Cyber security: Influence of patching vulnerabilities on the decision-making of hackers and analysts

Patching of vulnerabilities on computer systems by analysts enables us to protect these systems from cyber-attacks. However, even after patching, the computer systems may still be vulnerable to cyber-attacks as the patching process may not be foolproof. Currently, little is known about how hacker’s attack actions would be influenced by the varying effectiveness of the patching process. The primary objective of this study was to investigate the influence of the patching process on the attack-and-defend decisions of hackers and analysts. In this study, we used a 2-player zero-sum stochastic Markov security game in a lab-based experiment involving participants performing as hackers and analysts. In the experiment, participants were randomly assigned to two between-subjects patching conditions: effective (N = 50) and less-effective (N = 50). In effective patching, the probability of the network to be in a non-vulnerable state was 90% after patching by the analyst; whereas, in less-effective patching, the probability of the network to be in the non-vulnerable state was 50% after patching by the analyst. Results revealed that the proportion of attack and defend actions were similar between effective and less-effective conditions. Furthermore, although the proportion of defend actions were similar between vulnerable and non-vulnerable states, the proportion of attack actions were smaller in the non-vulnerable state compared to the vulnerable state. A majority of time, both players deviated significantly from their Nash equilibria in different conditions and states. We highlight the implications of our results for patching and attack actions in computer networks.