1. Introduction

The utilization of robotics, the adoption of various communication technologies, and the integration of building information modeling (BIM) processes into construction tasks are accelerating the digital transformation of the architecture, engineering, and construction (AEC) industry [1]. This transformation has resulted in an increased amount of data stored in digital formats, including sensitive information (e.g., design files, intellectual property, bid documents) that are prone to cyberattacks [1]. Despite the increasing reliance on digital tools, the importance of robust security measures to protect construction projects has been overlooked, leaving the industry exposed to various cyber threats [2]. The complex nature of construction projects’ supply chains and the involvement of many stakeholders (e.g., owner, contractors, engineers, suppliers) from different disciplines (e.g., structural, architectural, mechanical) further increase the challenge of providing secure and efficient data exchange.

The risks associated with these vulnerabilities are evident in recent cyber incidents targeting construction companies. These include data breaches (i.e., theft, modification, and exposure of sensitive data), fraudulent wire transfers, and property damages [1]. For example, hackers stole the design files of the Australian Intelligence Service’s headquarters during its construction in 2013 [2]. This proves that design documents can also be valuable for malicious actors when a constructed building is of strategic importance to the government. A white paper prepared by the security software company FinalCode also presented the risks of insider threats targeting CAD files in design-centric businesses [3]. In addition, employees’ and other stakeholders’ personal information can be a target of attackers. For instance, Turner Construction was targeted by a phishing attack in 2016, exposing the tax information and social security numbers of its employees [4]. Similar attacks also damage the reputation of the targeted companies and can cause disruptions to business operations.

Common data environments (CDEs), introduced as centralized data repositories (see Figure 1) to enhance collaboration among stakeholders in BIM-enabled projects, aim to improve data security and management [1]. However, the reliance on centralized CDEs has introduced a single point of failure, as highlighted by several studies proposing decentralized alternatives utilizing blockchain and the interplanetary file system (IPFS) [5,6]. Protection against data theft becomes a significant challenge as the information exchange reaches its peak with the increasing use of BIM/CDE tools, particularly in design–build and integrated project delivery (IPD) projects [7].

Several document types can be sensitive depending on the project type. For example, the cost and profitability calculations and financial forecast files of large-scale projects are considered confidential. Such documents typically include the unit cost of constructing different elements of the structure, procurement and subcontract details for different materials and services, and the project’s cash flow. Therefore, a potential leakage of such documents would give a competitive advantage to the rivals of the construction company, resulting in financial loss. Another sensitive document would be design files, especially considering the construction of buildings such as embassies, prisons, military bases, and critical government buildings.

Even though the provided examples of cyberattacks were conducted by external actors, the motivation and consequences would be similar in case of insider threat. Turk et al. [8] and Mantha et al. [1] pointed out that various stakeholders involved in construction projects might be motivated to act as malicious insiders for various reasons, including financial gain and espionage. These motivations are aligned with the previous examples of external cyberattacks targeting construction companies. Supporting these claims, a recent survey on cybersecurity in the construction industry reported that 20% of the respondents considered malicious insider threats the highest-level concern [9]. Moreover, considering that the insiders might have legitimate access to the CDE and the mentioned sensitive documents, detection can be more complicated and the outcomes can be more devastating.

Addressing insider threats within CDEs is paramount for safeguarding sensitive construction project data, which constitutes the primary motivation of this study. Mitigating these risks requires proactive strategies beyond traditional cybersecurity measures to encompass insider threat detection and response. To this end, we propose game-theoretic models to analyze and predict malicious insider behavior and devise optimal strategies for protecting sensitive data within CDEs. This paper contributes to the ongoing efforts to enhance cybersecurity in the AEC industry by (1) developing simultaneous and sequential game-theoretic models to understand insider threat dynamics, (2) verifying the proposed models through simulations and hypothetical scenarios, and (3) validating the applicability of the models using real project data.

The remainder of this paper is structured as follows. Section 2 outlines the related work, identifies drawbacks in the existing literature, and discusses the motivations behind this research. Section 3 presents the methodology, introduces the proposed simultaneous and sequential move game models, and provides their solutions. Section 4 verifies the proposed models through simulations, hypothetical scenarios, and real project data. Section 5 discusses the results and limitations and Section 6 concludes this paper.

2. Related Work

Research has been conducted to deal with cybersecurity issues in critical infrastructures [10]. Various approaches have also been used to mitigate insider threats [11]. Hu et al. [12] addressed the joint threat from an advanced persistent threat (APT) attacker and insiders targeting a resource defender employing a differential game approach. The scenario in [12] considered a malicious insider who collaborates with the APT attacker by exchanging sensitive information, such as passwords, to help them achieve their malicious goals. Meanwhile, the defender employs countermeasures to regain control of the compromised resources. In the attack process, however, the defender does not consider any prior beliefs about an insider as to whether he/she would act as a regular or malicious one, which is necessary to respond to the possible threats caused by the insider. In addition, how the data/information is obtained by the malicious insider is not specified [12]. Ni et al. [13] discussed malicious insider attacks in a nuclear power plant based on an evolutionary game model. In this model, a malicious insider has two options, i.e., to perform or not perform the adversarial attacks. At the same time, the plant’s defender can implement either a severe punishment scheme or a less strict penalty for malicious insiders. Their proposed game solutions show how insiders would behave concerning their emotions. Kim et al. [14,15] also proposed a Stackelberg game model of defender–adversary interactions along with the possibility of various insiders being involved in a nuclear facility attack. Their analyses identified which insider threat was more critical concerning the facility’s security. In the models proposed by Ni et al. [13] and Kim et al. [15], the defender/security department has no preconceived idea about how its employees will behave towards sensitive resources. Furthermore, the authors in [13,15] did not specify how the malicious goal is achieved; in other words, whether authentication or cyberattack is to be launched against the resources to obtain access/steal the resources or sabotage the facilities. Liu et al. [16] presented a model to detect malicious insider threats using a zero-sum stochastic game assuming partially observable states. Kantzavelou et al. [17] also proposed a repeated game model in which insiders interact with the system defender, an intrusion detection system (IDS). Their model predicts future interactions between insiders and the system defender. In addition, Elmrabit et al. [18] developed a model based on a Bayesian network to predict insider threats prior to a data breach, taking into account various aspects such as technological, organizational, and human factors. The model draws on various components to predict the probability of insider threat risk. However, in these works [16,17,18], no penalty for malicious insiders is imposed, which is a crucial demotivating factor as to whether or not an insider would commit malicious acts to optimize his/her gain or benefits. Laszka et al. [19] introduced a secure team selection framework where the team manager has a secret to share with her team, whereas an insider attacker wants to learn the secret by bribing one of the potential team members. The scenario is analyzed using a stochastic game. Feng et al. [20] and Cansever [21] discussed a game model in which an insider can take part in the game between an attacker and the system defender. The insider can help achieve the attacker’s goal while sharing the revenue. In addition, an incentive-based model was introduced by Liu et al. [22] to mitigate malicious insider threats.

The concept of synergy has been explored in game theory to understand how collaboration among players can enhance outcomes through mutual assistance and interdependence. Cooperative game theory introduces measures like the Shapley value to assess individual contributions within coalitions and identify scenarios where synergetic effects yield greater collective benefits than independent actions [23]. These insights are particularly relevant for designing strategies that align the interests of diverse stakeholders in cybersecurity contexts, including insider threat scenarios.

An adversarial risk analysis approach was adopted by Joshi et al. [24] to analyze malicious insider threats and tackle the traceability issue of adversarial insider attacks. A traceability system with respect to insider attackers was proposed by Hu et al. [25] using blockchain. Moreover, machine learning techniques were used to detect malicious insider threats [26,27,28,29,30,31], where most of the work focused on reactive measures failing to counter proactive challenges. It can be observed that the existing literature does not consider several aspects (see Table 1) that are necessary for predicting malicious insider behaviors and deriving the best defense strategies against such attacks. It is clear that modeling malicious insider threats without considering all of these aspects has drawbacks in capturing the realistic situation. Notably, previous studies on the behavior of malicious insiders assume complete information about the game structure. However, this assumption is unrealistic since insiders’ intentions, such as being malicious or honest, are not entirely known to the data defender. Moreover, to the best of the authors’ knowledge, no study has discussed insider threat modeling considering the construction industry. Therefore, in this paper, we propose novel incomplete information game models in the context of the construction industry incorporating the following aspects:

• Aspect 1 (A1): The value of information/data/resources to an insider.

• Aspect 2 (A2): Penalty to a malicious insider when his/her activity and identity are exposed.

• Aspect 3 (A3): How the sensitive information/data are compromised (e.g., through authentication or cyberattack).

• Aspect 4 (A4): The probability of discovering the malicious activities and the insider’s identity.

• Aspect 5 (A5): The prior belief/information that the data defender has about an insider.

The main contributions of this paper are highlighted below:

i. The existing literature predominantly examines malicious attacks executed via cyberattacks, often neglecting the potential for insider threats initiated through legitimate authentication processes. This oversight is particularly relevant for the AEC industry, where stakeholders have legitimate access to data within CDEs but may misuse this access for malicious purposes. Our research fills this gap by modeling insider threats that can arise through cyberattacks and authorized access, presenting a more comprehensive view of vulnerabilities in CDEs.

ii. The existing literature often assumes complete information regarding insider behavior types, overlooking the ambiguity of legitimate versus malicious intentions within the AEC environment. Our research introduces a Bayesian game model that incorporates incomplete information, accurately reflecting the real-world complexity of insider motivations. By considering both types of insiders, our model offers a novel approach to predicting insider behavior under conditions of uncertainty, enhancing the development of targeted defense strategies against insider threats in CDEs.

iii. The rise of digitalization, BIM, and CDEs in the AEC sector has introduced unique cybersecurity challenges that current generalized insider threat models do not sufficiently address. To our knowledge, our research is the first to address insider threats to CDEs in the AEC industry.

iv. We validate our models using real project data and simulations, which demonstrate the models’ practical applicability in real-world AEC projects. This validation not only supports the theoretical framework but also provides actionable insights that can directly inform threat mitigation strategies within the industry. By bridging theoretical development with empirical testing, our research offers an applied contribution to the field, enhancing the reliability of the proposed defense mechanisms for practical cybersecurity applications.

Game theory is a mathematical study of strategic interactions of agents or players. Every player has a set of possible actions, and payoffs (i.e., cost/penalty or gain/reward) are assigned to each player based on the collective action. A common assumption is that players are rational and, thus, would want to optimize their payoffs. The solution of a game provides each player with the best strategies for making decisions or actions and no one can be better off by deviating from the strategies obtained in the solution (or equilibrium point). A game is considered a complete information model if all the components of the game, such as actions, payoffs, and types, are common knowledge among the players. In contrast, an incomplete information game is where some players do not know the payoff of the other players [32]. Game theory has been employed successfully to address various issues related to cybersecurity [33]. In this study, we also developed incomplete information games to study malicious insider behavior and obtain the best strategies to respond to insider threats.

3. Methodology

3.1. Defining the Data Defender

Two parties are involved in the proposed game-theoretic models: the malicious insider and the data defender. While the former is self-explanatory and has similar meanings in different contexts, the latter should be defined considering its roles before going into the details of the model. In the context of this paper, the defender has two primary roles: (1) access control and (2) intrusion detection. The defender is assumed to perform both roles even though they are handled by different mechanisms in a construction network. Both roles are detailed in the following subsections, together with construction-related examples and the assumptions made.

The malicious insider aims to access sensitive information, which is granted by the access control mechanism explained below in detail. The insider can then use this access to leak sensitive information, make changes, or render it unavailable. However, the malicious insider should stay as stealthy as possible while performing these actions since the IDS is also a part of the data defender, affecting the decisions of the access control system. As elaborated upon in the following sections, the IDS provides feedback to the access control system based on the activities of the insider. This collaboration of the IDS and access control system, which forms the data defender, is crucial to combat insider threats since the malicious actor authorizes access to sensitive data. Therefore, different from external threats, utilizing typical systems such as firewalls, antivirus software, and the IDS as data defenders is insufficient. Including the access control system as a part of the defender is necessary to make the decision of granting or rejecting authorized users’ requests. However, the suggested data defender can still be inadequate to combat insider threats if the malicious insider can perform its actions stealthily enough. In this case, the feedback from the IDS would be misleading.

3.1.1. Access Control

The defender’s first role is to manage data access by accepting or rejecting data access requests. Since this paper considers construction projects that utilize CDEs, access control is implemented on the data stored in a CDE. As mentioned earlier, CDEs are widely used for storing, viewing, and exchanging data due to the increasing use of BIM technologies in construction projects. The CDE utilized by the project may either be cloud-based or hosted on the in-house servers of a project. Companies from different sectors increasingly rely on cloud computing technologies for storage due to their advantages, such as no upfront cost, location flexibility for employees, and pay-as-you-go pricing models [34]. This transition also applies to the construction sector, with the increasing number of off-the-shelf cloud platforms that make cloud implementation more effortless. Some examples of cloud platforms offered by leading construction software development companies are Autodesk Construction Cloud, Graphisoft BIMcloud, and Trimble Connect.

This paper assumes the use of one of the cloud-based platforms (e.g., Autodesk Construction Cloud) offered by a construction software development company, considering their widespread use in the industry, especially by small and medium-sized enterprises (SMEs), which constitute more than 95% of construction supply chains [35]. The CDE platform selection in construction projects depends on the software packages used for various tasks, such as design authoring, clash detection, structural analysis, energy analysis, and reality capture. The platform developed by the software company commonly used in the project is prioritized for improved interoperability. This paper assumes a generic cloud platform without selecting a specific one.

The access control mechanism of the cloud platform that handles accepting and rejecting data access requests is considered a part of the data defender in this paper. There are three major access control models widely used in computer systems: role-based access control (RBAC) (i.e., non-discretionary access control), mandatory access control (MAC), and discretionary access control (DAC) [36]. In this paper, RBAC is assumed to be implemented in the cloud platform with the least privilege design principle in mind, similar to Autodesk Construction Cloud [37]. Therefore, individual users and user groups are given privileges based on their roles in the project. The BIM manager of the project is assumed to function as the administrator of the cloud platform, responsible for assigning roles and defining privileges for each role. It should be noted that assigning roles is not a one-time task but rather an ongoing process in a typical construction project due to the changing roles and new employees joining the project.

3.1.2. Intrusion Detection

The second role of the data defender is to detect potential intrusions and cyberattacks. Consequently, the IDS is also considered a part of the defender in this paper. The role of the IDS is crucial for the game-theoretic model presented in this study, as the data defender is assumed to make data access decisions while experiencing cyberattacks in specific instances. Therefore, the first role of the defender is contingent on the intrusion detection role. This paper does not make any assumptions regarding the type of IDS, such as signature-based (knowledge-based) or anomaly-based (behavior-based), as the technical aspects of the IDS fall beyond the scope of this paper.

As mentioned earlier, an external cloud platform is assumed to be utilized as the CDE. However, the IDS can only be implemented on the internal network of the project. Hence, it is assumed that the cloud platform used as the CDE accepts input from the IDS, allowing the IDS to dictate the decisions of the access control mechanism. This interaction between the access control mechanism and the IDS is presented in detail in the following sections of this paper. Lastly, it is assumed that being connected to the project network is necessary to access the CDE to effectively achieve IDS–access control collaboration. The stakeholders within the project perimeter can connect to the network through a wireless access point (WAP) or wired connection. On the other hand, a virtual private network (VPN) is mandatory to connect to the project network for stakeholders outside the project area.

3.2. Simultaneous Move Game Model

Insider threats are difficult to deal with in comparison to external threats due to the privilege that insiders have. An insider is motivated to compromise data for different purposes (e.g., financial gain, espionage). A malicious insider can achieve this activity by using his/her privilege through authentication to gain access to the data. This is termed as the misuse of access [38]. In this case, however, there is a probability that the malicious act and his/her identity are discovered because all the detailed information of the insider who has accessed the data is revealed to the data defender during the authentication process. As a result, the malicious insider can face a heavy penalty (cost) if his/her activity and identity are revealed. Thus, to prevent his/her identity and malicious activity from being known, the insider can make use of a cyberattack technique such as defense bypass [38] (e.g., SQL injection attack [39]) to access the data. We assume that the probability of exposing the malicious activity and insider’s identity under authentication (misuse of data) is greater than that of malicious action/identity being discovered under cyberattack. However, launching a cyberattack to obtain the data is costly compared to a misuse of access attack through an authentication process.

Therefore, there are two schemes for a malicious insider to implement this activity: gain access to the data through authentication or a cyberattack. An insider can exploit his/her privilege to obtain important information, such as vulnerabilities of the computing facilities (e.g., cloud computing used to host the CDE), by scanning, reconnaissance, or infiltration. The data defender believes that there is a malicious insider in the project team with a positive probability. This shows that releasing data to authorized insiders whenever a data access request is made can cause data compromise (e.g., tampering, theft, leakage).

Therefore, when an insider (whose type can be legitimate or malicious) sends a data access request, the data defender is faced with a situation as to whether to accept the request and release the data or reject the request and not release the data. As a result, the following two cases arise:

• If the data are released to an insider who happens to be malicious, the data will be misused (e.g., trading them for financial purposes, sending them to the enemy) by the malicious insider.

• On the other hand, if the data request is rejected, there is a probability of rejecting a legitimate insider request. Though the data are protected in this situation, the project team would be unable to achieve the expected outcome/goal in the project work due to the information (data) necessary for the project being withheld. That is, the workflow will be interrupted, for example, during the design phase.

Thus, considering the above scenario, the questions that need to be addressed are as follows: What will be the best strategies for the defender to protect the data in the scenario of incomplete information about an insider who can act as legitimate or malicious? How likely is it that an attack is being carried out by an insider of the project team or, equivalently, how secure are the data stored in the database of the CDE/BIM? To address this problem, we formulated an incomplete information game model to capture the interactions between an insider (legitimate or malicious) and the defender. The analysis of the proposed model will give us insights into how an insider in the project would behave as the game solutions predict the behavior of an insider and the best decisions for the defender.

Now, we consider the interactions between insiders (stakeholders) of a construction project and the data defender who defends data stored in a CDE. In this model, an insider sends a data access request to the defender. The defender is not certain about whether the request comes from a legitimate or malicious insider. To capture the interactions, we propose a simultaneous move incomplete information game model in this section and solve the game model to perceive the behavior of the insiders and know how to respond to malicious insider threats. For this, we define the notations and terminologies that are used in the proposed game model (which is denoted as $\mathsf{\Gamma }$) as follows: $R_{\mathrm{aut} }$ (request data access through authentication), $R_{cyb}$ (request data access through cyberattack), $D_{\mathrm{accept} }$ (accept data access request and release data), $D_{\mathrm{reject} }$ (reject data access request and do not release data), and $C_{cyb}\in$ $\left(\mathrm{0,1}\right)$ (cost of cyberattack). The action sets of an insider and the defender can be written as ${\mathcal{A}}_I=\left\{R_{\mathrm{aut} },R_{\mathrm{cyb} }\right\},{\mathcal{A}}_d=\left\{D_{\mathrm{accept} },D_{\mathrm{reject} }\right\}$. Also, the type set of insiders $\mathsf{\Omega }=\{$ malicious $\left(\mathrm{M}\right)$, legitimate $\left(\mathrm{L}\right)\}$. The pure strategy set of an insider is given by $S_I=\left\{R_{aut}^M{R}_{aut}^L,R_{cyb}^M{R}_{aut}^L\right\}$, where $R_{cyb}^M{R}_{aut}^L$ is the strategy with which the insider would launch a cyberattack if he/she is malicious (M). On the other hand, if he/she is legitimate (L), he/she would take the authentication process to access the data. Similarly, the other strategy, $R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L$, can be defined. In addition, the pure strategy set of the defender is given by $S_D=\left\{D_{\mathrm{accept} },D_{\mathrm{reject} }\right\}$. That is, the defender can respond to the data access request by either accepting or rejecting it.

Nature’s probability distribution on insider’s type space is given by $\mathsf{\Phi }:\mathsf{\Omega }\mapsto \left[\mathrm{0,1}\right]$, such that $\mathsf{\Phi }\left(M\right)=\delta$ and $\mathsf{\Phi }\left(L\right)=1-\delta$. That is, the probability that an insider is malicious is $\delta$, whereas the insider is legitimate with a probability of $1-\delta$. This is common knowledge among the two players—the insider and the defender. Let $\beta \in$ $\left(\mathrm{0,1}\right)$ denote the payoff assigned to a malicious insider and $\omega \in \left(\mathrm{0,1}\right)$ denote the payoff to the defender due to the discovery of a malicious insider identity or the protection of data (and $-\omega$ reflects the loss as a result of data compromise or not detecting a malicious insider identity). In the case of identity detection, for example, the defender can improve the data security by removing the malicious insider from the project team. Furthermore, $p_1$ is used to denote the probability that the identity of the malicious insider and his/her activity are discovered in the case of proper authentication. Let $V_i(a,b\mid \theta ),i=\mathrm{1,2}$, denote the payoffs of player $i\in \mathcal{N}=\{1$ (insider), 2 (defender) $\}$ corresponding to an action profile $(a,b)\in \mathcal{A}={\mathcal{A}}_I\times {\mathcal{A}}_d$ and an insider of type $\theta \in \mathsf{\Omega }$, i.e., $V_i:\mathcal{A}\times \mathsf{\Omega }\mapsto \mathbb{R}$.

The extensive form of the game model is shown in Figure 2. In the payoffs of Figure 2, the subscript $a$ is used to represent authentication or accept as the case may be and $r$ is used to represent reject. $i_0,i_1,\dots ,i_5$ are used to denote different nodes of the game tree. The dotted oval denotes the information set of the defender. Furthermore, notations and their meanings used in the proposed models are given in Table A1 in Appendix D.

3.2.1. Payoff Functions

Now, we describe the payoff functions of the game model. Consider a strategy profile $\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\right)$ for $i\in \mathcal{N}$ given an insider is of legitimate type $L$. In this case, a legitimate insider sends a data access request and the defender accepts it. As a result, both the insider and the defender receive a certain payoff whose value is normalized to 1, i.e., $V_i\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)=1$, whereas a legitimate insider and the defender receive payoff zero if the access request is rejected, i.e., $V_i\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)=0$, $i\in \mathcal{N}$. In the case of a malicious insider, if the data access request is accepted, the insider receives payoff $\beta$ with probability $\left(1-p_1\right)$, and this is represented as $V_1\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)=\left(1-p_1\right)\beta$. On the other hand, the defender receives payoff $-\omega$ with probability $\left(1-p_1\right)$ and, therefore, $V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)=\left(1-p_1\right)(-\omega )$. In addition, if a malicious insider sends a data request and the request is rejected, both the insider and the defender receive payoff 0, i.e., $V_1\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)=0$ and $V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)=0$. However, if a malicious insider launches a cyberattack to access the data and the data are released, the insider receives payoff $\beta$ at the cost of the cyberattack $C_{cyb}\in \left(\mathrm{0,1}\right)$, i.e., $V_1\left(R_{cyb},D_{\mathrm{accept} }\mid M\right)=\beta -C_{cyb}$, whereas the defender receives $-\omega$, i.e., $V_2\left(R_{\mathrm{cyb} },D_{\mathrm{accept} }\mid M\right)=-\omega$. Furthermore, a malicious insider who sends a data access request through a cyberattack receives $-C_{cyb}$ if the request is rejected and the defender also receives payoff zero, i.e., $V_1\left(R_{cyb},D_{\mathrm{reject} }\mid M\right)=-C_{cyb}$ and $V_2\left(R_{cyb},D_{\mathrm{reject} }\mid M\right)=0$.

Thus, we can express the expected payoff function of $i\in \mathcal{N}$, which is given by $U_i:S_I\times$ $S_D\mapsto \mathbb{R}$, where $U_1\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)=\delta V_1\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)+(1-\delta )V_1\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)=$ $\delta \left[\left(1-p_1\right)\beta \right]+(1-\delta )$. In addition, $U_2\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)=\delta V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)+(1-$ $\delta )V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)=\delta \left[\left(1-p_1\right)(-\omega )\right]+(1-\delta )$.

Similarly, the other expected payoffs corresponding to different strategy profiles can be expressed as $U_1\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }\right)=0,U_2\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }\right)=0,U_1\left(R_{\mathrm{cyb} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)=$ $\delta \left[\beta -C_{cyb}\right]+(1-\delta ),U_2\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)=\delta \left[\right(-\omega \left)\right]+(1-\delta ),U_1\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }\right)=$ $\delta \left(-C_{cyb}\right)$ and $U_2\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }\right)=0$.

3.2.2. Solution of the Game: Bayesian Nash Equilibrium (BNE)

Let $x_1={\displaystyle \frac{1}{1+\omega \left(1-p_1\right)}}$ and $y_1={\displaystyle \frac{1}{1+\omega }}$. Then, we solve the game model and present the solution in the following proposition.

Here, ${\eta }^{\mathrm{*}}$ and ${\lambda }^{\mathrm{*}}$ are given by Equation (A1) and Equation (A2), respectively, in Appendix A.

(ii) If $C_{cyb}>\beta p_1$, then

(2) $BNE(\Gamma )=\left\{\begin{array}{ll} \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }\right)& \mathit{if} 0<\delta <x_1\\ \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{reject} }\right)& \mathit{if} x_1<\delta <1\end{array}\right.$

The results of Proposition 1 provide insights into the optimal strategies of insiders (malicious or legitimate) and defenders based on the probability $\delta$ of an insider being malicious. The solutions are categorized based on the relationship between the cost of a cyberattack $C_{cyb}$ and the benefit of the attack $\beta p_1$.

When $C_{cyb}<\beta p_1$,

• If $0<\delta <y_1$, the unique pure strategy equilibrium suggests that malicious insiders opt for cyberattacks $\left(R_{cyb}^M\right)$, while legitimate insiders choose authentication $\left(R_{aut}^L\right)$. The defender, in response, accepts the data access request $\left(D_{\mathrm{accept} }\right)$.

• If $y_1<\delta <x_1$, a mixed strategy equilibrium emerges, with malicious insiders alternating between cyberattacks and authentication (${\lambda }^{\mathrm{*}}$ and $1-$ ${\lambda }^{\mathrm{*}}$) and legitimate insiders also using authentication with probability ${\lambda }^{\mathrm{*}}$. The defender adapts probabilistically.

• If $x_1<\delta <1$, both malicious and legitimate insiders choose authentication $\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L\right)$ but the defender rejects the access request $\left(D_{\mathrm{reject}}\right)$.

This scenario illustrates the increasing cautiousness of the defender as the probability of an insider being malicious $\left(\delta \right)$ rises. For lower values of $\delta$, the defender prefers to grant access, balancing potential risks. For intermediate values, the strategies diversify, reflecting uncertainty. For high $\delta$, a strict rejection policy dominates, protecting sensitive data.

When $C_{cyb}>\beta p_1$,

• If $0<\delta <x_1$, the unique pure strategy equilibrium involves all insiders choosing authentication ($\left.R_{aut}^M,R_{aut}^L\right)$, and the defender grants access $\left(D_{\mathrm{accept}}\right)$.

• If $x_1<\delta <1$, the strategy shifts, with all insiders continuing to authenticate, but the defender now rejects access ($D_{\mathrm{reject} }$).

Higher costs of launching a cyberattack discourage malicious insiders from pursuing such strategies. The defender’s responses align with the increasing probability of malicious intent, transitioning from acceptance to rejection as $\delta$ grows.

The results demonstrate how the interplay between attack cost, benefit, and malicious probability ($\delta$) governs the strategic behavior of both insiders and the defender.

3.2.3. Extended Simultaneous Move Game Model

In the previous game model, the probability that a malicious insider who launches a cyberattack is detected is not considered. Therefore, the game model is insufficient to capture the behavior of malicious insiders who can carry out a cyberattack to gain data access. Hence, we consider this aspect and discuss the extended model (denoted by ${\mathsf{\Gamma }}_1$) by incorporating this probability. To this end, let $p_2$ denote the probability that the identity of the malicious insider and his/her activity are discovered and assume that $p_1>p_2$. Recall that $\beta$ is the payoff (or gain) to the attacker due to the data compromised and $-\beta$ measures the intensity of penalty to the attacker if detected, i.e., the higher the value of $\beta$, the greater the severity of the penalty, and $\omega \in \left(\mathrm{0,1}\right)$ is the payoff to the defender due to the discovery of a malicious insider identity or the protection of data. Additionally, $-\omega$ measures the loss due to data compromise or failure to discover the malicious insider identity. Furthermore, corresponding to the proper/smooth functioning of the project work, payoff 1 is assigned. In contrast, penalty 0 is assigned to both the legitimate insider and the defender for rejecting a legitimate data access request. In this case, the data are withheld, causing inefficiency in the project work.

Now, suppose that an insider of the legitimate type sends a data access request to the data defender. This request is responded to by the defender using accept $\left(D_{\mathrm{accept} }\right)$. Therefore, the corresponding payoff functions can be written as $V_i\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)=$ $1,i\in \mathcal{N}$. On the other hand, rejecting the request results in the payoff function $V_i\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)=0,i\in \mathcal{N}$.

Consider that a malicious insider sends a data access request through authentication, and this is accepted by the defender; the payoff of the malicious insider can be written as $V_1\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)=p_1(-\beta )+\left(1-p_1\right)\beta$. On the other hand, if the request is accepted, the payoff to the defender is given by $V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)=p_1\omega +\left(1-p_1\right)(-\omega )$. Also, consider that a malicious insider sends a data request through authentication and the request is rejected by the defender. In this case, both the malicious insider and the defender receive the payoff 0. Therefore, the insider’s payoff function is given by $V_i\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)=0,i\in \mathcal{N}$.

Furthermore, if an insider makes a data access request through a cyberattack and the request is accepted, then the corresponding payoff functions can be written as $V_1\left(R_{cyb},D_{\mathrm{accept} }\mid M\right)=p_2(-\beta )+\left(1-p_2\right)\beta -C_{cyb}$. Moreover, as for the defender, the payoff function is $V_2\left(R_{\mathrm{cyb} },D_{\mathrm{accept} }\mid M\right)=p_2\left(\omega \right)+\left(1-p_2\right)(-\omega )$. Also, when the malicious insider request is rejected by the defender, we have $V_1\left(R_{cyb},D_{\mathrm{reject} }\mid M\right)=-C_{cyb}$ and $V_2\left(R_{\mathrm{cyb} },D_{\mathrm{reject} }\mid M\right)=0$.

Thus, we can write the expected payoff function of $i\in \mathcal{N},U_i:S_I\times S_D\mapsto \mathbb{R}$, where

$\begin{array}{l}{U}_1\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept}}\right)=\delta V_1\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid M\right)+(1-\delta )V_1\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid L\right). \\ \mathit{or} U_1\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept}}\right)=\delta \left[p_1(-\beta )+\left(1-p_1\right)\beta \right]+(1-\delta ).\end{array}$

Also, $U_2\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept}}\right)=\delta V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)+(1-\delta )V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)$ or $U_2\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept}}\right)=\delta \left[p_1\omega +\left(1-p_1\right)(-\omega )\right]+(1-\delta )$. The expected payoff functions corresponding to the other strategy profiles can be obtained similarly.

3.2.4. Solution of the Extended Simultaneous Move Game Model

Let $x^{\mathrm{*}}={\displaystyle \frac{1}{1+\omega \left(1-2p_1\right)}}$ and $y^{\mathrm{*}}={\displaystyle \frac{1}{1+\omega \left(1-2p_2\right)}}$. We have the following proposition:

The mixed strategies ${\eta }_1^{\mathrm{*}}$ and ${\lambda }_1^{\mathrm{*}}$ are given by Equation (A13) and Equation (A16), respectively, in Appendix B.

(ii) If $C_{cyb}>2\beta \left(p_1-p_2\right)$, then

(4) $BNE\left({\Gamma }_1\right)=\left\{\begin{array}{ll} \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }\right)& \mathit{if} 0<\delta <x^{\ast }\\ \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{reject} }\right)& \mathit{if} x^{\ast }<\delta <1\end{array}\right.$

The results of Proposition 2 extend the analysis by considering two probability parameters, $p_1$ and $p_2$, representing the likelihoods of malicious behavior by insiders under different conditions. The equilibrium strategies are influenced by the relationship between the cost of a cyberattack $\left(C_{cyb}\right)$ and the threshold value $2\beta \left(p_1-p_2\right)$.

When $C_{cyb}<2\beta \left(p_1-p_2\right)$,

• If $0<\delta <y^{\mathrm{*}}$, the unique pure strategy equilibrium indicates that malicious insiders launch cyberattacks $\left(R_{cyb}^M\right)$, legitimate insiders authenticate $\left(R_{\mathrm{aut} }^L\right)$, and the defender accepts the access request $\left(D_{\mathrm{accept}}\right)$.

• If $y^{\mathrm{*}}<\delta <x^{\mathrm{*}}$, t mixed strategy equilibrium arises, with malicious insiders mixing between cyberattacks and authentication strategies $\left({\lambda }_1^{\mathrm{*}}\right.$ and $1-{\lambda }_1^{\mathrm{*}}$) and legitimate insiders also adopting a probabilistic authentication strategy $\left({\eta }_1^{\mathrm{*}}\right.$ and $\left.1-{\eta }_1^{\mathrm{*}}\right)$. The defender adjusts probabilistically.

• If $x^{\mathrm{*}}<\delta <1$, both malicious and legitimate insiders select authentication $\left(R_{aut}^M,R_{aut}^L\right)$ but the defender rejects the access request $\left(D_{\mathrm{reject}}\right)$.

For $C_{cyb}<2\beta \left(p_1-p_2\right)$, the defender’s strategies shift dynamically as $\delta$ (the probability of a malicious insider) increases:

• At low $\delta$, the defender is inclined to accept requests, reflecting a trust-oriented strategy when the malicious probability is low.

• For intermediate $\delta$, mixed strategies dominate, reflecting the defender’s uncertainty and the malicious insider’s strategic adaptation.

• At high $\delta$, rejection becomes the optimal strategy to mitigate the risk posed by potentially malicious insiders.

When $C_{cyb}>2\beta \left(p_1-p_2\right)$,

• If $0<\delta <x^{\mathrm{*}}$, the unique pure strategy equilibrium involves all insiders selecting authentication $\left(R_{aut}^M,R_{aut}^L\right)$ and the defender accepts the request $\left(D_{\mathrm{accept} }\right)$.

• If $x^{\mathrm{*}}<\delta <1$, the strategy shifts, with all insiders continuing to authenticate, but the defender rejects the access request ($D_{\mathrm{reject} }$).

Higher costs of launching a cyberattack ($C_{cyb}$) discourage malicious insiders from attacking, leading to more consistent behavior. The defender’s response aligns with the increasing probability of malicious insiders, transitioning from acceptance to rejection as $\delta$ grows.

The results illustrate how the interplay between attack cost, insider probabilities, and the likelihood parameters $p_1$ and $p_2$ governs the strategic behavior of insiders and defenders. These findings provide a theoretical foundation for designing adaptive defense mechanisms that respond to varying insider threat scenarios.

3.3. Sequential Move Game Model

In the previous section, we considered a simultaneous move game model in which each of the players takes an action simultaneously without knowing the actions taken by the other player. In this section, we consider the attack dynamics where an insider makes a data access request, which is observed by a data defender who has prior beliefs about the insider and responds to the request based on the updated beliefs of the insider type.

Let us recall that a malicious insider can request data access in two ways: (i) authentication (misuse of privilege) and (ii) cyberattack, such as defense bypass, to evade detection from the IDS [38]. When an insider makes a data request through authentication, the defender observes this activity. Although the defender perceives that the request is made using an authentication, he/she has prior beliefs that the access request comes from a malicious insider with probability $\delta$. Hence, for the defender, accepting a request that comes from authentication is not always optimal. Moreover, when an insider tries to gain access to data through a cyberattack, another challenging decision problem faced by the defender would be whether it is always optimal to reject the suspicious request. This might not always be optimal because a malicious insider’s identity cannot be discovered by rejecting the access request, thereby providing him/her with another opportunity to launch attacks in the future. In fact, accepting a suspicious request at the cost of data security can lead to the detection of malicious activity as well as the discovery of a malicious insider’s identity. As a result, the project team can get rid of the malicious insider to enhance data security. However, at the same time, accepting a suspicious request is not always optimal, as there is a probability that the malicious insider identity might not be discovered at all. Thus, we develop a sequential move Bayesian game model (which is denoted as ${\mathsf{\Gamma }}_2$) to capture this scenario and predict a malicious insider’s behavior as well as the best strategies to respond to the attack.

We assume that the defender employs an IDS to monitor access requests. When an insider (legitimate/malicious) makes a data access request through authentication, no alarm is triggered by the IDS for the request since the necessary authentication process is performed by the insider. However, when a malicious insider makes a data access request utilizing a cyberattack to gain access to data, an alarm is triggered by the IDS. The extensive form of the game model is shown in Figure 3. Note that in the sequential game model, the defender has two information sets denoted by a dotted oval. In contrast, in the simultaneous move game model, the defender has only one information set (see Figure 2).

Now, the strategy sets of an insider and defender can be written as

$\begin{array}{l}{S}_I^{\prime }=\left\{R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,R_{\mathit{cyb} }^M{R}_{\mathit{aut} }^L\right\}.\\ S_D^{\prime }=\left\{D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{\mathit{cyb} },D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb},D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb},D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\right\}.\end{array}$

The meaning of elements in $S_I^{\mathrm{\prime }}$ can be interpreted as in the case of the elements of $S_1$ of the simultaneous move game model. The elements of $S_D^{\mathrm{\prime }}$, however, have different interpretations. That is, $D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}$ denotes the defender’s strategy, in which the defender accepts the data request if he/she observes that it comes from an authentication process, whereas he/she rejects the access request if it comes through a cyberattack. The other strategies can be interpreted similarly.

Thus, the payoff matrix of the game model can be written as

$R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L{R}_{\mathit{cyb} }^M{R}_{\mathit{aut} }^L\left[\begin{array}{cccc}{D}_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}& D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}& D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}& D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\\ \left(x_{11},y_{11}\right)& \left(x_{12},y_{12}\right)& \left(x_{13},y_{13}\right)& \left(x_{14},y_{14}\right)\\ \left(x_{21},y_{21}\right)& \left(x_{22},y_{22}\right)& \left(x_{23},y_{23}\right)& \left(x_{24},y_{24}\right)\end{array}\right]$

Here, $x_{11}=U_1^{\mathrm{\prime }}\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{accept} }^{cyb}\right)$ and $y_{11}=U_2^{\mathrm{\prime }}\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{accept} }^{cyb}\right)$. Similarly, the other $x_{ij}$ and $y_{ij} \mathrm{s}$ have their corresponding values. The $x_{ij}$ and $y_{ij} \mathrm{s}$ can be expressed as

$\begin{array}{c}{x}_{11}=U_1^{\prime }\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}\right)=\delta V_1\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid M\right)+(1-\delta )V_1\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid L\right).\\ y_{11}=U_2^{\prime }\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}\right)=\delta V_2\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid M\right)+(1-\delta )V_2\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid L\right).\end{array}$

Similarly, we can write the expressions for the other payoffs.

3.3.1. Solution of the Sequential Move Game Model

Let $x^{\mathrm{*}}={\displaystyle \frac{1}{1+\omega \left(1-2p_1\right)}}$. Then, we have the following proposition:

(i) If $\delta <x^{\mathrm{*}}$

(5) $BNE\left({\Gamma }_2\right)=\left\{\begin{array}{ll}\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\right)& \mathit{if} C_{cyb}>\beta \left(2p_1-1\right)\\ \left(R_{\mathit{cyb} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\right)& \mathit{if} C_{cyb}<\beta \left(2p_1-1\right)\end{array}\right.$

(ii) If $\delta >x^{\mathrm{*}}$,

(6) $BNE\left({\Gamma }_2\right)=\left\{\begin{array}{ll} \mathit{No} \mathit{equilibria} & \mathit{if} C_{cyb}<\beta \left(2p_1-1\right)\\ \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\right)& \mathit{if} C_{cyb}>\beta \left(2p_1-1\right)\end{array}\right.$

(i) If $\delta <x^{\mathrm{*}}$, then

(7) $BNE\left({\Gamma }_2\right)=\left\{\begin{array}{ll}\left(R_{\mathit{cyb} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{aut}{D}_{\mathit{accept} }^{cyb}\right)& \mathit{if} C_{cyb}<2\beta \left(p_1-p_2\right)\\ \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}\right)& \mathit{if} C_{cyb}>2\beta \left(p_1-p_2\right)\end{array}\right.$

(ii) If $\delta >x^{\mathrm{*}}$, then

(8) $BNE\left({\Gamma }_2\right)=\left\{ \mathit{No} \mathit{equilibria} \mathit{for} C_{cyb}\in \left(\mathrm{0,1}\right)\right.$

BNE of the sequential move game can be represented by a flowchart based on Propositions 3 and 4, as shown in Figure 4.

Propositions 3 and 4 provide insights into optimal strategies under different conditions for $p_1$, $p_2,\delta$, and $C_{cyb}$. Here, $p_1$ represents the probability that a malicious insider launching authentication $\left(R_{aut}^M\right)$ to commit malicious acts is detected, while $p_2$ represents the probability that a malicious insider launching a cyberattack $\left(R_{cyb}^M\right)$ is detected. When the probability that a malicious insider using a cyberattack is detected is smaller than ${\displaystyle \frac{1}{2}}$, i.e., $p_2<{\displaystyle \frac{1}{2}}$, two cases arise:

Case (i): $\delta <x^{\mathrm{*}}$ (i.e., the probability that an insider is malicious is less than the value $x^{\mathrm{*}}$).

If $C_{cyb}>\beta \left(2p_1-1\right)$,

• Insider Strategy: Both malicious and legitimate insiders choose authentication $\left(R_{aut}^M{R}_{aut}^L\right)$.

• Defender Strategy: The defender accepts authentication requests ($D_{\mathrm{accept} }^{aut}$) but rejects cyberattacks $\left(D_{\mathrm{reject} }^{cyb}\right)$.

If $C_{cyb}<\beta \left(2p_1-1\right)$,

• Insider Strategy: Malicious insiders choose cyberattack and legitimate insiders choose authentication $\left(R_{cyb}^M{R}_{aut}^L\right)$.

• Defender Strategy: The defender accepts authentication requests $\left(D_{\mathrm{accept} }^{\mathrm{aut} }\right)$ but rejects cyberattacks $\left(D_{\mathrm{reject} }^{cyb}\right)$.

Case (ii): $\delta >x^{\mathrm{*}}$ (i.e., the probability that an insider is malicious is greater than $x^{\mathrm{*}}$).

If $C_{cyb}<\beta \left(2p_1-1\right)$,

• Outcome: No equilibrium exists because the defender cannot effectively balance the cost of rejecting requests and the risk of allowing malicious activity.

If $C_{cyb}>\beta \left(2p_1-1\right)$,

• Insider Strategy: Both malicious and legitimate insiders choose authentication ($R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L$).

• Defender Strategy: The defender rejects both authentication requests and cyberattacks $\left(D_{\mathrm{reject} }^{aut}{D}_{\mathrm{reject} }^{cyb}\right)$.

For $p_2<{\displaystyle \frac{1}{2}}$, the defender’s strategy depends on the cost of the cyberattack $\left(C_{cyb}\right)$ and the probability of discovering a malicious insider. At lower values of $\delta$, when the probability of malicious insiders is low, the defender is more likely to accept authentication requests while rejecting cyberattacks. At higher $\delta$, the defender increasingly rejects all requests to safeguard sensitive data.

In addition, when the probability that a malicious insider using a cyberattack is detected is greater than ${\displaystyle \frac{1}{2}}, i.e.,$ $p_2>{\displaystyle \frac{1}{2}}$, two cases arise:

Case (i): $\delta <x^{\mathrm{*}}$ (i.e., the probability that an insider is malicious is less than $x^{\mathrm{*}}$).

If $C_{cyb}<2\beta \left(p_1-p_2\right)$,

• Insider Strategy: Malicious insiders choose cyberattack and legitimate insiders choose authentication $\left(R_{cyb}^M{R}_{aut}^L\right)$.

• Defender Strategy: The defender accepts all requests $\left(D_{\mathrm{accept} }^{aut}{D}_{\mathrm{accept} }^{cyb}\right)$.

If $C_{cyb}>2\beta \left(p_1-p_2\right)$,

• Insider Strategy: Both malicious and legitimate insiders choose authentication ($R_{aut}^M{R}_{\mathrm{aut} }^L$).

• Defender Strategy: The defender accepts all requests $\left(D_{\mathrm{accept} }^{aut}{D}_{\mathrm{accept} }^{cyb}\right)$.

Case (ii): $\delta >x^{\mathrm{*}}$ (i.e., the probability that an insider is malicious is greater than $x^{\mathrm{*}}$).

For $C_{cyb}\in \left(\mathrm{0,1}\right)$,

• Outcome: No equilibrium exists because the defender cannot formulate a consistent response strategy for high $\delta$.

For $p_2>{\displaystyle \frac{1}{2}} ,$ the defender’s acceptance of cyberattacks increases because the high likelihood of detecting malicious insiders diminishes the risks associated with granting access. However, when $\delta$ is high, the absence of equilibria underscores the challenges of managing insider threats under uncertain conditions.

These findings provide actionable insights for dynamically adjusting defense strategies based on observed actions and varying probabilities of insider behavior. The results demonstrate that sequential-move games introduce strategic complexity, where the defender must adapt to observed insider actions. The balance between the acceptance and rejection of requests is influenced by factors such as the cost of cyberattacks, the likelihood of detecting malicious insiders, and the probability of malicious behavior.

3.3.2. Perfect Bayesian Nash Equilibrium (PBE)

Sometimes, players are not sequentially rational in their behavior in the BNE strategies. Therefore, we explore the players’ behavior in the game model to determine whether their behavior predicted by the equilibrium solutions is consistent. If it is consistent, the strategy is called perfect Bayesian Nash equilibrium (PBE).

(i) Now, we verify that the BNEs given by Equation (5) are the PBEs.

Let $\mu \left(i_3\mid R_{\mathrm{aut} }\right)$ and $\mu \left(i_4\mid R_{\mathrm{aut} }\right)$ denote the posterior beliefs that an insider is legitimate (L) and malicious (M), respectively, given that the insider takes action $R_{\mathrm{aut} }$. In addition, let $\mu \left(i_5\mid R_{cyb}\right)$ denote the posterior belief that an insider is malicious (M), conditional on the insider choosing action $R_{cyb}$.

The posterior belief is updated based on the Bayes’ rule:

$\begin{array}{l}\mu \left(i_3\mid R_{\mathrm{aut} }\right)={\displaystyle \frac{P\left( \mathrm{Insider} \mathrm{is} \mathrm{legitimate} \mathrm{and} \mathrm{chooses} R_{\mathrm{aut} }\right)}{P\left( \mathrm{Insider} \mathrm{is} \mathrm{legitimate} \mathrm{and} \mathrm{chooses} R_{\mathrm{aut} }\right)+P\left( \mathrm{Insider} \mathrm{is} \mathrm{malicious} \mathrm{and} \mathrm{chooses} R_{\mathrm{aut} }\right)}}\\ \mathrm{or} \mu \left(i_3\mid R_{\mathrm{aut} }\right)={\displaystyle \frac{(1-\delta ){\varphi }_L}{(1-\delta ){\varphi }_L+\delta {\varphi }_M}},\\ \mathrm{where} {\varphi }_L=P\left( \mathrm{Insider} \mathrm{chooses} R_{\mathrm{aut} }\mid \mathrm{Insider} \mathrm{is} \mathrm{legitimate} \left(\mathrm{L}\right)\right) \mathrm{and} \\ {\varphi }_M=P\left( \mathrm{Insider} \mathrm{chooses} R_{\mathrm{aut} }\mid \mathrm{Insider} \mathrm{is} \mathrm{malicious} \left(\mathrm{M}\right)\right). \mathrm{Note} \mathrm{that} {\varphi }_L=1. \end{array}$

Thus, we can write the other posterior beliefs as below:

$\begin{array}{l}\mu \left(i_4\mid R_{aut}\right)={\displaystyle \frac{\delta {\varphi }_M}{\left.\delta {\varphi }_M+(1-\delta ){\varphi }_L\right)}}\\ \mu \left(i_5\mid R_{cyb}\right)={\displaystyle \frac{\delta \left(1-{\varphi }_M\right)}{\delta \left(1-{\varphi }_M\right)+(1-\delta )\left(1-{\varphi }_L\right)}},\\ \mathrm{or} \mu \left(i_5\mid R_{cyb}\right)=1 \mathrm{since} {\varphi }_L=1.\end{array}$

From Figure 3, we have two information sets of the defender: $H_1=\left\{i_3,i_4\right\}$ and $H_2=$ $\left\{i_5\right\}$.

To see that $\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ is a PBE of the game ${\mathsf{\Gamma }}_2$, we consider the posterior beliefs $\mu \equiv \left[\mu \left(i_3\mid R_{\mathrm{aut} }\right),\mu \left(i_4\mid R_{\mathrm{aut} }\right),\mu \left(i_5\mid R_{\mathrm{cyb} }\right)\right]$.

The strategy $R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L$ corresponds to ${\varphi }_M=1$ and ${\varphi }_L=1$ so that the posterior beliefs in $H_1$ become $\mu \left(i_3\mid R_{\mathrm{aut} }\right)=1-\delta ,\mu \left(i_4\mid R_{\mathrm{aut} }\right)=\delta$. Therefore, the information set $H_1$ is reached with positive probability. However, $H_2$ is reached with zero probability for this strategy so that we can assign any posterior belief $\mu \left(i_5\mid R_{cyb}\right)\in \left[\mathrm{0,1}\right]$ [32]. Now, let us consider the expected payoffs to the defender due to the action $D_{\mathrm{accept} }$ in $H_1$, denoted by $\psi$,

$\begin{array}{l}\psi =V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)\mu \left(i_3\mid R_{\mathrm{aut} }\right)+V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)\mu \left(i_4\mid R_{\mathrm{aut} }\right)\\ \mathrm{or} \psi =V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)(1-\delta )+V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)\delta .\end{array}$

Now, the expected payoff to the defender due to the action $D_{\mathrm{reject} }$ denoted by ${\psi }^{\mathrm{\prime }}$ in $H_1$ is given by

$\begin{array}{l}{\psi }^{\mathrm{\prime }}=V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)\mu \left(i_3\mid R_{\mathrm{aut} }\right)+V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)\mu \left(i_4\mid R_{\mathrm{aut} }\right)\\ \mathrm{or} {\psi }^{\mathrm{\prime }}=V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)(1-\delta )+V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)\delta .\end{array}$

It can be noticed that $\psi =y_{12}$ and ${\psi }^{\mathrm{\prime }}=y_{14}$. Moreover, if $\delta \in {\mathsf{\Delta }}_3$, we know that $y_{12}>y_{14}$, i.e., $\psi >{\psi }^{\mathrm{\prime }}$. This implies that $D_{\mathrm{accept} }$ is the best response to $R_{\mathrm{aut} }$ in $H_1$. Furthermore, we need to show that $D_{\mathrm{reject} }$ is also the best response to $R_{cyb}$ in $H_2$. Let $\zeta$ and ${\zeta }^{\mathrm{\prime }}$ denote the expected payoffs due to the actions $D_{\mathrm{accept} }$ and $D_{\mathrm{reject} }$, respectively, in $H_2$. Therefore, we can write

$\begin{array}{l}\zeta =V_2\left(R_{\mathrm{cyb} },D_{\mathrm{accept} }\mid M\right)\mu \left(i_5\mid R_{\mathrm{cyb} }\right) \mathrm{and} \\ {\zeta }^{\mathrm{\prime }}=V_2\left(R_{\mathrm{cyb} },D_{\mathrm{reject} }\mid M\right)\mu \left(i_5\mid R_{\mathrm{cyb} }\right), \mathrm{where} \mu \left(i_5\mid R_{\mathrm{cyb} }\right)\in \left[\mathrm{0,1}\right].\end{array}$

It can be seen that ${\zeta }^{\mathrm{\prime }}>\zeta$ when $p_2<{\displaystyle \frac{1}{2}}$. Thus, we know that the defender plays the best response in each of the information sets $H_1$ and $H_2$. Hence, the strategy profile $\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ is a $\mathrm{P}\mathrm{B}\mathrm{E}$ of ${\mathsf{\Gamma }}_2$.

Also, consider the pure-strategy BNE $\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ given by Equation (5). This strategy corresponds to ${\varphi }_M=0$ and ${\varphi }_L=1$. This leads to the posterior beliefs $\mu \left(i_3\mid R_{\mathrm{aut} }\right)=1,\mu \left(i_4\mid R_{\mathrm{aut} }\right)=0$ and $\mu \left(i_5\mid R_{\mathrm{cyb} }\right)=1$. It can be seen that with this strategy, the two information sets $H_1$ and $H_2$ are reached with positive probabilities. Furthermore, the defender plays the best response $D_{\mathrm{accept} }$ in $H_1$ with the updated posterior beliefs as the expected payoffs $\left.\psi =V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\right)\mid L\right)$ and ${\psi }^{\mathrm{\prime }}=$ $V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)$ are such that $\psi >{\psi }^{\mathrm{\prime }}$. Also, the defender plays the best response $D_{\mathrm{reject} }$ in $H_2$, i.e., $\zeta <{\zeta }^{\mathrm{\prime }}$, where $\zeta =V_2\left(R_{\mathrm{cyb} },D_{\mathrm{accept} }\mid M\right)$ and ${\zeta }^{\mathrm{\prime }}=V_2\left(R_{\mathrm{cyb} },D_{\mathrm{reject} }\mid M\right)$ and Equation (5) is derived subject to the constraint $p_2<{\displaystyle \frac{1}{2}}$. Therefore, the defender plays the best response in both the information sets $H_1$ and $H_2$ and, hence, the strategy $\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ is a PBE.