Game theory is applied in many domains to bring clarity and insight into complex environments and relationships. Cybersecurity can also be viewed as a game, one between attackers and defenders, where the rules continually change. Cybersecurity is not a simple game that ends with a clear victory or defeat. It’s not about winning or losing. It’s an ongoing challenge in which success means continuing to play effectively.  This session explores how game theory, along with familiar games like chess and poker, offers practical and approachable mental models for improving real-world cyber strategy, no doctorate in game theory required. 

Examples will include applying these models to SOC analyst scheduling, privilege rotation, and deception planning to illustrate how theoretical insights translate into daily defensive decisions. 

Game theory will be presented in straightforward language that helps cyber leaders, architects, and managers identify ways to strengthen their programs by: 

Recognizing the difference between making decisions based on “perfect knowledge” versus “imperfect knowledge.” 
Learning new ways to view planning and understand the value of trade-offs. 
Understanding the power of incomplete information and randomness to deceive an opponent. 
Allocating scarce resources across many fronts rather than over-protecting a single crown jewel. 
Applying the concept of stealthy persistence to emphasize the value of continuously renewing or rotating credentials, keys, tokens, systems, and defenses to limit attacker control. 
Implementing structured randomness where it can outperform equal coverage or predictable rotation schedules. 
Understanding why threat-intelligence sharing often fails without proper incentives. 
Building on these models, we’ll also touch on how payoff balance and diminishing returns help leaders assess appropriate levels of cybersecurity staffing and investment—how underfunded defenses create predictable weaknesses, and how right-sized teams are better equipped to sustain the infinite game. 

Attendees will leave with a clearer view of the cyber “meta-game,” enabling them to identify players and payoffs in their own environments and apply these lessons directly within their own cyber arena. The goal is not to “win” cybersecurity—it’s to keep playing smarter. 

 
Learning Objectives 

• Recognize how different game-theory models and familiar games illustrate real-world cyber dynamics.
• Identify attacker and defender payoffs to prioritize controls and resource allocation more strategically.
• Apply structured randomness, deception, and adaptive planning to reduce attacker advantage.
• Relate payoff balance and diminishing returns to real decisions about cybersecurity staffing and investment.