On Game-Theoretic Risk Management (Part Three) - Modeling and Applications

Abstract

The game-theoretic risk management framework put forth in the precursor reports "Towards a Theory of Games with Payoffs that are Probability-Distributions" (arXiv:1506.07368 [q-fin.EC]) and "Algorithms to Compute Nash-Equilibria in Games with Distributions as Payoffs" (arXiv:1511.08591v1 [q-fin.EC]) is herein concluded by discussing how to integrate the previously developed theory into risk management processes. To this end, we discuss how loss models (primarily but not exclusively non-parametric) can be constructed from data. Furthermore, hints are given on how a meaningful game theoretic model can be set up, and how it can be used in various stages of the ISO 27000 risk management process. Examples related to advanced persistent threats and social engineering are given. We conclude by a discussion on the meaning and practical use of (mixed) Nash equilibria equilibria for risk management.