Mitigating Malicious Insider Threats to Common Data Environments in the Architecture, Engineering, and Construction Industry: An Incomplete Information Game Approach

Abstract

Common data environments (CDEs) are centralized repositories in the architecture, engineering, and construction (AEC) industry designed to improve collaboration and project efficiency. However, CDEs hosted on cloud platforms face significant risks from insider threats, as stakeholders with legitimate access may act maliciously. To address these vulnerabilities, we developed a game-theoretic framework using Bayesian games that account for incomplete information, modeling both simultaneous and sequential interactions between insiders and data defenders. In the simultaneous move game, insiders and defenders act without prior knowledge of each other’s decisions, while the sequential game allows the defender to respond after observing insider actions. Our analysis used Bayesian Nash Equilibrium to predict malicious insider behavior and identify optimal defense strategies for safeguarding CDE data. Through simulation experiments and validation with real project data, we illustrate how various parameters affect insider–defender dynamics. Our results provide insights into effective cybersecurity strategies tailored to the AEC sector, bridging theoretical models with practical applications and supporting data security within the increasingly digitalized construction industry.

1. Introduction

The utilization of robotics, the adoption of various communication technologies, and the integration of building information modeling (BIM) processes into construction tasks are accelerating the digital transformation of the architecture, engineering, and construction (AEC) industry [1]. This transformation has resulted in an increased amount of data stored in digital formats, including sensitive information (e.g., design files, intellectual property, bid documents) that are prone to cyberattacks [1]. Despite the increasing reliance on digital tools, the importance of robust security measures to protect construction projects has been overlooked, leaving the industry exposed to various cyber threats [2]. The complex nature of construction projects’ supply chains and the involvement of many stakeholders (e.g., owner, contractors, engineers, suppliers) from different disciplines (e.g., structural, architectural, mechanical) further increase the challenge of providing secure and efficient data exchange.

The risks associated with these vulnerabilities are evident in recent cyber incidents targeting construction companies. These include data breaches (i.e., theft, modification, and exposure of sensitive data), fraudulent wire transfers, and property damages [1]. For example, hackers stole the design files of the Australian Intelligence Service’s headquarters during its construction in 2013 [2]. This proves that design documents can also be valuable for malicious actors when a constructed building is of strategic importance to the government. A white paper prepared by the security software company FinalCode also presented the risks of insider threats targeting CAD files in design-centric businesses [3]. In addition, employees’ and other stakeholders’ personal information can be a target of attackers. For instance, Turner Construction was targeted by a phishing attack in 2016, exposing the tax information and social security numbers of its employees [4]. Similar attacks also damage the reputation of the targeted companies and can cause disruptions to business operations.

Common data environments (CDEs), introduced as centralized data repositories (see Figure 1) to enhance collaboration among stakeholders in BIM-enabled projects, aim to improve data security and management [1]. However, the reliance on centralized CDEs has introduced a single point of failure, as highlighted by several studies proposing decentralized alternatives utilizing blockchain and the interplanetary file system (IPFS) [5,6]. Protection against data theft becomes a significant challenge as the information exchange reaches its peak with the increasing use of BIM/CDE tools, particularly in design–build and integrated project delivery (IPD) projects [7].

Several document types can be sensitive depending on the project type. For example, the cost and profitability calculations and financial forecast files of large-scale projects are considered confidential. Such documents typically include the unit cost of constructing different elements of the structure, procurement and subcontract details for different materials and services, and the project’s cash flow. Therefore, a potential leakage of such documents would give a competitive advantage to the rivals of the construction company, resulting in financial loss. Another sensitive document would be design files, especially considering the construction of buildings such as embassies, prisons, military bases, and critical government buildings.

Even though the provided examples of cyberattacks were conducted by external actors, the motivation and consequences would be similar in case of insider threat. Turk et al. [8] and Mantha et al. [1] pointed out that various stakeholders involved in construction projects might be motivated to act as malicious insiders for various reasons, including financial gain and espionage. These motivations are aligned with the previous examples of external cyberattacks targeting construction companies. Supporting these claims, a recent survey on cybersecurity in the construction industry reported that 20% of the respondents considered malicious insider threats the highest-level concern [9]. Moreover, considering that the insiders might have legitimate access to the CDE and the mentioned sensitive documents, detection can be more complicated and the outcomes can be more devastating.

Addressing insider threats within CDEs is paramount for safeguarding sensitive construction project data, which constitutes the primary motivation of this study. Mitigating these risks requires proactive strategies beyond traditional cybersecurity measures to encompass insider threat detection and response. To this end, we propose game-theoretic models to analyze and predict malicious insider behavior and devise optimal strategies for protecting sensitive data within CDEs. This paper contributes to the ongoing efforts to enhance cybersecurity in the AEC industry by (1) developing simultaneous and sequential game-theoretic models to understand insider threat dynamics, (2) verifying the proposed models through simulations and hypothetical scenarios, and (3) validating the applicability of the models using real project data.

The remainder of this paper is structured as follows. Section 2 outlines the related work, identifies drawbacks in the existing literature, and discusses the motivations behind this research. Section 3 presents the methodology, introduces the proposed simultaneous and sequential move game models, and provides their solutions. Section 4 verifies the proposed models through simulations, hypothetical scenarios, and real project data. Section 5 discusses the results and limitations and Section 6 concludes this paper.

2. Related Work

Research has been conducted to deal with cybersecurity issues in critical infrastructures [10]. Various approaches have also been used to mitigate insider threats [11]. Hu et al. [12] addressed the joint threat from an advanced persistent threat (APT) attacker and insiders targeting a resource defender employing a differential game approach. The scenario in [12] considered a malicious insider who collaborates with the APT attacker by exchanging sensitive information, such as passwords, to help them achieve their malicious goals. Meanwhile, the defender employs countermeasures to regain control of the compromised resources. In the attack process, however, the defender does not consider any prior beliefs about an insider as to whether he/she would act as a regular or malicious one, which is necessary to respond to the possible threats caused by the insider. In addition, how the data/information is obtained by the malicious insider is not specified [12]. Ni et al. [13] discussed malicious insider attacks in a nuclear power plant based on an evolutionary game model. In this model, a malicious insider has two options, i.e., to perform or not perform the adversarial attacks. At the same time, the plant’s defender can implement either a severe punishment scheme or a less strict penalty for malicious insiders. Their proposed game solutions show how insiders would behave concerning their emotions. Kim et al. [14,15] also proposed a Stackelberg game model of defender–adversary interactions along with the possibility of various insiders being involved in a nuclear facility attack. Their analyses identified which insider threat was more critical concerning the facility’s security. In the models proposed by Ni et al. [13] and Kim et al. [15], the defender/security department has no preconceived idea about how its employees will behave towards sensitive resources. Furthermore, the authors in [13,15] did not specify how the malicious goal is achieved; in other words, whether authentication or cyberattack is to be launched against the resources to obtain access/steal the resources or sabotage the facilities. Liu et al. [16] presented a model to detect malicious insider threats using a zero-sum stochastic game assuming partially observable states. Kantzavelou et al. [17] also proposed a repeated game model in which insiders interact with the system defender, an intrusion detection system (IDS). Their model predicts future interactions between insiders and the system defender. In addition, Elmrabit et al. [18] developed a model based on a Bayesian network to predict insider threats prior to a data breach, taking into account various aspects such as technological, organizational, and human factors. The model draws on various components to predict the probability of insider threat risk. However, in these works [16,17,18], no penalty for malicious insiders is imposed, which is a crucial demotivating factor as to whether or not an insider would commit malicious acts to optimize his/her gain or benefits. Laszka et al. [19] introduced a secure team selection framework where the team manager has a secret to share with her team, whereas an insider attacker wants to learn the secret by bribing one of the potential team members. The scenario is analyzed using a stochastic game. Feng et al. [20] and Cansever [21] discussed a game model in which an insider can take part in the game between an attacker and the system defender. The insider can help achieve the attacker’s goal while sharing the revenue. In addition, an incentive-based model was introduced by Liu et al. [22] to mitigate malicious insider threats.

The concept of synergy has been explored in game theory to understand how collaboration among players can enhance outcomes through mutual assistance and interdependence. Cooperative game theory introduces measures like the Shapley value to assess individual contributions within coalitions and identify scenarios where synergetic effects yield greater collective benefits than independent actions [23]. These insights are particularly relevant for designing strategies that align the interests of diverse stakeholders in cybersecurity contexts, including insider threat scenarios.

An adversarial risk analysis approach was adopted by Joshi et al. [24] to analyze malicious insider threats and tackle the traceability issue of adversarial insider attacks. A traceability system with respect to insider attackers was proposed by Hu et al. [25] using blockchain. Moreover, machine learning techniques were used to detect malicious insider threats [26,27,28,29,30,31], where most of the work focused on reactive measures failing to counter proactive challenges. It can be observed that the existing literature does not consider several aspects (see

Table 1. Different aspects considered (yes) or not considered (no) in the literature.

Authors	Approach	Aspects Considered
		A1	A2	A3	A4	A5
Liu et al. [16]	Stochastic game	yes	no	yes	yes	no
Laszka et al. [19]	Stochastic game	yes	no	yes	no	no
Liu et al. [22]	Static game	yes	yes	no	no	no
Hu et al. [12]	Differential game	yes	yes	no	yes	no
Feng et al. [20]	Sequential game	yes	yes	no	yes	no
Cansever et al. [21]	Stackelberg game	yes	yes	no	yes	no
Kim et al. [14]	Stackelberg game	yes	no	yes	yes	no
Kantzavelou et al. [17]	Repeated game	yes	no	yes	yes	no
Ni et al. [13]	Evolutionary game	yes	yes	no	yes	no
Hu et al. [25]	Blockchain	yes	no	yes	yes	no
Elmrabit et al. [18]	Bayesian network	yes	no	no	yes	yes
Joshi et al. [24]	Adversarial risk analysis	yes	no	no	yes	yes
Azaria et al. [29]	Machine learning	yes	no	yes	yes	no
Hall et al. [27]	Machine learning	yes	no	yes	yes	no
Kim et al. [26]	Machine learning	yes	no	yes	yes	no
Al-Shehari et al. [28]	Machine learning	yes	no	yes	yes	no
Brdiczka et al. [31]	Graph learning	yes	no	yes	yes	no
Chattopadhyay et al. [30]	Time-series classification	yes	no	yes	yes	no

) that are necessary for predicting malicious insider behaviors and deriving the best defense strategies against such attacks. It is clear that modeling malicious insider threats without considering all of these aspects has drawbacks in capturing the realistic situation. Notably, previous studies on the behavior of malicious insiders assume complete information about the game structure. However, this assumption is unrealistic since insiders’ intentions, such as being malicious or honest, are not entirely known to the data defender. Moreover, to the best of the authors’ knowledge, no study has discussed insider threat modeling considering the construction industry. Therefore, in this paper, we propose novel incomplete information game models in the context of the construction industry incorporating the following aspects:

• Aspect 1 (A1): The value of information/data/resources to an insider.
• Aspect 2 (A2): Penalty to a malicious insider when his/her activity and identity are exposed.
• Aspect 3 (A3): How the sensitive information/data are compromised (e.g., through authentication or cyberattack).
• Aspect 4 (A4): The probability of discovering the malicious activities and the insider’s identity.
• Aspect 5 (A5): The prior belief/information that the data defender has about an insider.

The main contributions of this paper are highlighted below:

i. The existing literature predominantly examines malicious attacks executed via cyberattacks, often neglecting the potential for insider threats initiated through legitimate authentication processes. This oversight is particularly relevant for the AEC industry, where stakeholders have legitimate access to data within CDEs but may misuse this access for malicious purposes. Our research fills this gap by modeling insider threats that can arise through cyberattacks and authorized access, presenting a more comprehensive view of vulnerabilities in CDEs.

ii. The existing literature often assumes complete information regarding insider behavior types, overlooking the ambiguity of legitimate versus malicious intentions within the AEC environment. Our research introduces a Bayesian game model that incorporates incomplete information, accurately reflecting the real-world complexity of insider motivations. By considering both types of insiders, our model offers a novel approach to predicting insider behavior under conditions of uncertainty, enhancing the development of targeted defense strategies against insider threats in CDEs.

iii. The rise of digitalization, BIM, and CDEs in the AEC sector has introduced unique cybersecurity challenges that current generalized insider threat models do not sufficiently address. To our knowledge, our research is the first to address insider threats to CDEs in the AEC industry.

iv. We validate our models using real project data and simulations, which demonstrate the models’ practical applicability in real-world AEC projects. This validation not only supports the theoretical framework but also provides actionable insights that can directly inform threat mitigation strategies within the industry. By bridging theoretical development with empirical testing, our research offers an applied contribution to the field, enhancing the reliability of the proposed defense mechanisms for practical cybersecurity applications.

Game theory is a mathematical study of strategic interactions of agents or players. Every player has a set of possible actions, and payoffs (i.e., cost/penalty or gain/reward) are assigned to each player based on the collective action. A common assumption is that players are rational and, thus, would want to optimize their payoffs. The solution of a game provides each player with the best strategies for making decisions or actions and no one can be better off by deviating from the strategies obtained in the solution (or equilibrium point). A game is considered a complete information model if all the components of the game, such as actions, payoffs, and types, are common knowledge among the players. In contrast, an incomplete information game is where some players do not know the payoff of the other players [32]. Game theory has been employed successfully to address various issues related to cybersecurity [33]. In this study, we also developed incomplete information games to study malicious insider behavior and obtain the best strategies to respond to insider threats.

3. Methodology

3.1. Defining the Data Defender

Two parties are involved in the proposed game-theoretic models: the malicious insider and the data defender. While the former is self-explanatory and has similar meanings in different contexts, the latter should be defined considering its roles before going into the details of the model. In the context of this paper, the defender has two primary roles: (1) access control and (2) intrusion detection. The defender is assumed to perform both roles even though they are handled by different mechanisms in a construction network. Both roles are detailed in the following subsections, together with construction-related examples and the assumptions made.

The malicious insider aims to access sensitive information, which is granted by the access control mechanism explained below in detail. The insider can then use this access to leak sensitive information, make changes, or render it unavailable. However, the malicious insider should stay as stealthy as possible while performing these actions since the IDS is also a part of the data defender, affecting the decisions of the access control system. As elaborated upon in the following sections, the IDS provides feedback to the access control system based on the activities of the insider. This collaboration of the IDS and access control system, which forms the data defender, is crucial to combat insider threats since the malicious actor authorizes access to sensitive data. Therefore, different from external threats, utilizing typical systems such as firewalls, antivirus software, and the IDS as data defenders is insufficient. Including the access control system as a part of the defender is necessary to make the decision of granting or rejecting authorized users’ requests. However, the suggested data defender can still be inadequate to combat insider threats if the malicious insider can perform its actions stealthily enough. In this case, the feedback from the IDS would be misleading.

3.1.1. Access Control

The defender’s first role is to manage data access by accepting or rejecting data access requests. Since this paper considers construction projects that utilize CDEs, access control is implemented on the data stored in a CDE. As mentioned earlier, CDEs are widely used for storing, viewing, and exchanging data due to the increasing use of BIM technologies in construction projects. The CDE utilized by the project may either be cloud-based or hosted on the in-house servers of a project. Companies from different sectors increasingly rely on cloud computing technologies for storage due to their advantages, such as no upfront cost, location flexibility for employees, and pay-as-you-go pricing models [34]. This transition also applies to the construction sector, with the increasing number of off-the-shelf cloud platforms that make cloud implementation more effortless. Some examples of cloud platforms offered by leading construction software development companies are Autodesk Construction Cloud, Graphisoft BIMcloud, and Trimble Connect.

This paper assumes the use of one of the cloud-based platforms (e.g., Autodesk Construction Cloud) offered by a construction software development company, considering their widespread use in the industry, especially by small and medium-sized enterprises (SMEs), which constitute more than 95% of construction supply chains [35]. The CDE platform selection in construction projects depends on the software packages used for various tasks, such as design authoring, clash detection, structural analysis, energy analysis, and reality capture. The platform developed by the software company commonly used in the project is prioritized for improved interoperability. This paper assumes a generic cloud platform without selecting a specific one.

The access control mechanism of the cloud platform that handles accepting and rejecting data access requests is considered a part of the data defender in this paper. There are three major access control models widely used in computer systems: role-based access control (RBAC) (i.e., non-discretionary access control), mandatory access control (MAC), and discretionary access control (DAC) [36]. In this paper, RBAC is assumed to be implemented in the cloud platform with the least privilege design principle in mind, similar to Autodesk Construction Cloud [37]. Therefore, individual users and user groups are given privileges based on their roles in the project. The BIM manager of the project is assumed to function as the administrator of the cloud platform, responsible for assigning roles and defining privileges for each role. It should be noted that assigning roles is not a one-time task but rather an ongoing process in a typical construction project due to the changing roles and new employees joining the project.

3.1.2. Intrusion Detection

The second role of the data defender is to detect potential intrusions and cyberattacks. Consequently, the IDS is also considered a part of the defender in this paper. The role of the IDS is crucial for the game-theoretic model presented in this study, as the data defender is assumed to make data access decisions while experiencing cyberattacks in specific instances. Therefore, the first role of the defender is contingent on the intrusion detection role. This paper does not make any assumptions regarding the type of IDS, such as signature-based (knowledge-based) or anomaly-based (behavior-based), as the technical aspects of the IDS fall beyond the scope of this paper.

As mentioned earlier, an external cloud platform is assumed to be utilized as the CDE. However, the IDS can only be implemented on the internal network of the project. Hence, it is assumed that the cloud platform used as the CDE accepts input from the IDS, allowing the IDS to dictate the decisions of the access control mechanism. This interaction between the access control mechanism and the IDS is presented in detail in the following sections of this paper. Lastly, it is assumed that being connected to the project network is necessary to access the CDE to effectively achieve IDS–access control collaboration. The stakeholders within the project perimeter can connect to the network through a wireless access point (WAP) or wired connection. On the other hand, a virtual private network (VPN) is mandatory to connect to the project network for stakeholders outside the project area.

3.2. Simultaneous Move Game Model

Insider threats are difficult to deal with in comparison to external threats due to the privilege that insiders have. An insider is motivated to compromise data for different purposes (e.g., financial gain, espionage). A malicious insider can achieve this activity by using his/her privilege through authentication to gain access to the data. This is termed as the misuse of access [38]. In this case, however, there is a probability that the malicious act and his/her identity are discovered because all the detailed information of the insider who has accessed the data is revealed to the data defender during the authentication process. As a result, the malicious insider can face a heavy penalty (cost) if his/her activity and identity are revealed. Thus, to prevent his/her identity and malicious activity from being known, the insider can make use of a cyberattack technique such as defense bypass [38] (e.g., SQL injection attack [39]) to access the data. We assume that the probability of exposing the malicious activity and insider’s identity under authentication (misuse of data) is greater than that of malicious action/identity being discovered under cyberattack. However, launching a cyberattack to obtain the data is costly compared to a misuse of access attack through an authentication process.

Therefore, there are two schemes for a malicious insider to implement this activity: gain access to the data through authentication or a cyberattack. An insider can exploit his/her privilege to obtain important information, such as vulnerabilities of the computing facilities (e.g., cloud computing used to host the CDE), by scanning, reconnaissance, or infiltration. The data defender believes that there is a malicious insider in the project team with a positive probability. This shows that releasing data to authorized insiders whenever a data access request is made can cause data compromise (e.g., tampering, theft, leakage).

Therefore, when an insider (whose type can be legitimate or malicious) sends a data access request, the data defender is faced with a situation as to whether to accept the request and release the data or reject the request and not release the data. As a result, the following two cases arise:

• If the data are released to an insider who happens to be malicious, the data will be misused (e.g., trading them for financial purposes, sending them to the enemy) by the malicious insider.
• On the other hand, if the data request is rejected, there is a probability of rejecting a legitimate insider request. Though the data are protected in this situation, the project team would be unable to achieve the expected outcome/goal in the project work due to the information (data) necessary for the project being withheld. That is, the workflow will be interrupted, for example, during the design phase.

Thus, considering the above scenario, the questions that need to be addressed are as follows: What will be the best strategies for the defender to protect the data in the scenario of incomplete information about an insider who can act as legitimate or malicious? How likely is it that an attack is being carried out by an insider of the project team or, equivalently, how secure are the data stored in the database of the CDE/BIM? To address this problem, we formulated an incomplete information game model to capture the interactions between an insider (legitimate or malicious) and the defender. The analysis of the proposed model will give us insights into how an insider in the project would behave as the game solutions predict the behavior of an insider and the best decisions for the defender.

Now, we consider the interactions between insiders (stakeholders) of a construction project and the data defender who defends data stored in a CDE. In this model, an insider sends a data access request to the defender. The defender is not certain about whether the request comes from a legitimate or malicious insider. To capture the interactions, we propose a simultaneous move incomplete information game model in this section and solve the game model to perceive the behavior of the insiders and know how to respond to malicious insider threats. For this, we define the notations and terminologies that are used in the proposed game model (which is denoted as $\mathsf{\Gamma }$) as follows: $R_{\mathrm{aut} }$ (request data access through authentication), $R_{cyb}$ (request data access through cyberattack), $D_{\mathrm{accept} }$ (accept data access request and release data), $D_{\mathrm{reject} }$ (reject data access request and do not release data), and $C_{cyb}\in$ $\left(\mathrm{0,1}\right)$ (cost of cyberattack). The action sets of an insider and the defender can be written as ${\mathcal{A}}_I=\left\{R_{\mathrm{aut} },R_{\mathrm{cyb} }\right\},{\mathcal{A}}_d=\left\{D_{\mathrm{accept} },D_{\mathrm{reject} }\right\}$. Also, the type set of insiders $\mathsf{\Omega }=\{$ malicious $\left(\mathrm{M}\right)$, legitimate $\left(\mathrm{L}\right)\}$. The pure strategy set of an insider is given by $S_I=\left\{R_{aut}^M{R}_{aut}^L,R_{cyb}^M{R}_{aut}^L\right\}$, where $R_{cyb}^M{R}_{aut}^L$ is the strategy with which the insider would launch a cyberattack if he/she is malicious (M). On the other hand, if he/she is legitimate (L), he/she would take the authentication process to access the data. Similarly, the other strategy, $R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L$, can be defined. In addition, the pure strategy set of the defender is given by $S_D=\left\{D_{\mathrm{accept} },D_{\mathrm{reject} }\right\}$. That is, the defender can respond to the data access request by either accepting or rejecting it.

Nature’s probability distribution on insider’s type space is given by $\mathsf{\Phi }:\mathsf{\Omega }\mapsto \left[\mathrm{0,1}\right]$, such that $\mathsf{\Phi }\left(M\right)=\delta$ and $\mathsf{\Phi }\left(L\right)=1-\delta$. That is, the probability that an insider is malicious is $\delta$, whereas the insider is legitimate with a probability of $1-\delta$. This is common knowledge among the two players—the insider and the defender. Let $\beta \in$ $\left(\mathrm{0,1}\right)$ denote the payoff assigned to a malicious insider and $\omega \in \left(\mathrm{0,1}\right)$ denote the payoff to the defender due to the discovery of a malicious insider identity or the protection of data (and $-\omega$ reflects the loss as a result of data compromise or not detecting a malicious insider identity). In the case of identity detection, for example, the defender can improve the data security by removing the malicious insider from the project team. Furthermore, $p_1$ is used to denote the probability that the identity of the malicious insider and his/her activity are discovered in the case of proper authentication. Let $V_i(a,b\mid \theta ),i=\mathrm{1,2}$, denote the payoffs of player $i\in \mathcal{N}=\{1$ (insider), 2 (defender) $\}$ corresponding to an action profile $(a,b)\in \mathcal{A}={\mathcal{A}}_I\times {\mathcal{A}}_d$ and an insider of type $\theta \in \mathsf{\Omega }$, i.e., $V_i:\mathcal{A}\times \mathsf{\Omega }\mapsto \mathbb{R}$.

The extensive form of the game model is shown in Figure 2. In the payoffs of Figure 2, the subscript $a$ is used to represent authentication or accept as the case may be and $r$ is used to represent reject. $i_0,i_1,\dots ,i_5$ are used to denote different nodes of the game tree. The dotted oval denotes the information set of the defender. Furthermore, notations and their meanings used in the proposed models are given in

Table A1. Notations and their meanings.

Notation	Meaning
$R_{\mathrm{aut} }$	Request through authentication
$R_{cyb}$	Request through cyberattack
$D_{\mathrm{accept} }$	Accept data access request and release data
$D_{\mathrm{reject} }$	Reject data access request and do not release data
$C_{cyb}$	Cost of cyberattack
${\mathcal{H}}_1$	Action set of an insider
${\mathcal{H}}_d$	Action set of the defender
$\mathsf{\Omega }$	Type set of an insider
$S_1$	Pure strategy set of an insider in the simultaneous move gamemodel
$S_D$	Pure strategy set of the defender in the simultaneous move gamemodel
$S_1^{\mathrm{\prime }}$	Pure strategy set of an insider in the sequential move game model
$\omega$	Payoff due to discovery of malicious insider identity or dataprotection
$\beta$	Payoff corresponding to compromising data
${\mathrm{P}}_1$	Probability that malicious insider who uses authentication isdiscovered
${\mathrm{P}}_2$	Probability that malicious insider who launches a cyberattack isdiscovered
$V_i(a,b\mid \theta )$	Player i’s payoff corresponding to profile (a, b) and insider type θ
$\mathcal{N}$	Set of players in the game
$\mathcal{H}$	Strategy space
$\mathbb{R}$	Set of real numbers
${\mathbb{R}}_{++}$	Set of positive real numbers
$\mathrm{N}$	Nature that can be considered as a non-strategic player
$\mathrm{M}$	Malicious type
L	Legitimate type
$\delta$	Probability that an insider is malicious
$1-\delta$	Probability that an insider is legitimate
$U_i\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)$	Player i’ s expected payoff corresponding to strategy profile $\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)$ in the simultaneous move game
$U_i^{\mathrm{\prime }}\left(R_{\mathrm{cyb} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{\mathrm{cyb} }\right)$	Player i’ s expected payoff corresponding to strategy profile $\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{\mathrm{cyb} }\right)$ in the sequential move game
$S_i^{\mathrm{\prime }}$	$\mathrm{Strategy} \mathrm{space} \mathrm{of} \mathrm{player} \mathrm{i}$ in the sequential move game model
$\mathsf{\Gamma }$	Proposed simultaneous move game model
${\mathsf{\Gamma }}_1$	Extended simultaneous move game model
${\mathsf{\Gamma }}_2$	Proposed sequential move game model
BNE	Bayesian Nash Equilibrium
PBE	Perfect Bayesian Nash Equilibrium

in Appendix D.

3.2.1. Payoff Functions

Now, we describe the payoff functions of the game model. Consider a strategy profile $\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\right)$ for $i\in \mathcal{N}$ given an insider is of legitimate type $L$. In this case, a legitimate insider sends a data access request and the defender accepts it. As a result, both the insider and the defender receive a certain payoff whose value is normalized to 1, i.e., $V_i\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)=1$, whereas a legitimate insider and the defender receive payoff zero if the access request is rejected, i.e., $V_i\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)=0$, $i\in \mathcal{N}$. In the case of a malicious insider, if the data access request is accepted, the insider receives payoff $\beta$ with probability $\left(1-p_1\right)$, and this is represented as $V_1\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)=\left(1-p_1\right)\beta$. On the other hand, the defender receives payoff $-\omega$ with probability $\left(1-p_1\right)$ and, therefore, $V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)=\left(1-p_1\right)(-\omega )$. In addition, if a malicious insider sends a data request and the request is rejected, both the insider and the defender receive payoff 0, i.e., $V_1\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)=0$ and $V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)=0$. However, if a malicious insider launches a cyberattack to access the data and the data are released, the insider receives payoff $\beta$ at the cost of the cyberattack $C_{cyb}\in \left(\mathrm{0,1}\right)$, i.e., $V_1\left(R_{cyb},D_{\mathrm{accept} }\mid M\right)=\beta -C_{cyb}$, whereas the defender receives $-\omega$, i.e., $V_2\left(R_{\mathrm{cyb} },D_{\mathrm{accept} }\mid M\right)=-\omega$. Furthermore, a malicious insider who sends a data access request through a cyberattack receives $-C_{cyb}$ if the request is rejected and the defender also receives payoff zero, i.e., $V_1\left(R_{cyb},D_{\mathrm{reject} }\mid M\right)=-C_{cyb}$ and $V_2\left(R_{cyb},D_{\mathrm{reject} }\mid M\right)=0$.

Thus, we can express the expected payoff function of $i\in \mathcal{N}$, which is given by $U_i:S_I\times$ $S_D\mapsto \mathbb{R}$, where $U_1\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)=\delta V_1\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)+(1-\delta )V_1\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)=$ $\delta \left[\left(1-p_1\right)\beta \right]+(1-\delta )$. In addition, $U_2\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)=\delta V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)+(1-$ $\delta )V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)=\delta \left[\left(1-p_1\right)(-\omega )\right]+(1-\delta )$.

Similarly, the other expected payoffs corresponding to different strategy profiles can be expressed as $U_1\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }\right)=0,U_2\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }\right)=0,U_1\left(R_{\mathrm{cyb} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)=$ $\delta \left[\beta -C_{cyb}\right]+(1-\delta ),U_2\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }\right)=\delta \left[\right(-\omega \left)\right]+(1-\delta ),U_1\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }\right)=$ $\delta \left(-C_{cyb}\right)$ and $U_2\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }\right)=0$.

3.2.2. Solution of the Game: Bayesian Nash Equilibrium (BNE)

Let $x_1={\displaystyle \frac{1}{1+\omega \left(1-p_1\right)}}$ and $y_1={\displaystyle \frac{1}{1+\omega }}$. Then, we solve the game model and present the solution in the following proposition.

Proposition 1.

(i) If $C_{cyb}<\beta p_1$, then

$$BNE(\Gamma )=\left\{\begin{array}{ll} \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{cyb}^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }\right)& \mathit{if} 0<\delta <y_1\\ \mathit{Mixed} \mathit{strategy} \left({\lambda }^{\ast },1-{\lambda }^{\ast }\right) \mathit{and} \left({\eta }^{\ast },1-{\eta }^{\ast }\right)& \mathit{if} y_1<\delta <x_1\\ \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{reject} }\right)& \mathit{if} x_1<\delta <1\end{array}\right.$$

(1)

Here, ${\eta }^{\mathrm{*}}$ and ${\lambda }^{\mathrm{*}}$ are given by Equation (A1) and Equation (A2), respectively, in Appendix A.

(ii) If $C_{cyb}>\beta p_1$, then

$$BNE(\Gamma )=\left\{\begin{array}{ll} \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }\right)& \mathit{if} 0<\delta <x_1\\ \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{reject} }\right)& \mathit{if} x_1<\delta <1\end{array}\right.$$

(2)

Proof. 

See Appendix A. □

The results of Proposition 1 provide insights into the optimal strategies of insiders (malicious or legitimate) and defenders based on the probability $\delta$ of an insider being malicious. The solutions are categorized based on the relationship between the cost of a cyberattack $C_{cyb}$ and the benefit of the attack $\beta p_1$.

When $C_{cyb}<\beta p_1$,

• If $0<\delta <y_1$, the unique pure strategy equilibrium suggests that malicious insiders opt for cyberattacks $\left(R_{cyb}^M\right)$, while legitimate insiders choose authentication $\left(R_{aut}^L\right)$. The defender, in response, accepts the data access request $\left(D_{\mathrm{accept} }\right)$.
• If $y_1<\delta <x_1$, a mixed strategy equilibrium emerges, with malicious insiders alternating between cyberattacks and authentication (${\lambda }^{\mathrm{*}}$ and $1-$ ${\lambda }^{\mathrm{*}}$) and legitimate insiders also using authentication with probability ${\lambda }^{\mathrm{*}}$. The defender adapts probabilistically.
• If $x_1<\delta <1$, both malicious and legitimate insiders choose authentication $\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L\right)$ but the defender rejects the access request $\left(D_{\mathrm{reject}}\right)$.

This scenario illustrates the increasing cautiousness of the defender as the probability of an insider being malicious $\left(\delta \right)$ rises. For lower values of $\delta$, the defender prefers to grant access, balancing potential risks. For intermediate values, the strategies diversify, reflecting uncertainty. For high $\delta$, a strict rejection policy dominates, protecting sensitive data.

When $C_{cyb}>\beta p_1$,

• If $0<\delta <x_1$, the unique pure strategy equilibrium involves all insiders choosing authentication ($\left.R_{aut}^M,R_{aut}^L\right)$, and the defender grants access $\left(D_{\mathrm{accept}}\right)$.
• If $x_1<\delta <1$, the strategy shifts, with all insiders continuing to authenticate, but the defender now rejects access ($D_{\mathrm{reject} }$).

Higher costs of launching a cyberattack discourage malicious insiders from pursuing such strategies. The defender’s responses align with the increasing probability of malicious intent, transitioning from acceptance to rejection as $\delta$ grows.

The results demonstrate how the interplay between attack cost, benefit, and malicious probability ($\delta$) governs the strategic behavior of both insiders and the defender.

3.2.3. Extended Simultaneous Move Game Model

In the previous game model, the probability that a malicious insider who launches a cyberattack is detected is not considered. Therefore, the game model is insufficient to capture the behavior of malicious insiders who can carry out a cyberattack to gain data access. Hence, we consider this aspect and discuss the extended model (denoted by ${\mathsf{\Gamma }}_1$) by incorporating this probability. To this end, let $p_2$ denote the probability that the identity of the malicious insider and his/her activity are discovered and assume that $p_1>p_2$. Recall that $\beta$ is the payoff (or gain) to the attacker due to the data compromised and $-\beta$ measures the intensity of penalty to the attacker if detected, i.e., the higher the value of $\beta$, the greater the severity of the penalty, and $\omega \in \left(\mathrm{0,1}\right)$ is the payoff to the defender due to the discovery of a malicious insider identity or the protection of data. Additionally, $-\omega$ measures the loss due to data compromise or failure to discover the malicious insider identity. Furthermore, corresponding to the proper/smooth functioning of the project work, payoff 1 is assigned. In contrast, penalty 0 is assigned to both the legitimate insider and the defender for rejecting a legitimate data access request. In this case, the data are withheld, causing inefficiency in the project work.

Now, suppose that an insider of the legitimate type sends a data access request to the data defender. This request is responded to by the defender using accept $\left(D_{\mathrm{accept} }\right)$. Therefore, the corresponding payoff functions can be written as $V_i\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)=$ $1,i\in \mathcal{N}$. On the other hand, rejecting the request results in the payoff function $V_i\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)=0,i\in \mathcal{N}$.

Consider that a malicious insider sends a data access request through authentication, and this is accepted by the defender; the payoff of the malicious insider can be written as $V_1\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)=p_1(-\beta )+\left(1-p_1\right)\beta$. On the other hand, if the request is accepted, the payoff to the defender is given by $V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)=p_1\omega +\left(1-p_1\right)(-\omega )$. Also, consider that a malicious insider sends a data request through authentication and the request is rejected by the defender. In this case, both the malicious insider and the defender receive the payoff 0. Therefore, the insider’s payoff function is given by $V_i\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)=0,i\in \mathcal{N}$.

Furthermore, if an insider makes a data access request through a cyberattack and the request is accepted, then the corresponding payoff functions can be written as $V_1\left(R_{cyb},D_{\mathrm{accept} }\mid M\right)=p_2(-\beta )+\left(1-p_2\right)\beta -C_{cyb}$. Moreover, as for the defender, the payoff function is $V_2\left(R_{\mathrm{cyb} },D_{\mathrm{accept} }\mid M\right)=p_2\left(\omega \right)+\left(1-p_2\right)(-\omega )$. Also, when the malicious insider request is rejected by the defender, we have $V_1\left(R_{cyb},D_{\mathrm{reject} }\mid M\right)=-C_{cyb}$ and $V_2\left(R_{\mathrm{cyb} },D_{\mathrm{reject} }\mid M\right)=0$.

Thus, we can write the expected payoff function of $i\in \mathcal{N},U_i:S_I\times S_D\mapsto \mathbb{R}$, where

$$\begin{array}{l}{U}_1\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept}}\right)=\delta V_1\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid M\right)+(1-\delta )V_1\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid L\right). \\ \mathit{or} U_1\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept}}\right)=\delta \left[p_1(-\beta )+\left(1-p_1\right)\beta \right]+(1-\delta ).\end{array}$$

Also, $U_2\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept}}\right)=\delta V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)+(1-\delta )V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)$ or $U_2\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept}}\right)=\delta \left[p_1\omega +\left(1-p_1\right)(-\omega )\right]+(1-\delta )$. The expected payoff functions corresponding to the other strategy profiles can be obtained similarly.

3.2.4. Solution of the Extended Simultaneous Move Game Model

Let $x^{\mathrm{*}}={\displaystyle \frac{1}{1+\omega \left(1-2p_1\right)}}$ and $y^{\mathrm{*}}={\displaystyle \frac{1}{1+\omega \left(1-2p_2\right)}}$. We have the following proposition:

Proposition 2.

(i) If $C_{cyb}<2\beta \left(p_1-p_2\right)$, then

$$BNE\left({\Gamma }_1\right)=\left\{\begin{array}{ll} \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{cyb}^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }\right)& \mathit{if} 0<\delta <y^{\ast }\\ \mathit{Mixed} \mathit{strategy} \left({\lambda }_1^{\ast },1-{\lambda }_1^{\ast }\right) \mathit{and} \left({\eta }_1^{\ast },1-{\eta }_1^{\ast }\right)& \mathit{if} y^{\ast }<\delta <x^{\ast }\\ \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{aut}^M{R}_{\mathit{aut} }^L,D_{\mathit{reject} }\right)& \mathrm{if} x^{\ast }<\delta <1\end{array}\right.$$

(3)

The mixed strategies ${\eta }_1^{\mathrm{*}}$ and ${\lambda }_1^{\mathrm{*}}$ are given by Equation (A13) and Equation (A16), respectively, in Appendix B.

(ii) If $C_{cyb}>2\beta \left(p_1-p_2\right)$, then

$$BNE\left({\Gamma }_1\right)=\left\{\begin{array}{ll} \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }\right)& \mathit{if} 0<\delta <x^{\ast }\\ \mathit{Unique} \mathit{pure} \mathit{strategy} \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{reject} }\right)& \mathit{if} x^{\ast }<\delta <1\end{array}\right.$$

(4)

Proof. 

See Appendix B. □

The results of Proposition 2 extend the analysis by considering two probability parameters, $p_1$ and $p_2$, representing the likelihoods of malicious behavior by insiders under different conditions. The equilibrium strategies are influenced by the relationship between the cost of a cyberattack $\left(C_{cyb}\right)$ and the threshold value $2\beta \left(p_1-p_2\right)$.

When $C_{cyb}<2\beta \left(p_1-p_2\right)$,

• If $0<\delta <y^{\mathrm{*}}$, the unique pure strategy equilibrium indicates that malicious insiders launch cyberattacks $\left(R_{cyb}^M\right)$, legitimate insiders authenticate $\left(R_{\mathrm{aut} }^L\right)$, and the defender accepts the access request $\left(D_{\mathrm{accept}}\right)$.
• If $y^{\mathrm{*}}<\delta <x^{\mathrm{*}}$, t mixed strategy equilibrium arises, with malicious insiders mixing between cyberattacks and authentication strategies $\left({\lambda }_1^{\mathrm{*}}\right.$ and $1-{\lambda }_1^{\mathrm{*}}$) and legitimate insiders also adopting a probabilistic authentication strategy $\left({\eta }_1^{\mathrm{*}}\right.$ and $\left.1-{\eta }_1^{\mathrm{*}}\right)$. The defender adjusts probabilistically.
• If $x^{\mathrm{*}}<\delta <1$, both malicious and legitimate insiders select authentication $\left(R_{aut}^M,R_{aut}^L\right)$ but the defender rejects the access request $\left(D_{\mathrm{reject}}\right)$.

For $C_{cyb}<2\beta \left(p_1-p_2\right)$, the defender’s strategies shift dynamically as $\delta$ (the probability of a malicious insider) increases:

• At low $\delta$, the defender is inclined to accept requests, reflecting a trust-oriented strategy when the malicious probability is low.
• For intermediate $\delta$, mixed strategies dominate, reflecting the defender’s uncertainty and the malicious insider’s strategic adaptation.
• At high $\delta$, rejection becomes the optimal strategy to mitigate the risk posed by potentially malicious insiders.

When $C_{cyb}>2\beta \left(p_1-p_2\right)$,

• If $0<\delta <x^{\mathrm{*}}$, the unique pure strategy equilibrium involves all insiders selecting authentication $\left(R_{aut}^M,R_{aut}^L\right)$ and the defender accepts the request $\left(D_{\mathrm{accept} }\right)$.
• If $x^{\mathrm{*}}<\delta <1$, the strategy shifts, with all insiders continuing to authenticate, but the defender rejects the access request ($D_{\mathrm{reject} }$).

Higher costs of launching a cyberattack ($C_{cyb}$) discourage malicious insiders from attacking, leading to more consistent behavior. The defender’s response aligns with the increasing probability of malicious insiders, transitioning from acceptance to rejection as $\delta$ grows.

The results illustrate how the interplay between attack cost, insider probabilities, and the likelihood parameters $p_1$ and $p_2$ governs the strategic behavior of insiders and defenders. These findings provide a theoretical foundation for designing adaptive defense mechanisms that respond to varying insider threat scenarios.

3.3. Sequential Move Game Model

In the previous section, we considered a simultaneous move game model in which each of the players takes an action simultaneously without knowing the actions taken by the other player. In this section, we consider the attack dynamics where an insider makes a data access request, which is observed by a data defender who has prior beliefs about the insider and responds to the request based on the updated beliefs of the insider type.

Let us recall that a malicious insider can request data access in two ways: (i) authentication (misuse of privilege) and (ii) cyberattack, such as defense bypass, to evade detection from the IDS [38]. When an insider makes a data request through authentication, the defender observes this activity. Although the defender perceives that the request is made using an authentication, he/she has prior beliefs that the access request comes from a malicious insider with probability $\delta$. Hence, for the defender, accepting a request that comes from authentication is not always optimal. Moreover, when an insider tries to gain access to data through a cyberattack, another challenging decision problem faced by the defender would be whether it is always optimal to reject the suspicious request. This might not always be optimal because a malicious insider’s identity cannot be discovered by rejecting the access request, thereby providing him/her with another opportunity to launch attacks in the future. In fact, accepting a suspicious request at the cost of data security can lead to the detection of malicious activity as well as the discovery of a malicious insider’s identity. As a result, the project team can get rid of the malicious insider to enhance data security. However, at the same time, accepting a suspicious request is not always optimal, as there is a probability that the malicious insider identity might not be discovered at all. Thus, we develop a sequential move Bayesian game model (which is denoted as ${\mathsf{\Gamma }}_2$) to capture this scenario and predict a malicious insider’s behavior as well as the best strategies to respond to the attack.

We assume that the defender employs an IDS to monitor access requests. When an insider (legitimate/malicious) makes a data access request through authentication, no alarm is triggered by the IDS for the request since the necessary authentication process is performed by the insider. However, when a malicious insider makes a data access request utilizing a cyberattack to gain access to data, an alarm is triggered by the IDS. The extensive form of the game model is shown in Figure 3. Note that in the sequential game model, the defender has two information sets denoted by a dotted oval. In contrast, in the simultaneous move game model, the defender has only one information set (see Figure 2).

Now, the strategy sets of an insider and defender can be written as

$$\begin{array}{l}{S}_I^{\prime }=\left\{R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,R_{\mathit{cyb} }^M{R}_{\mathit{aut} }^L\right\}.\\ S_D^{\prime }=\left\{D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{\mathit{cyb} },D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb},D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb},D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\right\}.\end{array}$$

The meaning of elements in $S_I^{\mathrm{\prime }}$ can be interpreted as in the case of the elements of $S_1$ of the simultaneous move game model. The elements of $S_D^{\mathrm{\prime }}$, however, have different interpretations. That is, $D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}$ denotes the defender’s strategy, in which the defender accepts the data request if he/she observes that it comes from an authentication process, whereas he/she rejects the access request if it comes through a cyberattack. The other strategies can be interpreted similarly.

Thus, the payoff matrix of the game model can be written as

$$R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L{R}_{\mathit{cyb} }^M{R}_{\mathit{aut} }^L\left[\begin{array}{cccc}{D}_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}& D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}& D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}& D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\\ \left(x_{11},y_{11}\right)& \left(x_{12},y_{12}\right)& \left(x_{13},y_{13}\right)& \left(x_{14},y_{14}\right)\\ \left(x_{21},y_{21}\right)& \left(x_{22},y_{22}\right)& \left(x_{23},y_{23}\right)& \left(x_{24},y_{24}\right)\end{array}\right]$$

Here, $x_{11}=U_1^{\mathrm{\prime }}\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{accept} }^{cyb}\right)$ and $y_{11}=U_2^{\mathrm{\prime }}\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{accept} }^{cyb}\right)$. Similarly, the other $x_{ij}$ and $y_{ij} \mathrm{s}$ have their corresponding values. The $x_{ij}$ and $y_{ij} \mathrm{s}$ can be expressed as

$$\begin{array}{c}{x}_{11}=U_1^{\prime }\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}\right)=\delta V_1\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid M\right)+(1-\delta )V_1\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid L\right).\\ y_{11}=U_2^{\prime }\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}\right)=\delta V_2\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid M\right)+(1-\delta )V_2\left(R_{\mathit{aut} },D_{\mathit{accept} }\mid L\right).\end{array}$$

Similarly, we can write the expressions for the other payoffs.

3.3.1. Solution of the Sequential Move Game Model

Let $x^{\mathrm{*}}={\displaystyle \frac{1}{1+\omega \left(1-2p_1\right)}}$. Then, we have the following proposition:

Proposition 3.

When $p_2<{\displaystyle \frac{1}{2}}$,

(i) If $\delta <x^{\mathrm{*}}$

$$BNE\left({\Gamma }_2\right)=\left\{\begin{array}{ll}\left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\right)& \mathit{if} C_{cyb}>\beta \left(2p_1-1\right)\\ \left(R_{\mathit{cyb} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\right)& \mathit{if} C_{cyb}<\beta \left(2p_1-1\right)\end{array}\right.$$

(5)

(ii) If $\delta >x^{\mathrm{*}}$,

$$BNE\left({\Gamma }_2\right)=\left\{\begin{array}{ll} \mathit{No} \mathit{equilibria} & \mathit{if} C_{cyb}<\beta \left(2p_1-1\right)\\ \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{reject} }^{\mathit{aut} }{D}_{\mathit{reject} }^{cyb}\right)& \mathit{if} C_{cyb}>\beta \left(2p_1-1\right)\end{array}\right.$$

(6)

Proof. 

See Appendix C. □

Proposition 4.

When $p_2>{\displaystyle \frac{1}{2}}$,

(i) If $\delta <x^{\mathrm{*}}$, then

$$BNE\left({\Gamma }_2\right)=\left\{\begin{array}{ll}\left(R_{\mathit{cyb} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{aut}{D}_{\mathit{accept} }^{cyb}\right)& \mathit{if} C_{cyb}<2\beta \left(p_1-p_2\right)\\ \left(R_{\mathit{aut} }^M{R}_{\mathit{aut} }^L,D_{\mathit{accept} }^{\mathit{aut} }{D}_{\mathit{accept} }^{cyb}\right)& \mathit{if} C_{cyb}>2\beta \left(p_1-p_2\right)\end{array}\right.$$

(7)

(ii) If $\delta >x^{\mathrm{*}}$, then

$$BNE\left({\Gamma }_2\right)=\left\{ \mathit{No} \mathit{equilibria} \mathit{for} C_{cyb}\in \left(\mathrm{0,1}\right)\right.$$

(8)

Proof. 

See Appendix D. □

BNE of the sequential move game can be represented by a flowchart based on Propositions 3 and 4, as shown in Figure 4.

Propositions 3 and 4 provide insights into optimal strategies under different conditions for $p_1$, $p_2,\delta$, and $C_{cyb}$. Here, $p_1$ represents the probability that a malicious insider launching authentication $\left(R_{aut}^M\right)$ to commit malicious acts is detected, while $p_2$ represents the probability that a malicious insider launching a cyberattack $\left(R_{cyb}^M\right)$ is detected. When the probability that a malicious insider using a cyberattack is detected is smaller than ${\displaystyle \frac{1}{2}}$, i.e., $p_2<{\displaystyle \frac{1}{2}}$, two cases arise:

Case (i): $\delta <x^{\mathrm{*}}$ (i.e., the probability that an insider is malicious is less than the value $x^{\mathrm{*}}$).

If $C_{cyb}>\beta \left(2p_1-1\right)$,

• Insider Strategy: Both malicious and legitimate insiders choose authentication $\left(R_{aut}^M{R}_{aut}^L\right)$.
• Defender Strategy: The defender accepts authentication requests ($D_{\mathrm{accept} }^{aut}$) but rejects cyberattacks $\left(D_{\mathrm{reject} }^{cyb}\right)$.

If $C_{cyb}<\beta \left(2p_1-1\right)$,

• Insider Strategy: Malicious insiders choose cyberattack and legitimate insiders choose authentication $\left(R_{cyb}^M{R}_{aut}^L\right)$.
• Defender Strategy: The defender accepts authentication requests $\left(D_{\mathrm{accept} }^{\mathrm{aut} }\right)$ but rejects cyberattacks $\left(D_{\mathrm{reject} }^{cyb}\right)$.

Case (ii): $\delta >x^{\mathrm{*}}$ (i.e., the probability that an insider is malicious is greater than $x^{\mathrm{*}}$).

If $C_{cyb}<\beta \left(2p_1-1\right)$,

• Outcome: No equilibrium exists because the defender cannot effectively balance the cost of rejecting requests and the risk of allowing malicious activity.

If $C_{cyb}>\beta \left(2p_1-1\right)$,

• Insider Strategy: Both malicious and legitimate insiders choose authentication ($R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L$).
• Defender Strategy: The defender rejects both authentication requests and cyberattacks $\left(D_{\mathrm{reject} }^{aut}{D}_{\mathrm{reject} }^{cyb}\right)$.

For $p_2<{\displaystyle \frac{1}{2}}$, the defender’s strategy depends on the cost of the cyberattack $\left(C_{cyb}\right)$ and the probability of discovering a malicious insider. At lower values of $\delta$, when the probability of malicious insiders is low, the defender is more likely to accept authentication requests while rejecting cyberattacks. At higher $\delta$, the defender increasingly rejects all requests to safeguard sensitive data.

In addition, when the probability that a malicious insider using a cyberattack is detected is greater than ${\displaystyle \frac{1}{2}}, i.e.,$ $p_2>{\displaystyle \frac{1}{2}}$, two cases arise:

Case (i): $\delta <x^{\mathrm{*}}$ (i.e., the probability that an insider is malicious is less than $x^{\mathrm{*}}$).

If $C_{cyb}<2\beta \left(p_1-p_2\right)$,

• Insider Strategy: Malicious insiders choose cyberattack and legitimate insiders choose authentication $\left(R_{cyb}^M{R}_{aut}^L\right)$.
• Defender Strategy: The defender accepts all requests $\left(D_{\mathrm{accept} }^{aut}{D}_{\mathrm{accept} }^{cyb}\right)$.

If $C_{cyb}>2\beta \left(p_1-p_2\right)$,

• Insider Strategy: Both malicious and legitimate insiders choose authentication ($R_{aut}^M{R}_{\mathrm{aut} }^L$).
• Defender Strategy: The defender accepts all requests $\left(D_{\mathrm{accept} }^{aut}{D}_{\mathrm{accept} }^{cyb}\right)$.

Case (ii): $\delta >x^{\mathrm{*}}$ (i.e., the probability that an insider is malicious is greater than $x^{\mathrm{*}}$).

For $C_{cyb}\in \left(\mathrm{0,1}\right)$,

• Outcome: No equilibrium exists because the defender cannot formulate a consistent response strategy for high $\delta$.

For $p_2>{\displaystyle \frac{1}{2}} ,$ the defender’s acceptance of cyberattacks increases because the high likelihood of detecting malicious insiders diminishes the risks associated with granting access. However, when $\delta$ is high, the absence of equilibria underscores the challenges of managing insider threats under uncertain conditions.

These findings provide actionable insights for dynamically adjusting defense strategies based on observed actions and varying probabilities of insider behavior. The results demonstrate that sequential-move games introduce strategic complexity, where the defender must adapt to observed insider actions. The balance between the acceptance and rejection of requests is influenced by factors such as the cost of cyberattacks, the likelihood of detecting malicious insiders, and the probability of malicious behavior.

3.3.2. Perfect Bayesian Nash Equilibrium (PBE)

Sometimes, players are not sequentially rational in their behavior in the BNE strategies. Therefore, we explore the players’ behavior in the game model to determine whether their behavior predicted by the equilibrium solutions is consistent. If it is consistent, the strategy is called perfect Bayesian Nash equilibrium (PBE).

(i) Now, we verify that the BNEs given by Equation (5) are the PBEs.

Let $\mu \left(i_3\mid R_{\mathrm{aut} }\right)$ and $\mu \left(i_4\mid R_{\mathrm{aut} }\right)$ denote the posterior beliefs that an insider is legitimate (L) and malicious (M), respectively, given that the insider takes action $R_{\mathrm{aut} }$. In addition, let $\mu \left(i_5\mid R_{cyb}\right)$ denote the posterior belief that an insider is malicious (M), conditional on the insider choosing action $R_{cyb}$.

The posterior belief is updated based on the Bayes’ rule:

$$\begin{array}{l}\mu \left(i_3\mid R_{\mathrm{aut} }\right)={\displaystyle \frac{P\left( \mathrm{Insider} \mathrm{is} \mathrm{legitimate} \mathrm{and} \mathrm{chooses} R_{\mathrm{aut} }\right)}{P\left( \mathrm{Insider} \mathrm{is} \mathrm{legitimate} \mathrm{and} \mathrm{chooses} R_{\mathrm{aut} }\right)+P\left( \mathrm{Insider} \mathrm{is} \mathrm{malicious} \mathrm{and} \mathrm{chooses} R_{\mathrm{aut} }\right)}}\\ \mathrm{or} \mu \left(i_3\mid R_{\mathrm{aut} }\right)={\displaystyle \frac{(1-\delta ){\varphi }_L}{(1-\delta ){\varphi }_L+\delta {\varphi }_M}},\\ \mathrm{where} {\varphi }_L=P\left( \mathrm{Insider} \mathrm{chooses} R_{\mathrm{aut} }\mid \mathrm{Insider} \mathrm{is} \mathrm{legitimate} \left(\mathrm{L}\right)\right) \mathrm{and} \\ {\varphi }_M=P\left( \mathrm{Insider} \mathrm{chooses} R_{\mathrm{aut} }\mid \mathrm{Insider} \mathrm{is} \mathrm{malicious} \left(\mathrm{M}\right)\right). \mathrm{Note} \mathrm{that} {\varphi }_L=1. \end{array}$$

Thus, we can write the other posterior beliefs as below:

$$\begin{array}{l}\mu \left(i_4\mid R_{aut}\right)={\displaystyle \frac{\delta {\varphi }_M}{\left.\delta {\varphi }_M+(1-\delta ){\varphi }_L\right)}}\\ \mu \left(i_5\mid R_{cyb}\right)={\displaystyle \frac{\delta \left(1-{\varphi }_M\right)}{\delta \left(1-{\varphi }_M\right)+(1-\delta )\left(1-{\varphi }_L\right)}},\\ \mathrm{or} \mu \left(i_5\mid R_{cyb}\right)=1 \mathrm{since} {\varphi }_L=1.\end{array}$$

From Figure 3, we have two information sets of the defender: $H_1=\left\{i_3,i_4\right\}$ and $H_2=$ $\left\{i_5\right\}$.

To see that $\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ is a PBE of the game ${\mathsf{\Gamma }}_2$, we consider the posterior beliefs $\mu \equiv \left[\mu \left(i_3\mid R_{\mathrm{aut} }\right),\mu \left(i_4\mid R_{\mathrm{aut} }\right),\mu \left(i_5\mid R_{\mathrm{cyb} }\right)\right]$.

The strategy $R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L$ corresponds to ${\varphi }_M=1$ and ${\varphi }_L=1$ so that the posterior beliefs in $H_1$ become $\mu \left(i_3\mid R_{\mathrm{aut} }\right)=1-\delta ,\mu \left(i_4\mid R_{\mathrm{aut} }\right)=\delta$. Therefore, the information set $H_1$ is reached with positive probability. However, $H_2$ is reached with zero probability for this strategy so that we can assign any posterior belief $\mu \left(i_5\mid R_{cyb}\right)\in \left[\mathrm{0,1}\right]$ [32]. Now, let us consider the expected payoffs to the defender due to the action $D_{\mathrm{accept} }$ in $H_1$, denoted by $\psi$,

$$\begin{array}{l}\psi =V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)\mu \left(i_3\mid R_{\mathrm{aut} }\right)+V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)\mu \left(i_4\mid R_{\mathrm{aut} }\right)\\ \mathrm{or} \psi =V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid L\right)(1-\delta )+V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\mid M\right)\delta .\end{array}$$

Now, the expected payoff to the defender due to the action $D_{\mathrm{reject} }$ denoted by ${\psi }^{\mathrm{\prime }}$ in $H_1$ is given by

$$\begin{array}{l}{\psi }^{\mathrm{\prime }}=V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)\mu \left(i_3\mid R_{\mathrm{aut} }\right)+V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)\mu \left(i_4\mid R_{\mathrm{aut} }\right)\\ \mathrm{or} {\psi }^{\mathrm{\prime }}=V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)(1-\delta )+V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid M\right)\delta .\end{array}$$

It can be noticed that $\psi =y_{12}$ and ${\psi }^{\mathrm{\prime }}=y_{14}$. Moreover, if $\delta \in {\mathsf{\Delta }}_3$, we know that $y_{12}>y_{14}$, i.e., $\psi >{\psi }^{\mathrm{\prime }}$. This implies that $D_{\mathrm{accept} }$ is the best response to $R_{\mathrm{aut} }$ in $H_1$. Furthermore, we need to show that $D_{\mathrm{reject} }$ is also the best response to $R_{cyb}$ in $H_2$. Let $\zeta$ and ${\zeta }^{\mathrm{\prime }}$ denote the expected payoffs due to the actions $D_{\mathrm{accept} }$ and $D_{\mathrm{reject} }$, respectively, in $H_2$. Therefore, we can write

$$\begin{array}{l}\zeta =V_2\left(R_{\mathrm{cyb} },D_{\mathrm{accept} }\mid M\right)\mu \left(i_5\mid R_{\mathrm{cyb} }\right) \mathrm{and} \\ {\zeta }^{\mathrm{\prime }}=V_2\left(R_{\mathrm{cyb} },D_{\mathrm{reject} }\mid M\right)\mu \left(i_5\mid R_{\mathrm{cyb} }\right), \mathrm{where} \mu \left(i_5\mid R_{\mathrm{cyb} }\right)\in \left[\mathrm{0,1}\right].\end{array}$$

It can be seen that ${\zeta }^{\mathrm{\prime }}>\zeta$ when $p_2<{\displaystyle \frac{1}{2}}$. Thus, we know that the defender plays the best response in each of the information sets $H_1$ and $H_2$. Hence, the strategy profile $\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ is a $\mathrm{P}\mathrm{B}\mathrm{E}$ of ${\mathsf{\Gamma }}_2$.

Also, consider the pure-strategy BNE $\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ given by Equation (5). This strategy corresponds to ${\varphi }_M=0$ and ${\varphi }_L=1$. This leads to the posterior beliefs $\mu \left(i_3\mid R_{\mathrm{aut} }\right)=1,\mu \left(i_4\mid R_{\mathrm{aut} }\right)=0$ and $\mu \left(i_5\mid R_{\mathrm{cyb} }\right)=1$. It can be seen that with this strategy, the two information sets $H_1$ and $H_2$ are reached with positive probabilities. Furthermore, the defender plays the best response $D_{\mathrm{accept} }$ in $H_1$ with the updated posterior beliefs as the expected payoffs $\left.\psi =V_2\left(R_{\mathrm{aut} },D_{\mathrm{accept} }\right)\mid L\right)$ and ${\psi }^{\mathrm{\prime }}=$ $V_2\left(R_{\mathrm{aut} },D_{\mathrm{reject} }\mid L\right)$ are such that $\psi >{\psi }^{\mathrm{\prime }}$. Also, the defender plays the best response $D_{\mathrm{reject} }$ in $H_2$, i.e., $\zeta <{\zeta }^{\mathrm{\prime }}$, where $\zeta =V_2\left(R_{\mathrm{cyb} },D_{\mathrm{accept} }\mid M\right)$ and ${\zeta }^{\mathrm{\prime }}=V_2\left(R_{\mathrm{cyb} },D_{\mathrm{reject} }\mid M\right)$ and Equation (5) is derived subject to the constraint $p_2<{\displaystyle \frac{1}{2}}$. Therefore, the defender plays the best response in both the information sets $H_1$ and $H_2$ and, hence, the strategy $\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ is a PBE.

(ii) The BNE of Equation (6) is a PBE. To see this, consider the strategy $\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$. For this strategy, ${\varphi }_M=1$ and ${\varphi }_L=1$. This implies that $\mu \left(i_3\mid R_{\mathrm{aut} }\right)=1-\delta$ and $\mu \left(i_4\mid R_{\mathrm{aut} }\right)=\delta$. Thus, the two information sets $H_1$ and $H_2$ are reached with positive probabilities. Moreover, the defender plays the best response $D_{\mathrm{reject} }$ in each of the information sets as ${\psi }^{\mathrm{\prime }}>\psi$ and ${\zeta }^{\mathrm{\prime }}>\zeta$ for $p<{\displaystyle \frac{1}{2}}$. Hence, the strategy $\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{reject} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ is a PBE.

(iii) Similar to the above discussion, it can be shown that the BNEs given by Equation (7) are PBEs.

4. Verification and Validation

One of the methods in scientific research involves first verifying a proposed mathematical model before its application and then validating its applicability [40]. Accordingly, we use the terms ‘verification’ and ‘validation’ in this work to refer to the correctness of the proposed model and its applicability in real-world scenarios, respectively. We employ Monte Carlo simulation experiments to verify the proposed model in Section 4.1, show their implementation using hypothetical scenarios in Section 4.2, and utilize real project data to validate the applicability of the proposed model in Section 4.3. Thus, verifying the model through simulation experiments ensures that the theoretical results align with the outcomes obtained from the simulations. Conversely, validating its applicability involves assessing whether the proposed model accurately represents real-world phenomena and scenarios.

4.1. Verification of the Proposed Models

One way to verify a mathematical model is to perform empirical analysis using actual data. In this study, the actual data required to verify the model are the details of a previous cyber incident involving malicious insiders. However, organizations usually prefer not to publish insider attack incidents for various reasons, such as reputation damage, loss of trust, legal and regulatory concerns, competitive disadvantage, and contractual considerations. Therefore, the unavailability of actual data necessitated using the Monte Carlo simulation to verify our proposed model. In fact, in the absence of actual data, simulation is a valuable tool to analyze mathematical models, as demonstrated by Ni et al. [13] and Kim et al. [15]. The authors [15] used Monte Carlo simulations to analyze their game models. Ni et al. [13] also performed simulations to analyze their game model due to the challenges in obtaining actual data for input parameters. Similarly, in this research, we used the Monte Carlo simulation to verify our proposed model.

For each game model, we analyzed the basic parameters $\beta ,\omega ,C_{cyb}$ and the probabilities $p_1$, $p_2$, and $\delta$ for both the simultaneous move and sequential move game models. In this experiment, we employed a Monte Carlo simulation, generating multiple parameter combinations to identify those that satisfied the constraints for each game model, where each parameter was normalized and, hence, randomized from $\left(\mathrm{0,1}\right)$. Regarding sampling techniques, we employed random sampling to generate parameter combinations across the defined parameter space. Each parameter was sampled from a uniform distribution within theoretically justified bounds, ensuring a comprehensive exploration of the game’s strategic landscape. This approach was chosen for its simplicity and effectiveness in covering a wide range of scenarios without prior assumptions about parameter distributions.

The ranges for each parameter were determined based on theoretical considerations within the construction cybersecurity field. For instance, the parameter $\delta$, which is the probability that an insider is malicious, was varied between 0 and 1 to cover all possible weights, reflecting a wide spectrum of game dynamics; $p_1$ (the probability that the identity of the malicious insider and his/her activity is discovered in the case of proper authentication) needed to be greater than $p_2$ (the probability that the identity of the malicious insider and his/her activity is discovered in the case of a cyberattack). We conducted many simulation runs for each parameter set to ensure the robustness and reliability of our results. This large number of runs leveraged the law of large numbers, allowing us to approximate the expected outcomes of strategies with high confidence.

The decision to randomize and normalize parameters within the 0 to 1 range is grounded in both theoretical considerations and practical assumptions. Specifically, parameters such as $p_1,p_2$, and $\delta$ represent probabilities, inherently necessitating their values to fall within the 0 to 1 interval. This ensures that their interpretation remains consistent with probabilistic theory. For parameters like $C_{cyb},\omega$, and $\beta$, which are related to costs and payoffs, normalizing their values to a 0 to 1 scale is a strategic choice aimed at establishing a universal and consistent framework for comparison. In real-world scenarios, absolute values of costs and payoffs can vary significantly across different contexts, such as varying scales of projects or financial capacities of companies. Normalizing these values facilitates a more generalized and adaptable model application.

For each parameter exploration, we conducted numerous simulations, approximately 10,000, which leveraged the law of large numbers to ensure the robustness of our model. Therefore, the simulation process adhered to the law of large numbers. This approach guaranteed the robustness and generalizability of our model. This approach allowed us to systematically sample and evaluate different parameter settings, ensuring the credibility of our simulation results. Once we found a parameter combination that met the constraints, we focused on visualizing and analyzing the mixed strategy probabilities ${\lambda }^{\mathrm{*}},1-{\lambda }^{\mathrm{*}},{\eta }^{\mathrm{*}}$, and $1-{\eta }^{\mathrm{*}}$. To understand the impact of a particular parameter, we plotted the corresponding mixed strategy probabilities. We observed the resulting changes in the mixed strategy equilibrium probabilities by systematically varying the fixed parameters. Our experiments show that the simulation results are consistent with the theoretical results obtained based on the proposed models, and the simulation code is available on GitHub [41].

We plotted different graphs, such as Figure 5, Figure 6, Figure 7 and Figure 8, based on the basic simultaneous move game model for numerical illustration purposes. From Figure 5, it can be observed that the mixed strategy equilibrium probability ${\lambda }^{\mathrm{*}}$ (this corresponds to an insider using authentication if malicious) increased as the probability that an insider was malicious $\left(\delta \right)$ increased. Moreover, as the probability of detecting an insider under authentication ($p_1)$ increased, the probability that an insider used an authentication process, characterized by $\lambda$, decreased. In addition, in Figure 6, the probability that a malicious insider launched a cyberattack (i.e., $1-{\lambda }^{\mathrm{*}}$) decreased as the probability of being malicious $\delta$ increased and the probability of carrying out a cyberattack $\left(1-{\lambda }^{\mathrm{*}}\right)$ increased as the detection probability $p_1$ under authentication increased. Furthermore, Figure 7 shows that the equilibrium probability of accepting the request increased as the cost of the cyberattack increased, whereas the probability of rejecting the access request $1-{\eta }^{\mathrm{*}}$ decreased as the cost of the cyberattack increased.

4.2. Implementation of the Proposed Model in a Construction Example

This section illustrates the practical implementation of the proposed sequential game-theoretical model in the context of a construction project. Showing the implementation and presenting different scenarios are crucial for contextualizing the theory presented in Section 4 and Section 5. The proposed models involve an insider with a parameter directly related to its characteristics: the probability that an insider is malicious $\left(\delta \right)$. The other party involved in the game-theoretic models is the data defender. Considering that the data defender manages the access control using a role-based method, the role of the insider in the project mainly defines the initial $\delta$ value. Therefore, understanding different possible roles in a construction project is essential before showing the proposed models’ implementation. A high-level list of roles in a construction project using BIM is presented in

Table 2. Different categories and roles.

Categories	Sub-Categories	Sample Roles
Client	(i) Client	Client
	(ii) Client’s representative	Client project manager Client liaison officer
Advisor/Consultant	(i) Management	Project manager Construction manager Design coordinator Design manager BIM coordinator BIM manager
	(ii) Design	Architectural designer Civil and structural engineer Geotechnical engineer Mechanical and electrical engineer Fire engineer
	(iii) Financial	Cost consultant Cost planner Quantitative surveyor
Builders and con- tractors	(i) Constructor	Project manager Construction manager Construction scheduler Construction cost estimator Contract manager Site manager Site engineer Quantitative surveyor BIM manager BIM coordinator BIM specialist IT manager IT specialist Business manager Human resource manager Administrator
	(ii) Partial responsibility	Sub-contractor

. Most roles shown below were taken from Hughes and Murdoch [42], and BIM- and IT-related roles were added to the list to make it up-to-date and more relevant to this study. Moreover, a procurement method with separate design and construction responsibilities was assumed. Only the roles that were assumed to have access to the project IT network were included.

The list of roles in Table 2 can be extended or reduced depending on project characteristics. However, it is clear that not all roles have the same initial probability of being a malicious insider ${\delta }_{\mathrm{initial} }$ in a project. For example, the initial probability of a client being malicious should not be assumed to be the same as the initial probability of a sub-contractor being malicious. Therefore, while implementing the proposed model, different ${\delta }_{\mathrm{initial} }$ values should be considered for different roles. However, $\delta$ values of each user in the network should be dynamic throughout the project and change based on feedback from the IDS. In this paper, the probability of an insider being malicious at any given time is annotated as ${\delta }_{\mathrm{current} }$. For example, if a user with a low ${\delta }_{\mathrm{initial} }$ value starts having suspicious activity (e.g., unexpected traffic from its devices), its ${\delta }_{\mathrm{current} }$ value is revised and relatively increased.

The access control manages the access requests of subjects to different objects in the network. While the subjects refer to project participants with various roles, the object can be a file or device. In this paper, the object is assumed to be a digital file stored in the centralized repository (i.e., CDE). Since the sensitivity of each file in a project is different, all parameters related to data defined in the previous sections should also be different. One of these parameters is the defender’s payoff due to the discovery of a malicious insider identity or data protection $\omega \in \left(\mathrm{0,1}\right)$. It represents the importance of protecting the data to the project or defender. It can also be considered as the criticality of the data for the proper functioning of the project (i.e., avoiding project disruption and maintaining business continuity). Moreover, $-\omega$ reflects the loss to the defender as a result of not detecting a malicious insider or exposing data to a malicious insider. As the criticality of a file for the project increases, this parameter should also increase (i.e., a high $\omega$ means that it is important to the defender). Therefore, it is crucial to understand different file types in a construction project to identify their sensitivity levels for different types of projects during different phases. A high-level and non-exhaustive list of file types used in BIM projects is as follows: BIM execution plan (BEP), 3D models—architectural, 3D models—structural, 3D models—MEP, coordination models, cost estimation documents, construction schedules, cost and schedule forecasts, quantity takeoff files, specifications, clash detection reports, bills of quantities (BoQs), requests for information (RFIs), requests for change (RFCs), quality control/quality assurance documents, bidding documents, payment certificates, progress reports, risk assessment documents, autonomous or semi-autonomous machinery control system files, testing and inspection reports, contracts, and other legal documents.

The parameter $\omega$ values for different criticality levels were assigned based on inspiration from the qualitative severity rating scale in the Common Vulnerability Scoring System (CVSS) v3.1 [43]. Since the $\omega$ value was normalized within the range of $(0,1)$ and the original values from CVSS were within the range of $[0,10]$, the ratings were multiplied by 0.1 to obtain the $\omega$ values. A stacked bar chart showing different criticality levels for data and the corresponding $\omega$ values are shown in Figure 9.

Different document types might have different sensitivities based on the type and phase of the project. Therefore, assuming fixed values for each one regardless of the characteristics of the project would be inaccurate. For example, while the design documents might have high sensitivity in a critical project such as a military base construction during all the phases, they might have much lower sensitivity in a residential project regardless of the project phase. Mantha et al. [1] summarized some of the critical assets that can be targeted by attackers in construction projects. They mentioned that during the design phase, proprietary information, such as the details of the operational procedures, could be stolen and sold to other parties for financial gain.

The other parameter, the malicious insider’s payoff corresponding to the compromising of data $\left(\beta \right)$, presents the importance of the data to the attacker (i.e., the malicious insider). The value of this parameter should be considered independent of the $\omega$ value since it is determined based on the attacker’s motivation rather than the project’s priorities. Similar to $\omega ,\beta$ was also normalized between 0 and 1. As its value approached 1, the benefit of compromising data was maximized for the attacker. The same qualitative categorization for the criticality of data and the corresponding values shown in Figure 9 were used for the $\beta$ value. Therefore, the value of data to the attacker could be low, medium, high, or critical, with $\beta$ values of 0.2, 0.55, 0.8, and 0.95, respectively. The attackers could have various motivations that determined their targets in the project. In general, cyber attackers can be classified into different categories based on their motivations, such as the ones listed below [44]:

• Pranksters are the attackers who perform attacks without serious intentions, mostly for fun.
• Hacksters are the ones hacking to improve their skills and out of curiosity.
• Malicious hackers are cyber actors who desire destruction and cause damage for self-pleasure.
• Personal problem solvers commit their activities to gain personal benefit. They cannot solve their issues through legal ways and use cyberattacks for that purpose.
• Career criminals have pure financial motivations.
• Extreme advocates perform their activities due to social movements, religious reasons, or political motivations. They have also been called hacktivists.
• Malcontents, addicts, and individuals are attackers mostly with psychological problems, such as antisocial personality disorder.

The last parameter to consider for the implementation of the model was the cost of a cyberattack $\left(C_{cyb}\right)$. This parameter depends on the malicious insider’s expertise level and the targeted file’s security level. Moreover, the targeted file’s security level depends on the project security level and the targeted file’s accessibility level. For the malicious insider’s expertise level, the Dreyfus model [45] was employed. This model defines five levels of expertise: novice, advanced beginner, competent, proficient, and expert. For the project security level, five qualitative levels (very low, low, medium, high, very high) and corresponding values (0.1, 0.3, 0.5, 0.7, 0.9) were defined. The project security level is characterized by the security measures employed by the project/defender, such as the IDS, a multi-factor authentication system, firewalls, and software patch management. If all the security measures suggested by cybersecurity standards are employed, then the project security level can be considered “very high”. Finally, for the targeted file’s accessibility level, the same five qualitative levels as the project security level were used. However, the corresponding values for different levels were in the opposite order since increasing accessibility decreases the security level of a file. For example, if a file was very sensitive and accessible to a few people in the project, then the file accessibility level could be considered “very low”, with a value of 0.9.

The file security level was calculated by multiplying the project security level and the file accessibility level to incorporate the overall security measures employed in the project and the number of people who can access the file, i.e.,

$$\mathit{File} \mathit{security} \mathit{level}=(\mathit{Project} \mathit{security} \mathit{level})\ast (\mathit{File} \mathit{accessibility} \mathit{level}).$$

The qualitative values for each expertise, project security, and accessibility level are shown in

Table 3. Expertise, security, and accessibility levels and the corresponding qualitative values.

Malicious Insider Expertise Level	Project Security Level	File Accessibility Level	Rating Scale		Rating Average
Novice	Very low	Very high	0	0.2	0.1
Advanced beginner	Low	High	0.2	0.4	0.3
Competent	Medium	Medium	0.4	0.6	0.5
Proficient	High	Low	0.6	0.8	0.7
Expert	Very high	Very low	0.8	1	0.9

. The cost of cyberattack $\left(C_{cyb}\right)$, normalized within the range of (0,1), was calculated by subtracting the average value of malicious insider expertise level from the average value of file security level, i.e.,

$$\mathit{Cost} \mathit{of} \mathit{cyberattack}=max\{\mathit{File} \mathit{security} \mathit{level} - \mathit{Malicious} \mathit{insider} \mathit{expertise} \mathit{level}, 0\}.$$

If the expertise level value is higher than or equal to the file security level value, the cost of cyberattack $\left(C_{cyb}\right)$ is assumed to be zero. This means that if the attacker has the required expertise level to compromise the targeted data, he/she should not need additional resources. If not, the attacker should use extra resources that will make the cyberattack cost more than zero. The following scenario, where an insider requests access to a file, is presented to understand the mentioned parameters and their roles in determining the best strategies by the insider and defender and show the practical implementation of the proposed model.

4.2.1. Overview of the Hypothetical Scenarios

In these scenarios, a construction cost estimator from the main contractor, who is a malicious insider, requests access to two different files stored in the centralized repository (i.e., CDE) of the project during the construction phase. The project is a smart hospital building construction project, and the cost estimator typically has access to both files. Since the project is a smart building, it will be equipped with IoT devices once the construction is completed. Moreover, medical equipment will be installed at the last stage of the construction phase as it is a hospital building. The details of the IoT devices and medical equipment are stored in the CDE of the project. The two files requested by the cost estimator (i.e., insider) are the cost and schedule forecast file and the structural design file.

To demonstrate the impact of different security levels of projects on the best strategies of the insider and defender, two different scenarios assuming two different overall security levels for the same project are considered. In Scenario 1, the security level of the project was assumed to be “high” (see Table 3). As mentioned in the previous sections, two probability values were used while computing the Bayesian Nash Equilibrium (BNE): the probability that a malicious insider who launches authentication is detected $\left(p_1\right)$ and the probability that the malicious insider who launches a cyberattack is detected $\left(p_2\right)$. Since the probability that the malicious insider who launches a cyberattack is detected $\left(p_2\right)$ is dependent on the overall security level of the project, $p_2$ was chosen as the corresponding value for “high” in Table 3, which was 0.7. Moreover, since $p_1$ is assumed to be always higher than $p_2$ in the proposed game models, $p_1$ was assumed to be 0.8 for Scenario 1. In Scenario 2, the overall security level of the project was assumed to be “medium” (see Table 3). Therefore, $p_2$ was assumed to be 0.49 (nearly equal to 0.5) based on the qualitative rating corresponding to “medium” in Table 3. Similar to the first scenario, $p_1$ was assumed to be slightly higher than $p_2$, which was 0.55 in this case. A summary of both scenarios for the same smart hospital construction project is presented in

Table 4. Characteristics related to the projects for scenarios 1 and 2.

Project Type Project Phase	Smart Hospital Building Construction Phase
Scenarios	Characteristic	Value
Scenario 1	The overall security level of the project	High (0.7) (See Table 3)
	The probability that the malicious insider who launches a cyberattack is detected $\left({\mathrm{p}}_2\right)$	0.7
	The probability that the malicious insider who uses authentication is detected $\left({\mathrm{p}}_1\right)$	0.8
Scenario 2	The overall security level of the project	Medium (0.5) (See Table 3)
	The probability that the malicious insider who launches a cyberattack is detected $\left({\mathrm{p}}_2\right)$	0.49
	The probability that the malicious insider who uses authentication is detected $\left({\mathrm{p}}_1\right)$	0.55

.

At the beginning of the project, the initial probability of being a malicious insider $\left({\delta }_{\mathrm{initial} }\right)$ for the cost estimator was assumed to be 0.2 since it is a trusted role in the project. However, at the time of the data request, the probability of being a malicious insider (${\delta }_{\mathrm{current} }$) was assumed to be higher, 0.8, due to unusual traffic from the cost estimator’s computer detected by the IDS. The unusual traffic shows that high volumes of data were transferred from the project repository to an unknown IP address. In this scenario, the cost estimator who requests access to the files is a malicious insider with financial motivation. He/she is a career criminal, based on Parker’s [44] cyber attacker categories previously presented, and is assumed to have an expertise level of advanced beginner, based on the Dreyfus model [45]. These characteristics related to the malicious insider are summarized in

Table 5. Characteristics of the malicious insider.

Characteristic	Value
Type of malicious insider	Career criminal
The motivation of the malicious insider	Financial gain
Insider’s expertise level	Advanced beginner (0.3) (See Figure 3)
The initial probability of being a malicious $\mathrm{insider} \left({\delta }_{\mathrm{initial} }\right)$	0.2
The probability of being a malicious insider at $\mathrm{the} \mathrm{time} \mathrm{of} \mathrm{the} \mathrm{access} \mathrm{request} \left({\delta }_{\mathrm{current} }\right)$	0.8

.

Table 6. Parameters and BNE for scenario 1.

File Type	Criticality of the File (for the Project)		Payoff Due to Discovery of Malicious Insider Identity or Data Protection (ω)		Value of the File to the Malicious Insider	Payoff Corresponding to Compromised Data (β)	File Accessibility Level	Project Security Level	File Security Level	Malicious Insider’s Expertise Level	Cost of Cyberattack (Ccyb)	Bayesian Nash Equilibrium (BNE)
	Cybersecurity Attribute	Criticality	ω	Average ω
Cost and Schedule Forecast File	Confidentiality	Critical	0.95	0.57	Critical	0.95	Very low: 0.9	High: 0.7	(0.9 × 0.7) = 0.63	Advanced beginner: 0.3	(0.63 − 0.3) = 0.33	E
	Integrity	Medium	0.55
	Availability	Low	0.2
Structural Design File	Confidentiality	Medium	0.55	0.68	Medium	0.5	Medium: 0.5		(0.5 × 0.7) = 0.35		(0.35 − 0.3) = 0.05	D
	Integrity	Critical	0.95
	Availability	Medium	0.55

(for Scenario 1) and

Table 7. Parameters and BNE for scenario 2.

File Type	Criticality of the File (for the Project)		Payoff Due to discovery of Malicious Insider Identity or Data Protection (ω)		Value of the File to the Malicious Insider	Payoff Corresponding to Compromised Data (β)	File Accessibility Level	Project Security Level	File Security Level	Malicious Insider’s Expertise Level	Cost of Cyberattack (Ccyb)	Bayesian Nash Equilibrium (BNE)
	Cybersecurity Attribute	Criticality	ω	Average ω
Cost and Schedule Forecast File	Confidentiality	Critical	0.95	0.57	Critical	0.95	Very low: 0.9	Medium: 0.5	(0.9 × 0.5) = 0.45	Advanced beginner: 0.3	(0.45 − 0.3) = 0.15	B
	Integrity	Medium	0.55
	Availability	Low	0.2
Structural Design File	Confidentiality	Medium	0.55	0.68	Medium	0.5	Medium: 0.5		(0.5 × 0.5) = 0.25		(0.25 − 0.3) < 0	A
	Integrity	Critical	0.95
	Availability	Medium	0.55

(for Scenario 2) show the two different files requested by the malicious insider, the criticality of each file for the project considering different cybersecurity attributes, the corresponding $\omega$ values, the value of each file to the malicious insider, the corresponding $\beta$ values, the accessibility levels of each file, the project security level, file security levels, malicious insider’s expertise level, the cost of cyberattack $\left(C_{cyb}\right)$, and the Bayesian Nash Equilibrium (BNE) that shows the best strategy for the insider and the defender. The criticality levels of each file were determined based on the CIA triad [46] (i.e., confidentiality, integrity, and availability). The details of each file requested by the malicious insider and their importance from the project’s and insider’s perspectives were as follows:

• The cost and schedule forecast file shows the details of the contractor’s cost calculations for various tasks, the internal schedule for the remaining work, the profitability analysis of the contractor, and the risk register of the project. The file is “critical” in terms of confidentiality since it includes the financial details of the project, such as the cost of various tasks, the profitability of the project, and the cost of materials and services. Since this information is only available to a few people in the project, the accessibility level of the file is “very low” (Table 6). The file’s integrity has a “medium” criticality since the data alterations might mislead the project management and cause wrong decisions to be made. However, it is not as critical as the confidentiality aspect. Lastly, the availability of the file has low criticality since its unavailability does not disrupt the business functions or site operations. Since the malicious insider has a financial motivation, the file is of “critical” value. He/she can potentially sell the sensitive content of the file to competitors or ask for a ransom in exchange for not leaking the data. Therefore, the insider primarily targets this file.
• The structural design file includes all the details regarding the structural elements, such as the reinforcement details, concrete and other structural material characteristics, and the connection details of each element. Since it is a building information model, all details, including the exact locations of the structural elements, are included in the file. The file has a “medium” criticality in terms of confidentiality since it includes intellectual property. The most critical aspect of the file is its integrity since a stealthy attacker could tamper with the structural design details and mislead the site teams about the execution. This could potentially cause a reduction in the strength of the structural elements, which might cause a catastrophic failure of the building during the operational phase. Considering that the building is a hospital, the criticality of properly implementing the correct structural design further increases. Finally, the availability of the file has “medium” importance since the unavailability might cause disruptions to site activities, which might indirectly lead to financial loss. The accessibility of the file is “medium” as there are a considerable number of project participants, such as the structural design team, quantity surveyor, and cost estimator, who need this information to perform their tasks. From the malicious insider’s perspective, the file is not as valuable as the cost and schedule forecast file. However, he/she can attack the file with ransomware and threaten the project by permanently destroying it or leaking its content. Considering that the file has medium-level sensitivity in terms of confidentiality and availability, it is also of medium importance to the malicious insider.

The $\omega$ values for each cybersecurity attribute of each file were assigned based on Figure 9 and the average $\omega$ was the arithmetic mean of the three different $\omega$ values. The cost of cyberattack $\left(C_{cyb}\right)$ was calculated using the method presented previously. For the cost and schedule forecast file in Scenario 1, the file security level was calculated by multiplying the project security level, 0.7, by the file accessibility level, 0.9, which resulted in 0.63. Since the malicious insider had an expertise level of “Advanced beginner”, which corresponded to a value of 0.3 (see Table 3), subtracting this from the file security level, 0.63, gave us the value for the cost of the cyberattack $\left(C_{cyb}\right)$, 0.33. This means that the malicious insider will need additional resources to compromise the cost and schedule forecast file in Scenario 1. The values for the structural design file in Scenario 1 are given in Table 6 and the values for both files in Scenario 2 are presented in Table 7. The BNE corresponding to these scenarios were computed based on the flowchart of BNE (see Figure 4) and are also presented in Table 6 and Table 7.

4.2.2. Discussion of the BNE for Hypothetical Scenarios

In scenario 1 (Table 6), where the project security level is high, we observe that the BNE with respect to the cost and schedule forecast file is $\mathrm{E}$ when the cost of cyberattack $C_{cyb}$ is 0.33. The equilibrium $\mathrm{E}=\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{accept} }^{cyb}\right)$ (see Figure 4) states that when the cost of the cyberattack is 0.33, a malicious insider whose level is advanced beginner would prefer using authentication to a cyberattack to request the file, and the legitimate insider would also use authentication. The defender observes this, and, in response to that, decides that the best strategy is to accept the access request with the probability $p_1=0.8$ of the malicious insider being detected. On the other hand, for the structural design file, the BNE is $\mathrm{D}$, where $\mathrm{D}=\left(R_{\mathrm{cyb} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{accept} }^{cyb}\right)$. This states that when the cost of the cyberattack $C_{cyb}$ is 0.05, a malicious insider would prefer launching a cyberattack to using authentication to request the file. This action is observed by the defender, and the best defense strategy is to accept the request and catch the malicious insider with the probability $p_2=0.7$.

In scenario 2 (Table 7), where the project security is medium, we see that the BNE corresponding to the cost and schedule forecast file is $\mathrm{B}=\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{\mathrm{cyb} }\right)$. This states that when the cost of the cyberattack is 0.15 and if the insider is a malicious one whose expertise level is advanced beginner, he/she would prefer using authentication to a cyberattack at this cost to request the file. In this case, the best strategy for the defender is to accept the request with the probability $p_1=0.55$ of the malicious insider being discovered. In addition, it can be seen from this equilibrium that if the insider is legitimate, he/she would request the data through authentication, and this request would be accepted by the defender. On the other hand, in the case of the structural design file, the BNE is $\mathrm{A}=\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$, with the cost of the cyberattack set to $C_{cyb}=0$. This shows that if the insider is a malicious advanced beginner, he/she would launch a cyberattack at the cost of zero (i.e., $C_{cyb}=0$) rather than using authentication. To counter this act, the best strategy for the defender is to reject the request, given that the probability of the malicious insider being detected is $p_2=0.49$, whereas if the insider is legitimate, he/she would request the file through authentication, and this request would be accepted by the defender.

4.3. Validation of the Applicability of the Proposed Model Using Real Project Data

4.3.1. Interviews with Construction Experts

A model in research can undergo validation through the utilization of an expert panel. This process entails engaging a group of experts to scrutinize the model’s elements and assess its efficacy [47]. The usefulness, verifiability, and structure of the model are assessed by the experts to determine if the model meets its objectives [48]. The validation phase enhances practitioners’ comprehension and utilization of the model within the field [48]. The assessment conducted by the experts can pinpoint any required adjustments to enhance the model’s performance. In line with this, interviews were conducted with two experts working for a large-scale construction company to receive feedback about the usefulness of this study and show the applicability of the proposed model when real project data are used. Their company has been delivering significant landmark projects in the Middle East region, mainly in the United Arab Emirates (UAE), since it was founded in 1999. The interviewees included an IT expert and a construction innovation expert with more than ten years of experience. The interview had two sessions: (1) the authors presented the proposed game-theoretic model and its implementation for the hypothetical scenario provided in the previous subsections and (2) the experts were asked to give feedback on different elements of the presented model and provide information about two types of files in two of their projects. The experts’ responses were collected through a structured, roundtable discussion during the second interview session. The discussion was guided by the prepared questions regarding the experts’ opinions on the model and the characteristics of the file types and projects they preferred to share. This information was then used to show the proposed model’s implementation using real project data, discussed in the following subsections. The implementation still had a hypothetical component, which was related to the malicious insider, since the interviewees could not provide information regarding this aspect. Therefore, the malicious insider scenario, including the insider’s characteristics (see Table 5), job title, and suspicious activities, was kept the same. On the other hand, the characteristics of the files requested by the malicious insider and the construction projects were changed based on the experts’ input. The experts shared the required level of information regarding their projects without disclosing the project names for confidentiality purposes.

4.3.2. Evaluation of the Proposed Models

The experts were asked to evaluate the proposed models during the second interview session. Two questions were directed to the interviewees to receive their feedback, and their answers were requested using the Likert scale (1–5), along with any comments they had. The questions and provided answers were as follows:

Question 1) Do you think the parameters below (see

Table 8. Parameters used in the proposed model and the experts’ feedback.

No.	Parameters	Experts’ Rankings (1–5)
1.	δ (The initial probability of being a malicious insider)	5
2.	p1 and p2 (The probability that the malicious insider is detected)	4
3.	ω (Payoff/reward to the data defender due to detection of the malicious insider)	5
4.	β (Payoff/reward to malicious insider due to stolen data/compromised data)	5
5.	Ccyb (Cost of cyberattack)	5

) were included in the model in a reasonable way? Please rank from 1 to 5 (5 being the most reasonable).

Answer 1)

As the rankings in Table 8 indicate, the experts found the parameters used in the model reasonable. They only had a comment about the assumption of p₁ being always higher than p₂. They mentioned that this assumption is reasonable when the detection and identification of a malicious insider is considered. However, they suggested that this study could also consider the probability of detecting malicious activity. They indicated that the probability of detecting malicious activity when the insider is using a cyberattack would be higher than the probability of detecting malicious activity when the insider is using authentication.

Question 2) The file security level and cost of cyberattack (C_cyb) are estimated as follows:

File security level = (Project security level) x (File accessibility level)

C_cyb = max {File security level − malicious insider expertise level, 0}

Are the formulae used to estimate the file security level and C_cyb reasonable?

Answer 2) After a round of discussion, the experts agreed that the provided formulae used in the model are reasonable. They could understand the logic behind the formulae and did not have further suggestions to improve them.

4.3.3. Overview of the File Types

The experts were asked to provide two types of files commonly used in their projects that could be valuable to attackers. The experts agreed on discussing the following file types:

File type 1—Structural design file: Similar to the hypothetical example in this study, the experts suggested that the structural design files would be valuable to potential attackers. They mentioned that their company utilizes BIM; therefore, the structural design files are developed and stored in digital environments. Structural design files include all relevant details, such as material lists, structural element details, load analysis, connection details, and specifications.

File type 2—Resource management file (for labor): This type of file includes all details about the labor used in a project, such as the detailed list of labor, distribution of worker types required for different tasks, total manhours required for each task, and unit labor cost for different worker types. The experts mentioned that these files are also created in digital environments and stored in the CDE of the project.

4.3.4. Overview of Projects

The interviewed experts were asked to provide the details of two projects of their company with different characteristics. The projects chosen by the experts were as follows:

Project 1—High-rise building: This project was delivered by the experts’ company in Dubai, UAE. The project included constructing a complex high-rise commercial building equipped with IoT devices. It was a design–bid–build (DBB) project. Therefore, the construction company was not responsible for the design development. Their scope only included the construction phase. The project utilized BIM technologies, and project stakeholders collaborated via a CDE.

Project 2—Theme park: The second project provided by the interviewees was a horizontal construction project for a theme park in Abu Dhabi. The project utilized advanced construction technologies, such as virtual reality for collaborating over building information models, augmented reality onsite for visualizing building elements using tablet PCs, and robots to collect data for assessing site conditions. The theme park included various state-of-the-art IoT devices for automation during the operation and maintenance phase. Moreover, the experts mentioned that this project’s client had strict measures regarding the confidentiality of project information.

The summary of the project-related information, including the security level of the projects, is presented in

Table 9. Characteristics of projects 1 and 2.

Project Phase	Construction Phase
Scenarios	Characteristic	Value
Project 1 (High-rise building)	The overall security level of the project	Medium (0.5) (See Table 3)
	The probability that the malicious insider who launches a cyberattack is detected $\left({\mathrm{p}}_2\right)$	0.49
	The probability that the malicious insider who uses authentication is detected $\left({\mathrm{p}}_1\right)$	0.55
Project 2 (Theme park)	The overall security level of the project	Medium (0.5) (See Table 3)
	The probability that the malicious insider who launches a cyberattack is detected $\left({\mathrm{p}}_2\right)$	0.49
	The probability that the malicious insider who uses authentication is detected $\left({\mathrm{p}}_1\right)$	0.55

. The project phase for both examples is construction since the company was only responsible for construction works in both cases. Moreover, the experts indicated the project security level as “medium” and mentioned that they had similar cybersecurity measures in both projects.

4.3.5. Implementation of the Model

The experts were asked to provide the relevant characteristics of both file types in two different projects for the implementation of the game-theoretic model. When the file accessibility levels were assessed, the experts mentioned that structural design files were much less accessible in both projects than resource management files. Moreover, they indicated that the second project’s client had a higher priority for confidentiality. Therefore, the accessibility of both files was lower in project 1 compared to project 2. For resource management files, the experts indicated that even though they were accessible to most project employees, the files’ cost-related columns were only accessible to a small group. For this reason, they did not assign “very high” accessibility for this file type, even for project 1. All file accessibility levels are summarized in

Table 10. File accessibility levels for projects 1 and 2.

File Type	File Accessibility Level (Project 1)	File Accessibility Level (Project 2)
Structural design file	Low	Very low
Resource management file	High	Medium

.

The experts were asked to provide their opinion about the value of the provided file types to a potential malicious insider with a financial motivation—the same malicious insider as the hypothetical scenario. They argued that the structural design files would be “critical” to potential malicious insiders since they are considered intellectual property with high financial value. They mentioned that the resource management file would have a “medium” value in project 1 and a “high” value in project 2 since they included cost information. Since this file type included labor cost and project 2 had higher commercial value, its value to a potential malicious insider in project 2 was considered higher by the experts. These values are shown in

Table 11. Value of the files to potential malicious insiders in projects 1 and 2.

File Type	Value of the File to a Potential Malicious Insider (Project 1)	Value of the File to a Potential Malicious Insider (Project 2)
Structural design file	Critical	Critical
Resource management file	Medium	High

.

Finally, the experts were asked about the criticality of the given file types in both projects considering different cybersecurity attributes (i.e., confidentiality, integrity, availability). They mentioned that in both projects, the confidentiality and integrity of the structural design files were “critical”. They emphasized the financial value of the structural design files, which increased the importance of confidentiality. From the integrity perspective, they agreed that a potential unauthorized change in structural design files could lead to a catastrophic outcome if not discovered quickly. They considered the availability of the design files to have a “medium” level of importance in both projects since their unavailability would cause a minor delay in the project and require additional resources to recover. However, they did not think that it would have a significant impact on both projects.

For resource management files, the experts considered confidentiality important for project 2 (theme park) due to the client’s effort to keep the internal project information confidential. Therefore, they assigned a level of “high” for this file type’s criticality for project 2. Other than this aspect, they did not consider any other cybersecurity attribute of the resource management file type to be of more than “low” criticality for both projects. Therefore, all the remaining values were assigned “low”. All cybersecurity attribute values and the other aspects of each file type discussed are summarized in

Table 12. Parameters and BNE for project 1.

File Type	Criticality of the File (for the Project)		Payoff Due to Discovery of Malicious Insider Identity or Data Protection (ω)		Value of the File to the Malicious Insider	Payoff Corresponding to Compromised Data (β)	File Accessibility Level	Project Security Level	File Security Level	Malicious Insider’s Expertise Level	Cost of Cyberattack (Ccyb)	Bayesian Nash Equilibrium (BNE)
	Cybersecurity Attribute	Criticality	ω	Average ω
Structural Design File	Confidentiality	Critical	0.95	0.82	Critical	0.95	Low: 0.7	Medium: 0.5	(0.5 × 0.7) = 0.35	Advanced beginner: 0.3	Max{0.35 − 0.3, 0} = 0.05	A
	Integrity	Critical	0.95
	Availability	Medium	0.55
Resource Management File	Confidentiality	Low	0.2	0.2	Medium	0.5	High: 0.3		(0.5 × 0.3) = 0.15		Max{0.15 − 0.3, 0} = 0	A
	Integrity	Low	0.2
	Availability	Low	0.2

and

Table 13. Parameters and BNE for project 2.

File Type	Criticality of the File (for the Project)		Payoff Due to Discovery of Malicious Insider Identity or Data Protection (ω)		Value of the File to the Malicious Insider	Payoff Corresponding to Compromised Data (β)	File Accessibility Level	Project Security Level	File Security Level	Malicious Insider’s Expertise Level	Cost of Cyberattack (Ccyb)	Bayesian Nash Equilibrium (BNE)
	Cybersecurity Attribute	Criticality	ω	Average ω
Structural Design File	Confidentiality	Critical	0.95	0.82	Critical	0.95	Very low: 0.9	Medium: 0.5	(0.5 × 0.9) = 0.45	Advanced beginner: 0.3	Max{0.45 − 0.3, 0} = 0.15	B
	Integrity	Critical	0.95
	Availability	Medium	0.55
Resource Management File	Confidentiality	High	0.8	0.4	High	0.8	Medium: 0.5		(0.5 × 0.5) = 0.25		Max{0.15 − 0.3, 0} = 0	A
	Integrity	Low	0.2
	Availability	Low	0.2

. Based on these values collected from the experts, the file security levels, cost of cyberattack (C_cyb) values considering the hypothetical malicious insider, and the BNEs are also presented in these tables.

4.3.6. Discussion of the BNE for Real Project Data

Table 12 presents the BNE corresponding to project 2 (high-rise building) with the project security level of medium. It can be observed from Table 12 that for both the files—the structural design file and the resource management file—the BNE was $\mathrm{A}=\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$, with the cost of cyberattack $C_{cyb}=0.05 \mathrm{a}\mathrm{n}\mathrm{d} 0$, respectively. The equilibrium implied that if the insider was malicious, he/she would launch a cyberattack to access the file at a very low cost or no cost at all. The defender would observe this action and respond to it by rejecting the access request. In this situation, the probability of the malicious insider’s identity being detected ($p_2$) would be approximately 0.5, characterized by the project security level of medium. Therefore, the best strategy for the defender would be to reject the file access request. Additionally, the equilibrium stated that if the insider was legitimate, then he/she would launch authentication to obtain access to the file, and the best strategy for the defender would be to accept the access request.

Furthermore, Table 13 presents the BNE calculation for project 2 (theme park). The BNE for the structural design file was $\mathrm{B}=\left(R_{\mathrm{aut} }^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{\mathrm{cyb} }\right)$, whereas the BNE for the resource management file was $\mathrm{A}=\left(R_{cyb}^M{R}_{\mathrm{aut} }^L,D_{\mathrm{accept} }^{\mathrm{aut} }{D}_{\mathrm{reject} }^{cyb}\right)$ (see Table 13). In the case of the structural design file, the cost of cyberattack was 0.15, while, for the resource management file, it was 0. As the cost of cyberattack was relatively high, the malicious insider would prefer authentication over launching a cyberattack for the structural design file. However, for the resource management file, with zero cost, he/she would opt for a cyberattack. After observing the cyberattack, the defender would respond by rejecting the file access request. This decision would be driven by the defender’s unwillingness to risk data security due to the low probability of detecting the malicious insider’s identity (approximately 0.5 for a medium project security level). Furthermore, the equilibrium for both files dictated that if the insider was legitimate, he/she would perform authentication to request file access. In response, the defender would accept this request and release the file.

5. Discussion and Limitations

The previous section presented the implementation of the proposed game-theoretical models using two scenarios for constructing a smart hospital building. The scenarios differed from each other based on the assumed project security level. In both scenarios, two types of files were considered for the implementation: cost and schedule forecast and structural design files. While the confidentiality of the first file type was assumed to be “high”, it was considered “medium” for the second file type due to the nature of the project. If the scenario included a project with high design sensitivity, the second file type’s confidentiality would also be “high”. For example, if the project were a military base, embassy, or intelligence agency building, the confidentiality of all design files, including the structural ones, would be “critical”. Moreover, if the malicious insider’s motivation was espionage, the value of the design files of such projects to the malicious insider (see Table 6 and Table 7, column “value of the file to malicious insider”) would be “critical”. If the project type was a residential building, the confidentiality of the design files could be considered even lower than the hospital construction scenario since the design would not have the same criticality level. Therefore, different file types would have different “cybersecurity attribute” (see Table 6 and Table 7) values for different project types based on the characteristics of the projects.

While this study presented the implementation of the proposed models in a theoretical scenario, the real-life application might have several constraints and difficulties. The first difficulty in a real-life scenario would be assigning confidentiality, integrity, and availability values for all types of files in the project. Since they have qualitative values, they might change based on the person assigning them. The problem regarding the subjectivity of the values also applies to the other qualitative values in Table 6 and Table 7, such as “value of the file to malicious insider” and “malicious insider’s expertise level”. Another challenge would be identifying the security level of the project. This would require the project to perform security risk assessments regularly. However, even with regular risk assessments, choosing one of the five values for the security level in Table 3 reduces accuracy. The constraints of simplification and reduced accuracy in values also apply to the “malicious insider expertise level” and “file accessibility level”. Identifying these values and making them realistic is one of the considerable real-life challenges of this study.

This study also simplified the motivation of the malicious insider. The insider might have several motivations, some not given in this study. Therefore, assigning values for the “Value of the File to Malicious Insider” would be more difficult and complex. Moreover, in this study, the expertise level of the attacker did not affect the values of “the probability of being a malicious insider at the time of the access request $\left({\delta }_{\mathrm{current} }\right)$”, “the probability that the malicious insider who launches authentication is detected $\left(p_1\right)$”, and “the probability that the malicious insider who launches a cyberattack is detected $\left(p_2\right)\mathrm{”}$. However, if the attacker is stealthy enough, the IDS might not be able to detect unusual traffic from the insider. Thus, the ${\delta }_{\mathrm{current} }$ value would stay low, affecting the best strategy for the defender. Similarly, the stealthiness would significantly affect the probability of being detected, corresponding to the $p_1$ and $p_2$ values in this study. The evaluation of the proposed model was made by only two experts from a construction company, which can be considered another limitation of this study. Receiving the feedback of more experts would help improve the study further. Finally, as insider threats are not only concerned with intentional malicious acts but also inadvertent acts, our proposed game models could not capture the scenario of unintentional/inadvertent insider threats, which could be considered a future research direction.

6. Conclusions and Future Work

CDEs have emerged as critical platforms for enhancing collaboration and data management in the AEC industry, particularly with the increasing adoption of BIM. While CDEs have the potential to secure sensitive project information, insider threats—where authorized users misuse their access privileges—remain a significant concern. These threats, which may involve data theft, modification, or leakage, can result in substantial financial losses, intellectual property theft, and strategic disadvantages for construction companies. In this study, we developed game-theoretic models based on Bayesian games, that is a game of incomplete information, to better understand and predict malicious insider behavior within CDEs. These models account for both static and dynamic interactions between insiders, who may act as either malicious or legitimate, and the data defender. Through the application of these models to two real project scenarios (a high-rise building and a theme park), we demonstrated how different project types and sensitivity levels of information (e.g., structural design files and resource management files) affected the interaction between the insiders and the defender. Our models provided insights into how malicious insiders, driven by various motivations such as financial gain or espionage, might behave in these settings and highlighted the corresponding strategies the defender can adopt to mitigate these threats. The findings of this research offer valuable practical guidance for improving CDE security, especially in high-risk construction projects involving sensitive data. By considering various insider threat scenarios, we provide actionable recommendations for enhancing existing cybersecurity protocols in the AEC industry, particularly in response to insider threats, which are often more difficult to detect than external attacks. As the industry continues to digitize, these insights are crucial for securing sensitive construction data and ensuring the success of collaborative, data-driven projects. The proposed models offer a strategic approach for both mitigating insider threats and supporting the ongoing efforts to bolster cybersecurity in the construction sector.

The growing adoption of large language models (LLMs) in cybersecurity is transforming the field by leveraging their abilities, such as in-context learning, instruction following, and step-by-step reasoning, to address complex challenges [49]. These capabilities enable LLMs to solve downstream tasks, such as cryptographic operations and data protection, without extensive retraining, presenting a novel approach to enhancing cybersecurity systems. Moreover, advancements in prompt engineering have further optimized LLM performance, making them effective tools for mitigating evolving cyber threats [49]. Integrating LLMs with game-theoretic models could unlock new opportunities for designing robust, adaptive cybersecurity solutions that address both external and insider threats within the AEC industry. Therefore, the use of LLMs and generative AI will be investigated in future work.