The game as proposed indicates some useful ways to think about the true nature of the real-world situation. The fact that the interaction between the rogue and the user is non-zero-sum is critical. This fact is due to the nature of digital resources — they are not truly rivalrous. Thus, there may be a strategy in which the rogue benefits and the user has negligible losses. In this case, the architect could not expect to impose constraints on the user to prevent the rogue’s gains. The user’s payoff may well be higher by not accepting such constraints. This situation helps explain the general difficulty the security community experiences with getting users to heed their warnings, for example.
The assertion that the game of network and Internet security is (at least) a three-person game is noteworthy. The game as described cannot be reduced to two players by putting two of the three players in a coalition. The facts of the Internet ecosystem prevent genuine coalitions in practice, and many interests of the parties do not align even in principle. Since the game has three players, a straightforward calculation of a globally-optimal strategy is not possible.
The game description also provides some practical guidance for policy and decision making. For example, if the payoff matrix is affected by the size of the rogue’s infrastructure, and negotiations with the user community are stalled, then the architect’s efforts would be best targeted at removing key elements of the criminal infrastructure. The game description may also be able to highlight certain areas that can only be solved politically as Internet governance issues, and so on.
The fact that each player has imperfect information, and that each player has different information about the game, is also a key point. Internet security is not chess, in which each player knows all the moves the other player makes — chess is a game of perfect information. In chess, if one could enumerate the strategy space, then one could select the globally-optimal strategy. Internet security should not be modeled as such a game, as the Internet does not function as a system with perfect information. Operational security cannot, in principle, hope to find a globally-optimal strategy.