Are you game? A bit of GAME THEORY for security

game theory.jpg

Why can’t we just be friends :(

All too often, cyber security and business, they are deemed rivals, same city derby, David and Goliath, vegemite and chocolate.

More often, security gives in to the business for its silver bullets - "risk acceptances", "trivial compensating controls" and "mitigation plans".

Almost certainly, a young budding aspirational security dude/gal, after leaving the ivory tower of security La La Land and going through years of grinding in real business settings, this poor soul would end up in one of two characters.

  1. A cynical, bitter but super technical security SME that CISO keeps to deliver messages he/she doesn't want to deliver and bails out when it is gone too far; some one the business and the rest of IT are trying to avoid at all cost;

  2. A smooth talking, blazer wearing, business-security professional who loves buzz word public speaking, bends rules and cares about the marks on the CV; favoured by the business and the rest of IT but deeply despaired by the security SME from the dark corner.

Well, can't security and business be BFF, comrades, allies, sugar and fat? They can be, in fact, they intrinsically are, in a business setting, if you are game.

Based on game theory, security gain & business outcome is not a zero-sum game, that is, it is not "you win I lose" and no alternatives.

Game Manual


First and foremost, although there may be competing objectives, we need to look at security and business as one entity, that is, swim or sink together.


Take a piece of paper and write down all options in rows, think options such as "going ahead with manual controls", "no can do", "minor or major redesign" etc. Use overlaying columns to represent all participants/stakeholders, e.g., Security, Risk, Project, Business, and use the last column for the Total Payoff.

For each option, give each stakeholder a score and sum them up in the Total Payoff. You can design the scoring system, but there should only be one set of scoring metrics for all participants. For instance, (-1) negative impact, (0) no impact, (1) positive impact from both technical, architectural and reputational viewpoints.


Intuitively, the option of highest payoff is the one. But you may also find that the best option often result in 0s and -1s for security, if you are using my example scoring system.

Well, don't despair. You will still pitch this option to stakeholders, but have a good think of what are your conditions or requests from those stakeholders who got 1s, for your reciprocity and "ability to see the big picture". Lastly, make sure your conditions or requests are recorded and accepted by all stakeholders, so that they are more likely to be honoured after you sign your life away.

Too easy?

This is a genuine question, not the Aussie statement/slang - in case you wonder.

Game Theory is based on assumptions and simplified environment settings. For example, it assumes that all the participants are rational and equally skilled in negotiation - doesn’t sound like describing human beings.

Therefore, to play the game on security well, it is largely depending on, first, to treat it as a “non zero-sum game”; second, pitch the best payoff option in a way that people can’t really object it or they are seen as “not strategic or myopic”; third, spruce up the negotiation skills and ensure the your conditions or requests are impactful ones - don’t waste the hard works to play the game!

Lastly, be bold and creative. Don’t limit the game at "project can't encrypt data at rest but security standard says so" level (micro level), play it at "business wants employees to access apps from anywhere on any devices, what can security do" (macro level).


I remember a CBA GM once asked me “why did you choose security, what do you like about it?” during an interview, and I said “because it is bloody hard. Not because of the technologies, but the people around it, in it and on it”.