The Minimax theorem, a key concept in game theory, offers valuable insights for risk and cybersecurity professionals. Originally developed for zero-sum games with perfect information, it also applies to scenarios with imperfect information. The theorem states that in zero-sum games (where one player’s gain is exactly balanced by the other’s loss), each player can choose a strategy to minimise their maximum possible loss — known as the minimax strategy. This approach limits worst-case losses, even against an optimal adversary. While cybersecurity scenarios aren’t always perfectly zero-sum, the analogy is useful because a defender’s loss (a successful attack) is often the attacker’s gain.

In risk and cybersecurity, the minimax principle guides the development of strong defensive strategies. By assuming an attacker will act to maximise damage, security teams can prioritise resources to address the most critical vulnerabilities. This worst-case, loss-focused approach strengthens decision-making under uncertainty, enhancing resilience against sophisticated or unexpected threats. It’s important to note that both attackers and defenders often operate with imperfect information, meaning neither side has complete knowledge of the other’s capabilities and vulnerabilities.

In Plain English? Prepare for the worst, focusing on vulnerabilities that could cause catastrophic harm if exploited. Some threats may seem unlikely, but if their impact is existential, they demand protection.

The minimax algorithm in 3 minutes

Further reading

  • Golden Rules - Great Theories of 20th-Century Mathematics, by John Casti
  • Minimax theorem
  • Zero-sum game
  • Game theory
  • Greedy algorithms
  • Uniform-cost