Auth & Access · Axiom · AXM-004

Game Theory — Adversaries, Incentives, and Equilibria

SQL injection is a game. The developer chose a strategy. The attacker chose a better one.

Timeless · Mathematics · 11 min read

Origin

John von Neumann and Oskar Morgenstern, Theory of Games and Economic Behavior, 1944. Extended by John Nash (equilibrium, 1950), Thomas Schelling (focal points, 1960), and decades of economics, political science, and evolutionary biology.

The Principle

Game theory studies strategic interactions between rational agents. Each agent chooses a strategy. Each strategy produces a payoff that depends on the strategies chosen by all other agents. The key insight is that the optimal strategy for any one player depends on what the other players do.

Security is a game. The defender chooses a strategy (input validation, encryption, access control). The attacker chooses a strategy (injection, brute force, social engineering). The outcome depends on both choices. Neither player acts in isolation. Every security decision is a strategic interaction, and every vulnerability is a game-theoretic failure — a strategy that was locally rational for the defender but globally exploitable by the attacker.

Why This Is Bedrock

Software security cannot be understood without understanding incentives. The question is never "is this code secure?" The question is: "given the incentive structure of every actor in this system — developers, managers, attackers, users, regulators — what strategies will they choose, and what equilibrium will result?" Every disaster exhibit upstairs is the answer to that question for a specific system.
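The Principle says that each player's best choice depends on what the other player does, and this section says the incentive structure decides which equilibrium results. The following is an added example, not part of the exhibit: a constructed two-by-two game between a defender choosing between parameterized queries and string concatenation and an attacker choosing whether to spend effort on an injection attempt. The payoff numbers (implementation cost, breach loss, attack cost, attack gain) are illustrative assumptions, and the equilibrium routines are generic textbook best-response and indifference calculations rather than anything the page prescribes.

```python
from fractions import Fraction
from itertools import product

# Constructed game (assumption, not from the exhibit): rows are defender
# strategies, columns are attacker strategies, cells hold
# (defender payoff, attacker payoff).
DEFENDER = ("parameterize", "concatenate")
ATTACKER = ("inject", "abstain")


def make_game(param_cost=1, breach_loss=10, attack_cost=2, attack_gain=5):
    """Build the payoff table. All four numbers are illustrative assumptions."""
    return {
        ("parameterize", "inject"):  (-param_cost, -attack_cost),  # attack fails, effort wasted
        ("parameterize", "abstain"): (-param_cost, 0),             # defender paid, nothing happened
        ("concatenate", "inject"):   (-breach_loss, attack_gain),  # breach
        ("concatenate", "abstain"):  (0, 0),                       # the locally cheapest row
    }


def best_response(payoffs, rows, cols, who):
    """Best-response map.  who=0: for each attacker column, the defender rows that
    maximize the defender payoff.  who=1: for each defender row, the attacker
    columns that maximize the attacker payoff."""
    br = {}
    if who == 0:
        for c in cols:
            best = max(payoffs[(r, c)][0] for r in rows)
            br[c] = {r for r in rows if payoffs[(r, c)][0] == best}
    else:
        for r in rows:
            best = max(payoffs[(r, c)][1] for c in cols)
            br[r] = {c for c in cols if payoffs[(r, c)][1] == best}
    return br


def pure_nash(payoffs, rows=DEFENDER, cols=ATTACKER):
    """Pure-strategy equilibria: pairs where each side is best-responding to the other."""
    d_br = best_response(payoffs, rows, cols, 0)
    a_br = best_response(payoffs, rows, cols, 1)
    return [(r, c) for r, c in product(rows, cols) if r in d_br[c] and c in a_br[r]]


def mixed_nash_2x2(payoffs, rows=DEFENDER, cols=ATTACKER):
    """Mixed equilibrium of a 2x2 game by the indifference principle.
    p = P(defender plays rows[0]) is set so the attacker is indifferent between
    columns; q = P(attacker plays cols[0]) is set so the defender is indifferent
    between rows.  Returns None when the game is degenerate or the solution is
    outside [0, 1] (then only pure equilibria exist)."""
    (r1, r2), (c1, c2) = rows, cols
    D = {k: Fraction(v[0]) for k, v in payoffs.items()}  # defender payoffs
    A = {k: Fraction(v[1]) for k, v in payoffs.items()}  # attacker payoffs
    den_p = A[r1, c1] - A[r2, c1] - A[r1, c2] + A[r2, c2]
    den_q = D[r1, c1] - D[r1, c2] - D[r2, c1] + D[r2, c2]
    if den_p == 0 or den_q == 0:
        return None
    p = (A[r2, c2] - A[r2, c1]) / den_p
    q = (D[r2, c2] - D[r1, c2]) / den_q
    if not (0 <= p <= 1 and 0 <= q <= 1):
        return None
    return p, q


if __name__ == "__main__":
    game = make_game()
    print("attacker best responses:", best_response(game, DEFENDER, ATTACKER, 1))
    print("pure equilibria:", pure_nash(game))             # [] : every choice invites a counter
    print("mixed equilibrium (p, q):", mixed_nash_2x2(game))  # (5/7, 1/10)
    cheap = make_game(param_cost=0)                         # secure option costs nothing extra
    print("pure equilibria with a free secure default:", pure_nash(cheap))
```

With the assumed numbers there is no pure equilibrium: concatenation is the defender's best response when nobody attacks, injection is the attacker's best response to concatenation, parameterization is the defender's best response to injection, and abstaining is the attacker's best response to parameterization. That cycle is the "locally rational but globally exploitable" failure the Principle describes, and the only stable outcome is a mixed one in which the defender parameterizes five sevenths of the time and the attacker probes one tenth of the time. Setting the implementation cost of the secure option to zero (a framework that parameterizes by default, in the page's terms the easiest path) changes the equilibrium rather than the players: parameterization becomes weakly dominant, the attacker's best response is to abstain, and (parameterize, abstain) is a pure equilibrium. Changing the incentive is what moves the equilibrium, which is the point of this section.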

Archaeologist's Note

This pattern has been found in applications built by talented developers at respected organizations across every decade of software history. Its presence in a codebase is not a reflection of the developer who wrote it — it is a reflection of what that developer was taught, what tools they had, and the path that was easiest given what they were taught. The goal is not to find fault. The goal is to find the pattern — before it finds you.

Katie's Law: The developers were not wrong. The shortcut was not wrong. The context changed and the shortcut didn't.
