Risk Assessment Uncertainties in Cybersecurity Investments

Institute for Security Science and Technology, Imperial College London, London SW7 2AZ, UK
Center for Digital Safety & Security, Austrian Institute of Technology, 1210 Vienna, Austria
Surrey Centre for Cyber Security, University of Surrey, Guildford, Surrey GU2 7XH, UK
System Security Group, Institute of Applied Informatics, Universität Klagenfurt, 9020 Klagenfurt, Austria
Author to whom correspondence should be addressed.
Games 2018, 9(2), 34
Received: 11 May 2018 / Revised: 3 June 2018 / Accepted: 6 June 2018 / Published: 9 June 2018
(This article belongs to the Special Issue Game Models for Cyber-Physical Infrastructures)
When undertaking cybersecurity risk assessments, it is important to be able to assign numeric values to metrics to compute the final expected loss that represents the risk that an organization is exposed to due to cyber threats. Even if risk assessment is motivated by real-world observations and data, there is always a high chance of assigning inaccurate values due to different uncertainties involved (e.g., evolving threat landscape, human errors) and the natural difficulty of quantifying risk. Existing models empower organizations to compute optimal cybersecurity strategies given their financial constraints, i.e., available cybersecurity budget. Further, a general game-theoretic model with uncertain payoffs (probability-distribution-valued payoffs) shows that such uncertainty can be incorporated in the game-theoretic model by allowing payoffs to be random. This paper extends previous work in the field to tackle uncertainties in risk assessment that affect cybersecurity investments. The findings from simulated examples indicate that although uncertainties in cybersecurity risk assessment lead, on average, to different cybersecurity strategies, they do not play a significant role in the final expected loss of the organization when utilising a game-theoretic model and methodology to derive these strategies. The model determines robust defending strategies even when knowledge regarding risk assessment values is not accurate. As a result, it is possible to show that the cybersecurity investments’ tool is capable of providing effective decision support.
Keywords: risk assessment; cybersecurity investments; game theory
MDPI and ACS Style

Fielder, A.; König, S.; Panaousis, E.; Schauer, S.; Rass, S. Risk Assessment Uncertainties in Cybersecurity Investments. Games 2018, 9, 34.

Chicago/Turabian Style

Fielder, Andrew, Sandra König, Emmanouil Panaousis, Stefan Schauer, and Stefan Rass. 2018. "Risk Assessment Uncertainties in Cybersecurity Investments" Games 9, no. 2: 34.
