This paper presents a novel approach using game theory to assess the risk likelihood in manufacturing systems quantifiably. Cybersecurity is a pressing issue in the manufacturing sector. Nevertheless, managing the risk in cybersecurity has become a critical challenge for modern manufacturing enterprises. In risk management thinking, the first step is to identify the risk, then validate it, and lastly, consider responses to the risk. If the risk is below the security risk appetite of the manufacturing system, it could be accepted. However, if it is above the risk appetite, the system should appropriately respond by either avoiding, transferring, or mitigating the risk. The validation of the risk in terms of severity and likelihood of the threat, however, is challenging because the later component is hard to quantify. In this paper, Failure Modes and Effects Analysis (FMEA) method is modified by employing game theory to quantitatively assess the likelihood of cyber-physical security risks. This method utilizes the game theory approach by modeling the rivalry between the attacker and the system as a game and then try to analyze it to find the likelihood of the attacker’s action. We first define players of the game, action sets, and the utility function. Major concerns of cyber security issues in the manufacturing area are carefully considered in defining the cost function composed of defense policy, loss in production, and recovery. A linear optimization model is utilized to find a mixed-strategy Nash Equilibrium, which is the probability of choosing any action by the attacker also known as the likelihood of an attack. Numerical experiments are presented to further illustrate the method. Forecasting the attacker’s behavior enables us to assess the cybersecurity risk in a manufacturing system and thereby be more prepared with plans of proper responses.
A review of game theory approach to cyber security risk management