solutions are adopted rather slowly. However, game-theoretic methods back the defenders by the employment of fundamental incentive mechanisms for allocating restricted resources to even out the risks perceived.
(2) Proven mathematics: Majority of the traditional security approaches that are implemented in reactive devices like anti-virus programs or preventive tools like firewalls are dependent only on heuristics. Nonetheless, game-theoretic approaches analyse the security decisions methodically with proven mathematics.

(3) Distributed solution:
The decision-making in conventional security solutions is centralized and not distributed (or individualized) in nature. Because of the absence of coordinators in autonomous systems, the centralized decision-making process is almost impossible in network security games. Thus, security solutions can be realized in a distributed way by making use of game theory.
(4) Reliable defence: The researchers can design defence strategies for robust and dependable cybersecurity systems against attacks (or selfish behaviours) based on the analytical results provided from game theory.
All the reasons as mentioned above, make game theory a suitable solution for cybersecurity problems. Nevertheless, the following issues need to be kept in mind while using game-theoretical methods for implementation in cyber systems: (1) Multi-layer protection: In the previous works reviewed, it is observed that the defender targets a particular defence mechanism and attempts to maximize its utility by adjusting suitable parameters. Nevertheless, the presence of multiple layers of defenders providing security against the attack, that is frequently realized in the current cyber systems, is overlooked. Thus, a fitting game-theoretic approach is needed to resolve how multiple-layer defenders can offer security against attacks while implementing the defending layers simultaneously and how the other layers can be enhanced.
(2) Rationality: Most of the game-theoretic methods utilized in cybersecurity emphasize on equilibrium strategies in the action profiles of the attackers and defenders. But it is not easy for the attacker or the defender to provide the best-response actions owing to constrained rationality (in terms of restricted resources or information) in real cyber systems [67]. Thus, suitable models like Quantal Response Equilibrium and Prospect Theory are essential for predicting the behaviour of the players [68,69]. Moreover, in the scenarios with multiple equilibria, it is not clear what the players shall select or if at all they agree to choose one.
(3) Implementation: When the defenders and attackers make decisions in real cyber systems, they take into account several factors that are real but uncertain like signal-to-noise ratio, the traffic produced in a typical network and/or the node power in wireless networks. Nevertheless, the defenders may not perceive the entire information accurately in realistic situations. Consequently, they should be able to study the environment and understand it. Besides, there are several game-theoretic methods that model security games as two-player games with multiple defenders or attackers being taken as a single entity. Two-player games are realistic models if multiple defenders or attackers have the same payoffs and strategies but might not be reasonable in a real system owing to the variety in the payoffs and strategies of defenders and attackers.

195
The game theory thus plays an integral part in acquiring an equilibrium strategy for surviving from unpredicted interruptions and attacks because of the interaction among users in cyber communication. Furthermore, in connection with cyber privacy, the game theory also finds applications in information sharing, anonymity, confidentiality and cryptography.

CLASSIFICATION OF GAMES WITH THEIR APPICATIONS IN NETWORK SECURITY
On the basis of perspectives, games can be categorized into several classes. The varied types of games have been discussed in this section below: Figure 4 represents the classification of various game models plus the security issues each class of games handles [70].  Co-operative games: In a cooperative game, every player enforces cooperative behaviour. Such games are between the coalitions of players rather than between two players only. Cooperative games thus accentuate group efficiency, equity and rationality [71].
Non Co-operative games: In non-cooperative games, every player exhibits selfish behaviour without taking into consideration the opponents. The chief goal of every player is gain in payoffs. Non-cooperative games accentuate individual optimal decisions and individual rationality. This game type is the research goal of contemporary game theory; notably, several cybersecurity issues are non-cooperative games [71]. Extensive/Dynamic Games: In dynamic games, every player has some knowledge about the behaviours of the rest of the players, unlike static games; besides, these are multi-stage games. The players in this game make decisions on the basis of the opponent's behaviour. Such games are sequential structures of the decision-making problems that the players of static games come across. The game sequences can be finite or infinite [58].

Complete Information Games:
The games in which every player within the game has comprehensive knowledge about the opponents' behaviour are said to be complete information games. Every player is completely aware of all the opponents' strategies.

Incomplete Information Games:
The game in which any one of the players has zero information about the opponent players. As a result, the players may not be able to make perfect strategies for winning the game.

Perfect Information Games:
In this type of game, every player has the perfect knowledge of all the previous actions of the opponent player before making a move. Chess, go, and tic-tac-toe are examples of perfect information games [58].

Imperfect Information Games:
In such games, there is at least one player who does not know about the past actions of the opponent player, thus making it tough for the player to make a move. Cybersecurity falls in this type of game category.
Bayesian Game: It is well-known that every outcome is valuable to every player in recreational games since the game rules quantify this. On the contrary, when real-world strategic scenarios are modelled, every player might be uncertain about the value of various outcomes to the rest of the players. Such uncertainty can be modelled naturally using Bayesian games. In Bayesian games, every player selects one 'type' from distribution Moreover, Bayesian games may be transformed into standard form, but there shall be an exponential growth in size [72]. This type of game is referred to as Bayesian, owing to the employment of Bayesian analysis in anticipating the outcome [73].
Stochastic Game: These games are multi-player generalizations of Markov decision processes. In every state, an action is chosen by all the players and the profile of actions chosen govern the instant reward to all of them together with their probabilistic transitions [72]. Thus, such games progress as a series of states beginning from a start state. Then, the players acquire a payoff after selecting their actions based on the present game state. This is followed by the transition of the game into a different state with a probability determined by the current state and actions of the players [74]. Stochastic games having just one state are referred to as repeated games in which the same normal-form game is played by the players repeatedly.
Repeated Game: As defined already, repeated games are an interaction of two players that play the game repeatedly [64]. Also known as iterative games, this game comprises of many repetitive stages, and at every step, the present action determines the next action of the players. Repeated games can be either finitely repeated or infinitely repeated. There is a fixed and known time-period in infinitely repeated games. However, it has a limitation that makes the player behave selfishly, and Nash Equilibrium is used to equal minmax payoff. The most popular type is the infinitely repeated game in which the game continues for an infinite period [59].

Zero-sum Game:
It is a kind of non-cooperative game played between two players. One of the players is the maximizer since it attempts to raise its gain to the maximum and the other player is the minimizer since it tries to keep its losses to the minimum. As a result, the zero-sum game can be assumed to be a one-side win game or two-side conflict game in which the overall payoff/utility of the players stays constant throughout the game, being the strategy profile [59].
Non-zero-sum Game: This type of game can be played by multiple players, and the sum of the payoff values of the players does not remain constant during the game [59]. So, all the game players are either maximizers or minimizers without having any constraints on the overall payoff value as is the case with zero-sum games. Thus, all the players in the game can lose or gain together [64].
Evolutionary Game: Evolutionary games are basically applied to biological networks in which pure and mixed strategies might be merged by the players with logical behaviour for enhancing the population characteristics [64]. Notably, evolutionary games have been utilized in the past to model various wireless sensor network applications [59].
Stackelberg Game: Stackelberg games are used for modelling two competing players where one of the players is the initiator (or leader) of the game who opts an action from a specific set 1 , and the other player follows the action of the leader to choose later a move from a different set 2 [59]. Such a situation is prevalent for protecting various wireless sensor networks where the attacker acts as the follower, and the defender plays the role of the leader [75,76].
A distinctive category of games called security games analyse the interaction between defenders and malicious attackers. These games, along with their solutions, form the base of algorithm development and formal decision-making besides the prediction of the behaviour of the attackers. Moreover, security games find vast applications to security issues like intrusion detection and privacy in computer, wireless and vehicular networks [77].

GAME-THEORETICAL METHODS FOR CYBER SECURITY APPLICATIONS
From the perspective of game-theoretic applications in cybersecurity, there are six categories of security applications:

Physical layer security
It is an evolving area of security. Eavesdropping and jamming attacks are commonplace on the communication channel of networks [70]. Notably, these attacks are more alarming for wireless networks in comparison to wired networks.
In this regard, a game-theoretic model was introduced by authors in [78] for examining the communication between the source transmitting valuable data and some available jammers who aid the source in puzzling the eavesdroppers. Those jammers charge some cost from the source for their service and then there is a price trade-off. Stackelberg game has been put forward by the authors plus a distributed algorithm for investigating the result of the game to display the effectiveness of the price trade-off and the friendly jamming service. IJEEI ISSN: 2089-3272 

Self-organized network security
A specific application of game theory is the design of security protocols for self-organized networks like mobile adhoc networks (MANETs), wireless sensor networks or vehicular networks. Due to the relatively static configuration and homogenous architecture of self-organized networks, the behaviour of the network tends to be like that of a reasonable decision-maker or a logical economic man, therefore making it consistent with the game theory requirements.
Several previous works take into account only two players in their game models when applying game theory to security. But it might not be practical in case of MANETs that have no centralized administration. In the scenarios with multiple players, a robust mathematical tool is mean-field game theory. In [79], authors have employed the contemporary developments in mean-field game theory for proposing a new game theory-based distributed approach for MANET security with multiple players. Such an approach allows a distinct MANET node to make decisions of strategic defence, and every node needs the knowledge of its state together with the cumulative effect of the rest of the nodes in the MANET.

Intrusion detection and prevention
Intrusion detection is considered to be one of the most broadly applied security research areas in terms of game theory owing to its attack and defence characteristic [70]. With the study of game models, it is possible to optimize the distributed design as well as security configuration of intrusion detection systems. In this regard, defence strategies based on puzzles have been put forth against flooding attacks An automated intrusion response engine has been introduced by authors in [80] that is referred to as Response and Recovery Engine (RRE). This engine makes use of game-theory based response strategies to ward off intruders that are displayed as opponents in a two-player stochastic Stackelberg game with RRE and the attacker attempting to raise their benefits to the maximum by considering the response actions and the optimal opponent respectively. There are many research-works that utilize game theory for intrusion detection as well as prevention. For instance, a collaborative incentive-based game-theoretic method has been designed for intrusion detection in [81], another game theory model has been proposed in [82] for the detection of cooperative intrusion over multiple packets, a protracted Dirichlet based collaborative IDS based on game theory has been given in [83], and authors in [84] present a game-theoretic approach to configure large scale intrusion detection signature dynamically.

Privacy preservation and anonymity
From the perspective of game theory, privacy can be evaluated by the users, and various strategies can be inspected for their desired privacy level setting. Game theory can prove beneficial in analysing the privacy preservation economically and in finding the best compromise between performance and privacy. Several effective location-based services bring convenience to the users but at the cost of the privacy of users. Authors in [85] have been the first to put forward an optimal mechanism that finds the location besides preserving user privacy in location-based service. The Stackelberg Bayesian games are used for modelling the mutual optimization of localization accuracy vs location privacy, and it has been proven that this methodology showed better results in comparison to a direct obfuscation mechanism. Furthermore, the interaction among data collectors, data users and data providers have been modelled in [86] using a game and a general methodology for finding Nash equilibrium.

Economics of cyber security
Since the game theory was set up initially in the theoretical framework of economics, it can be applied chiefly to cybersecurity economics. Various standard economic models and theories find applications to the economic perspective of security like security policy making, security incentive and security investment. Securing the network infrastructure against attacks is a must because the attacks on high-speed data links could cause a delay or loss of large-scale data.
In the works [87,88], authors have studied the incentive mechanism in network security by investigating the network externality that is produced by the price of anarchy (POA) and selfish investment behaviour. They have proved that network security can be improved dramatically by enhancing incentive mechanisms of cybersecurity investment rather than by the enhancement in security preservation methods.

Cloud computing security
Cloud computing is a thriving industry and a well-known concept of information processing. Still, its security problem is complicated due to the use of varied infrastructure elements in every service model [70]. The conventional security mechanisms are not apt for cloud computing because novel cloud concepts like Different public cloud users share a common platform such as the hypervisor. This universal platform intensifies the well-known problem of cybersecurity interdependency, and a user who does not invest in cybersecurity imposes a negative externality on others. This is one of the reasons that many large organizations with sensitive information have been reluctant to join a public cloud.
A framework has been put forward by authors in [10] known as FlipIt game for cloud security that provides details about when devices should trust the cloud hypervisor's commands. This communication is modelled as a game with the device, attacker and the defender as the players. A game theoretic-security risk assessment model has been proposed in [89] for cloud computing that is scalable such that it is assessed if the system risks should be fixed by tenant or cloud provider. Authors in [90] have modelled the problem of cloud security transparency as a non-cooperative dynamic game in which the client and provider are modelled as the game players. Consequently, authors have presented a theoretical examination for the client or provider to compute the best strategy for reaching the Nash equilibrium.

BLENDING GAME THEORY AND CRYPTOGRAPHY
Both game theory and cryptographic protocols deal with the analysis of interactions among mutually suspecting parties. Historically, both the fields have evolved independently of each other within diverse research communities and thus are likely to have different flavours. Nevertheless, there has been growing interest in merging the approaches and techniques of these fields that were inspired by the desire for developing more pragmatic protocols and models of such an interaction. The present research at the relation of cryptography and game theory can be divided into two categories: applying game-theoretic models to cryptographic protocol design and applying cryptographic protocols to the problems based on game theory.
Conventionally, the protocols in cryptography are devised, assuming that a few participants are authentic and follow the protocols faithfully while other participants are malicious and act haphazardly. However, the game-theoretic perception is that every participant is rational and acts according to its best interest. Such a perspective is different from the cryptographic one, according to which the protocol need not avert to irrational behaviour although no one can be trusted to follow the protocol unless it acts in the participant's best interests.
In general, cryptography focusses on guaranteeing that the parties continue to use the authorized service and game-theoretic approach has the same goal. Game-theoretic methods are used for devising incentive mechanisms that aim to avert diversion. An important motive to apply the game-theoretic method in cryptography is the modelling of malicious behaviour of the user. The rationale behind this is that malicious actions are not only more challenging to control than rational actions, but it is also more common and practical for some parties to follow the cryptographic protocol dishonestly. For enhancing the security and efficiency of cryptographic protocols, many new terminologies and approaches have been proposed by researchers. For instance, socio-rational secret sharing, employment of Perfect Bayesian Equilibrium (PBE) or utilization of point-to-point channels rather than trusted mediators. Also, game-theoretic methods have been used in steganography and have proved to be ideal in allowing researchers to assess several design choices like distribution of payload in batch steganography or distortion functions in adaptive steganography. All these approaches exhibit the huge benefit that blending of cryptography and game theory brings in designing defence mechanisms.

FUTURE RESEARCH DIRECTIONS
Possible future research directions of game-theoretic approaches for cybersecurity and privacy may consist of several emerging areas as follows:

Social media
In recent times, social media sites, for instance, Twitter and Facebook, have been emerging as excellent ways of communication. These sites can be used by attackers as novel media for conducting insidious attacks. Owing to the massive centralized user data, increased attention should be paid to privacy protection. The application of game theory to social media can help us identify the objectives of social media users and how they work to achieve them. Based on formalized utilities of security policies and security rules, the choice of security policies in content access is described as a game between the content provider and the content requester.

Cloud computing
Debatably, cloud computing is assumed to be one of the essential technological shifts in recent times. Nevertheless, while shifting data to clouds, various challenges to security and privacy are posed. Game theory is a potential mathematical framework for analyzing the effects and causes of privacy and integrity issues for  [89]. Authors in [91] have put forward methods for reacting automatically to the opponent's behaviour for securing the system through Q-Learning. The researchers, after comparing Q-Learning with the conventional stochastic game, presented simulation results that affirm Naive Q-Learning as a potential approach on confrontation with limited information about adversaries.

Bitcoin
Bitcoin is an electronic decentralized fiat currency that is implemented through peer-to-peer technology and cryptography. The designing of secure and effective mining methods is one of the challenges faced by bitcoins. Minigas, a game, can be modelled among all users through game theory.

Embedded security
At a single point, attacks of malware can occur in the hardware. It's the most beneficial entity which provides the ability for manipulating a computing system. The attackers secretly and deliberately bring modification to electronic devices like integrity circuits for creating hardware Trojans. Game theory is the mathematical treatment of conflict, thus could be utilised for strategically guiding microcircuit testing to balance the risk posed by hardware Trojans.

Cyber-insurance
Techniques of risk management for improving cybersecurity are promising solutions with economic benefits for security software vendors, users and policymakers. The game-theoretic approaches have been employed in various cyber insurance research works for modelling the interactions among the players of cyber market insurance where the retail of cyber-insurance is taken as a defence mechanism. Though game theory may assist in designing mechanisms incentivizing the insurers, more methods are required for answering the questions that cyber insurance poses for improving cybersecurity and privacy.

Internet-of-Things (IoT)
IoT provides connection among numerous smart devices integrated in networks seamlessly for offering services in every aspect of human life. Being susceptible to varied attacks, the research community needs to emphasize on the privacy as well as the security of IoT applications. Due to the speedy development in technology making up the IoT, several new crucial problems and significant security issues in IoT shall be the potential topics for game-theoretic methods.

Device-to-Device communications
Device-to-Device (D2D) is emerging as a new trend in industrial as well as academic communities due to the economic energy consumption and high throughput. It is expected to be a key feature supported by next-generation cellular networks. D2D can extend the cellular coverage allowing users to communicate when telecommunications infrastructure is highly congested or absent. Various potential topics in relevance to D2D communication such as secure transmission, enhanced quality-of-service and energy efficiency can be considered utilizing the utility function maximization game frameworks.

CONCLUSION
Game theory has been found to play a vital role in numerous security situations and has been extensively applied in cybersecurity. The latest research works conducted reveal the effective use of game theory in web security, network security, etc. Game theory allows the defender to assess the security quantitatively and predict the security outcome in addition to offering a mechanism design tool for enabling security-by-design and reversing the advantage of the attacker. Games can be analysed and designed; players' optimal moves can be utilized for determining how effectively security can be approached in the cyber world. However, an essential game-theoretic issue is the ability to find a feasible mathematical solution to the game problem. More systematic solutions that solve the problem of cybersecurity utilizing game theory are recommended which involve practical mathematical solutions. One such approach that is presently being studied by the research community is the employment of linear programming. Furthermore, integer programming can be delved into for offering a more pragmatic solution to distributed denial of service attacks in the cyber world.