Over the last year I’ve started reviewing game theory in more depth, looking for some models I can use to understand system management (vis a vis risk) better. Game theory is one of the more interesting branches of economics for me, but I don’t actually have a great intuition for it yet (I really have to work at absorbing the material). Since it doesn’t come super-naturally to me, I’m particularly proud of the presentation I gave at SOURCE Boston last year: Games We Play: Defenses and Disincentives (description here). Luckily, there is a good video of the presentation, because when I wanted to expand out the presentation a few months later, my notes were totally undecipherable. 🙂

BruCon 2012 -- A Million Mousetraps: Using Big Data and Little Loops to Build Better Defenses

Yes, that is a Pringles can sharing the podium with me. Photo credit (and Pringles credit) go to @attritionorg.

Since I am still a proponent of applied risk analytics (as in my talk at BruCon this year: A Million Mousetraps: Using Big Data and Little Loops to Build Better Defenses (description here)), I’ll never be able to escape behaviorally-driven defenses, but even with the power of big data behind us it feels like we defenders often find ourselves playing the wrong game. I don’t disagree the deck might be stacked against us, but we might be able to at least take control of the game board a little better.

Essentially — I am interested in how we might be able to adjust incentives in order to improve risk reduction, whether from a fraud, security, or general operational dynamics perspective. Fraud reduction typically considers incentives and system design rather vaguely (not in a systematic way, except maybe in the case of authentication), and instead relies almost exclusively on behavioralist approaches (as typified by the complex predictive models launched looking for patterns in real time). I have been wondering for a while if we can “change the game” and get improved results.

More on that to come. As I’ve learned more and had a few more months to consider how game theoretic models can be used to explain certain tendencies/behaviors/trends in risk/infosec, I’ve found a lot more tools/theorems that can be applied. And of course research being done in the intersection of behavioral economics and game theory is yielding additional material. (So little time, so many research papers.) I’m going to try and weave some of this together and will be attempting a second presentation on the topic at SOURCE this year; hopefully it will be similarly well-received.

So, in case you’re interested, here are a few of the better books I’ve read on the topic:

Rock Paper Scissors: Game Theory in Everyday Life, by Len Fisher — this book is kind of a pop-econ review of some of the primary concepts in game theory.

Game Theory for Applied Economists, by Robert Gibbons — this text is very academic and has been a good survey/reference.

Game Theory Evolving: A Problem-Centered Introduction to Modeling Strategic Interaction, by Herbert Gintis — I love this book! But it is extremely math-y, meaning the concepts are all described in mathematical nomenclature and then the reader is given problems that can be solved by applying the math. I desperately want to absorb this book but it’s going to take me a while, and I probably will need to enlist a tutor (hello any Stanford grad students reading this, I will totally buy you coffee to make this happen).

And of course I spent so much time on Wikipedia’s Game Theory section that I finally decided to donate.

Under Creative Commons License: Attribution