The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. This paper was originally accepted at 30th IEEE Computer Security Foundations Symposium (CSF '17).

The researchers endeavor to "identify the best strategy for the use of an identified zero-day vulnerability in a 'cyber-warfare' scenario where any action may reveal information to adversaries." They develop a game-theoretic model and the ability to quickly find optimal solutions to it. These strategies aid humans and computers in making decisions when dealing with previously unknown vulnerabilities in computer systems. This model accounts for both attack and defensive actions and imperfect information about the current status. Actions that can be taken include attacking by using this vulnerability, patching one's own systems, stockpiling for later, or taking no action. The model also develops steps for one to follow over time, such as patching one's own computers for a period and then later attacking.

The paper was selected because it exemplifies outstanding scientific research, is technically sound, and is well written. The authors develop a cyber-warfare strategy based on strong scientific methods and this new approach performs better than what was previously known. The reviewers particularly liked that the game theoretic model was reflective of the physical world with a realistic set of assumption and attributes, which is refreshing to see in game theory papers. The paper is noteworthy in the validation effort to test the effectiveness of the game theory strategy. They applied their game theory strategy to the to the 3rd place team at the DARPA Cyber Grand Challenge. Validation of research with real world situations is important in science and helps build confidence in that results apply to real-life situtations. The attributes of this paper make it well deserving of winning the 6th Annual Best Scientific Cybersecurity Paper Competition.

The winning authors attended a special recognition ceremony at NSA in November.

The winning paper was selected from 28 nominations for papers published in 2017. The competition included two papers that addressed the philosophical question of 'what is a science of security?' The reviewers in the competition appreciate their work in helping to shape and mature the security discipline. As such, the authors are invited to further discuss their perspectives at the Hot Topics in Science of Security (HoTSoS) meeting in April 2019.

The first paper, SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit by Cormac Herley and Paul van Oorschot, examines what has been done in Science of Security and puts it in context with historical science to offer observations and insights. They propose 11 constructive suggestions on how the discipline can improve and learn from the development of other disciplines. This paper was originally published in 2017 IEEE Symposium on Security and Privacy.

The second paper is Practicing a Science of Security: A Philosophy of Science Perspective by Jonathan Spring, Tyler Moore and David Pym; published at the 2017 New Security Paradigms Workshop. They examined purported serious obstacles to the practice of a science of security and found that they are either misguided or can be overcome.