Mapping between Classical Risk Management and Game Theoretical Approaches

  • Lisa Rajbhandari
  • Einar Arthur Snekkenes
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7025)


In a typical classical risk assessment approach, the probabilities are usually guessed and not much guidance is provided on how to get the probabilities right. When coming up with probabilities, people are generally not well calibrated. History may not always be a very good teacher. Hence, in this paper, we explain how game theory can be integrated into classical risk management. Game theory puts emphasis on collecting representative data on how stakeholders assess the values of the outcomes of incidents rather than collecting the likelihood or probability of incident scenarios for future events that may not be stochastic. We describe how it can be mapped and utilized for risk management by relating a game theoretically inspired risk management process to ISO/IEC 27005. This shows how all the steps of classical risk management can be mapped to steps in the game theoretical model, however, some of the game theoretical steps at best have a very limited existence in ISO/IEC 27005.


Game theory Risk management Equilibrium Strategies 


  1. 1.
    Anderson, R., Moore, T.: Information security economics – and beyond. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 68–91. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Campbell, P.L., Stamp, J.E.: A Classification Scheme for Risk Assessment Methods. Sandia National Laboratories, Sandia Report (August 2004)Google Scholar
  3. 3.
    Carin, L., Cybenko, G., Hughes, J.: Quantitative Evaluation of Risk for Investment Efficient Strategies in Cybersecurity: The QuERIES Methodology. Approved for Public Release: AFRL/WS-07-2145 (September 2007)Google Scholar
  4. 4.
    Carin, L., Cybenko, G., Hughes, J.: Cybersecurity Strategies: The QuERIES Methodology. Computer 41, 20–26 (2008)CrossRefGoogle Scholar
  5. 5.
    Cox Jr., L.A.: Game Theory and Risk Analysis. Risk Analysis 29, 1062–1068 (2009)CrossRefGoogle Scholar
  6. 6.
    Hausken, K.: Probabilistic Risk Analysis and Game Theory. Risk Analysis 22(1) (2002)Google Scholar
  7. 7.
    ISACA. The Risk IT Framework (2009),
  8. 8.
    ISO/IEC 27005. Information technology -Security techniques -Information security risk management. International Organization for Standardization, 1st edn. (2008)Google Scholar
  9. 9.
    ISO/IEC Guide 73. Risk management - Vocabulary - Guidelines for use in standards (2002)Google Scholar
  10. 10.
    Jormakka, J., Mölsä, J.V.E.: Modelling Information Warfare as a Game. Journal of Information Warfare 4(2), 12–25 (2005)Google Scholar
  11. 11.
    Liu, P., Zang, W.: Incentive-based modeling and inference of attacker intent, objectives, and strategies. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003, pp. 179–189. ACM, New York (2003)Google Scholar
  12. 12.
    Lund, M.S., Solhaug, B., Stølen, K.: A Guided Tour of the CORAS Method. In: Model-Driven Risk Analysis, pp. 23–43. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  13. 13.
    Rasmusen, E.: Games and information: An introduction to game theory, 4th edn. Blackwell Publishers, Malden (2006)MATHGoogle Scholar
  14. 14.
    Fricker Jr., R.D.: Game theory in an age of terrorism: How can statisticians contribute. Springer, Heidelberg (2006)Google Scholar
  15. 15.
    Ross, D.: Game theory. The Stanford Encyclopedia of Philosophy (2010),
  16. 16.
    Roy, S., Ellis, C., Shiva, S., Dasgupta, D., Shandilya, V., Wu, Q.: A Survey of Game Theory as Applied to Network Security. In: 43rd Hawaii International Conference on System Sciences (HICSS), pp. 1–10 (January 2010)Google Scholar
  17. 17.
    Stoneburner, G., Goguen, A., Feringa, A.: Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30 (July 2002)Google Scholar
  18. 18.
    Taleb, N.N.: The Black Swan: The Impact of the Highly Improbable. Random House Trade Paperbacks, 2nd edn. (May 2010)Google Scholar
  19. 19.
    Vorster, A., Labuschagne, L.: A framework for comparing different information security risk analysis methodologies. In: Proceedings of the 2005 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries, SAICSIT 2005, pp. 95–103. South African Institute for Computer Scientists and Information Technologists (2005)Google Scholar
  20. 20.
    Watson, J.: Strategy: An Introduction to Game Theory, 2nd edn. W. W. Norton & Company, New York (2008)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Lisa Rajbhandari
    • 1
  • Einar Arthur Snekkenes
    • 1
  1. 1.Norwegian Information Security LabGjøvik University CollegeNorway

Personalised recommendations