2 Related work
Game theory was kicked off in 1944 as a robust field by  and saw application to such national security issues as nuclear deterrence and mutually assured destruction. The essential problems of bargaining and non-cooperative games were laid out by John Nash in the early 1950s [27, 26]. Founded as a branch of mathematics, after the theory acquired conceptual foundations (see [30, 29] for a summary), notions from game theory spread to a number of fields, notably economics (for example ). Some game theorists have also taken influence from other fields, such as evolution and dynamical systems . Some game theory texts are broad, mathematical treatments such as . Useful for the work described in this paper are treatments of non-cooperative games and games of incomplete information, which is included in some of the above but focused in some texts such as [14, 25].
There have been previous efforts to extend game theory into the field of information security;  summarize and categorize the efforts. Game-theoretic models have been proposed for both organization-scale  and single-wireless-node-scale  information security games; both as single-play  and repeated games . As economics intersects game theory it also intersects information security; for a summary of the extensive work on the economics of information security, see .
We heuristically derive our model from case studies and empirical reporting of information-security relevant behavior on the Internet. There are several organizations that report on various aspects of cyber-crime and human behavior, in varying levels of detail, such as [4, 33, 2, 23, 13, 19, 24, 9, 8, 1]. These sources do not generally attempt to derive a general model from the information observed. There is some work in cyber-crime and risk dynamics such as [23, 35] that model criminal behavior, which inform our game theoretic modeling directly.
It seems that all existing applications of game theory to information security force the game to be a two-player game. Some study population dynamics of users and adversaries , which has richer descriptive power, but these retain still only two types of players. These efforts do not seem satisfactory in describing the Internet-scale phenomenon of information security, as reported by the economics, cyber-crime and dynamics literatures. We assert that a primary reason for this shortcoming is that the game cannot be described with fewer than three players.