Risk Assessment Uncertainties in Cybersecurity Investments

Institute for Security Science and Technology, Imperial College London, London SW7 2AZ, UK
Center for Digital Safety & Security, Austrian Institute of Technology, 1210 Vienna, Austria
Surrey Centre for Cyber Security, University of Surrey, Guildford, Surrey GU2 7XH, UK
System Security Group, Institute of Applied Informatics, Universität Klagenfurt, 9020 Klagenfurt, Austria
Author to whom correspondence should be addressed.
Games 2018, 9(2), 34;
Received: 11 May 2018 / Revised: 3 June 2018 / Accepted: 6 June 2018 / Published: 9 June 2018
(This article belongs to the Special Issue Game Models for Cyber-Physical Infrastructures)

When undertaking cybersecurity risk assessments, it is important to be able to assign numeric values to metrics to compute the final expected loss that represents the risk that an organization is exposed to due to cyber threats. Even if risk assessment is motivated by real-world observations and data, there is always a high chance of assigning inaccurate values due to different uncertainties involved (e.g., evolving threat landscape, human errors) and the natural difficulty of quantifying risk. Existing models empower organizations to compute optimal cybersecurity strategies given their financial constraints, i.e., available cybersecurity budget. Further, a general game-theoretic model with uncertain payoffs (probability-distribution-valued payoffs) shows that such uncertainty can be incorporated in the game-theoretic model by allowing payoffs to be random. This paper extends previous work in the field to tackle uncertainties in risk assessment that affect cybersecurity investments. The findings from simulated examples indicate that although uncertainties in cybersecurity risk assessment lead, on average, to different cybersecurity strategies, they do not play a significant role in the final expected loss of the organization when utilising a game-theoretic model and methodology to derive these strategies. The model determines robust defending strategies even when knowledge regarding risk assessment values is not accurate. As a result, it is possible to show that the cybersecurity investments’ tool is capable of providing effective decision support.
Keywords: risk assessment; cybersecurity investments; game theory
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).

MDPI and ACS Style

Fielder, A.; König, S.; Panaousis, E.; Schauer, S.; Rass, S. Risk Assessment Uncertainties in Cybersecurity Investments. Games 2018, 9, 34.

Games EISSN 2073-4336, published by MDPI AG, Basel, Switzerland