Keep Spending: Beyond Optimal Cyber-Security Investment

We introduce an efficient solution for Stackelberg games in the context of a class of Security games and bounded rational attackers. These games model a threat scenario where an attacker can launch multi-stage attacks against a defender who can deploy defensive controls subject to some budget constraints. Because the optimal solution in these games may leave some unspent budget, the question of what to do in this situation arises. In this work, we suggest investing it iteratively in the closest sub-optimal solutions until possible. Here we develop the needed theory and framework, starting from defining sub-optimality and solving the corresponding optimisations. By using total unimodularity and precise linear programming (LP) relaxation, we provide an efficient computational solution to these games. The security improvement of the proposed approach is illustrated with an AI threat scenario.