International Association
for Cryptologic Research

Security assessments are an integral part of organisations\' strategies for protecting their digital assets and critical IT infrastructure.

In this paper we propose a game-theoretic modelling of a particular form of security assessment -- one which addresses the question ``are we compromised?\'\'.

We do so by extending the recently proposed game ``FlipIt\'\', which itself can be used to model the interaction between defenders and attackers under the Advanced Persistent Threat (APT) scenario.

Our extension gives players the option to ``test\'\' the state of the game before making a move. This allows one to study the scenario in which organisations have the option to perform periodic security assessments of such nature, and the benefits they may bring.