One of my colleagues is working with a bunch of crazy-smart people at RSA Labs to explore how attacker-defender games can be used to help model behaviors and outcomes in the cyber defense realm. Notice how I am not saying “Information Security.” I know a lot of you hate the term “cyber,” but in this case it is a more accurate usage of what these games really teach us about.

The Art of War, by kainet

Check out this latest blog by Bob Griffin. In it, he discusses how game theory is making its way into the information security mainstream, starting with several presentations at RSA Europe 2012 (and next week at GameSec in Budapest). The FlipIt game that these guys created is quite groundbreaking, and we are learning a great deal, through mathematical proofs, about what good defensive strategies can look like. I will be referring to this paper briefly tomorrow at BSidesDFW, and hope to discuss it in more detail in one of my sessions at RSA US 2013 (pending selection, of course).

While the paper tests strategies as they relate to password rotation (one of any number of levers that policy makers can pull), the concept is widely applicable to a number of information security constructs. The gist of most of what you can read there (although you really should go read the paper) is that defenders can get ahead by making the game too costly to play for the payoff an attacker can expect. Thus, the attacker moves somewhere else. It’s much more than avoiding being the last guy out of the campground when bears attack, so don’t fall into the trap of equating the two. It’s more about being the most unpredictable vacator of the campground.
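To make the "unpredictable vacator" point concrete, here is a small discrete-time simulation of a FlipIt-style game. It is an added illustration written for this post, not code from the FlipIt paper or from Bob Griffin; the step size, period, move cost, seed, and the assumption that the attacker has learned the defender's rotation schedule (and so moves one step after each expected rotation) are all constructed for the example. Each player's payoff is the fraction of time it controls the resource minus its per-move cost, which is the shape of payoff the game uses. A defender who rotates on a fixed schedule hands control back almost immediately; one who rotates at randomized intervals with the same average cost keeps control for a larger share of the time and lowers the per-move cost at which the attacker's net payoff turns negative, which is the point at which playing stops being worth it to the attacker.

```python
import random


def periodic_moves(period, phase, horizon):
    """Predictable schedule: move at phase, phase+period, ... (e.g. rotate every N days)."""
    return list(range(phase, horizon, period))


def randomized_moves(mean_gap, horizon, seed):
    """Unpredictable schedule: gaps drawn from an exponential distribution with the same
    mean as the periodic schedule, rounded to whole steps (at least 1). Seeded so the run
    is reproducible; the seed value is an assumption of this example."""
    rng = random.Random(seed)
    t, moves = 0, []
    while True:
        t += max(1, round(rng.expovariate(1.0 / mean_gap)))
        if t >= horizon:
            return moves
        moves.append(t)


def play_flipit(defender_moves, attacker_moves, horizon, move_cost):
    """Simulate the game over `horizon` steps. The defender starts in control. A move at
    step t takes control at step t; if both move in the same step the attacker's move is
    applied last (worst case for the defender, an assumption of this simplified model)."""
    d_moves, a_moves = set(defender_moves), set(attacker_moves)
    owner = "defender"
    d_time = 0
    for t in range(horizon):
        if t in d_moves:
            owner = "defender"
        if t in a_moves:
            owner = "attacker"
        if owner == "defender":
            d_time += 1
    a_time = horizon - d_time
    d_control, a_control = d_time / horizon, a_time / horizon
    return {
        "defender_control": d_control,
        "attacker_control": a_control,
        "defender_moves": len(d_moves),
        "attacker_moves": len(a_moves),
        # payoff = share of time in control minus total move spend, normalised per step
        "defender_payoff": d_control - move_cost * len(d_moves) / horizon,
        "attacker_payoff": a_control - move_cost * len(a_moves) / horizon,
        # per-move cost at which the attacker's payoff would drop to zero
        "attacker_breakeven_cost": (a_control * horizon / len(a_moves)) if a_moves else float("inf"),
    }


def compare_strategies(horizon=1000, period=10, move_cost=2.0, seed=7):
    """Same attacker against a periodic and a randomized defender (constructed parameters).
    The attacker is assumed to have learned the rotation period and moves one step after
    each expected rotation."""
    attacker = periodic_moves(period, 1, horizon)
    return {
        "periodic_defender": play_flipit(periodic_moves(period, 0, horizon), attacker, horizon, move_cost),
        "randomized_defender": play_flipit(randomized_moves(period, horizon, seed), attacker, horizon, move_cost),
    }


if __name__ == "__main__":
    for name, result in compare_strategies().items():
        print(name, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in result.items()})
```

With the default parameters the periodic defender controls the resource exactly one step in ten (it rotates, the attacker retakes control on the next step), while the randomized defender's control fraction is markedly higher against the same attacker, and the attacker's break-even move cost is correspondingly lower. The numbers are illustrative; what carries over to real policy is the shape of the result, not the specific values.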

If you are in Europe, go catch Bob’s session at GameSec next week. If not, stay tuned to the conference circuit for a live version soon!

This post originally appeared on
