A Game-Theoretic Approach for Quantification of Strategic Behaviors in Digital Forensic Readiness

Abstract

Small and Medium-sized Enterprises (SMEs) face disproportionately high risks from Advanced Persistent Threats (APTs), which often evade traditional cybersecurity measures. Existing frameworks catalogue adversary tactics and defensive solutions but provide limited quantitative guidance for allocating limited resources under uncertainty, a challenge amplified by the growing use of AI in both offensive operations and digital forensics. This paper proposes a game-theoretic model for improving digital forensic readiness (DFR) in SMEs. The approach integrates the MITRE ATT&CK and D3FEND frameworks to map APT behaviors to defensive countermeasures and defines 32 custom DFR metrics, weighted using the Analytic Hierarchy Process (AHP), to derive utility functions for both attackers and defenders. The main analysis considers a non-zero-sum attacker–defender bimatrix game and yields a single Nash equilibrium in which the attacker concentrates on Impact-oriented tactics and the defender on Detect-focused controls. In a synthetic calibration across ten organizational profiles, the framework achieves a median readiness improvement of 18.0% (95% confidence interval: 16.3% to 19.7%) relative to pre-framework baselines, with targeted improvements in logging and forensic preservation typically reducing key attacker utility components by around 15–30%. A zero-sum variant of the game is also analyzed as a robustness check and exhibits consistent tactical themes, but all policy conclusions are drawn from the empirical non-zero-sum model. Despite relying on expert-driven AHP weights and synthetic profiles, the framework offers SMEs actionable, equilibrium-informed guidance for strengthening forensic preparedness against advanced cyber threats.

1. Introduction

Digital forensic readiness (DFR) enables organizations to proactively collect and preserve admissible digital evidence, reducing legal risks and supporting business continuity. It is particularly valuable for Small and Medium-sized Businesses and Enterprises (SMBs/SMEs)—encompassing both the commercial/business context (SMB) and the broader organizational/industrial context (SME)—which often face resource constraints in cybersecurity operations. A robust DFR strategy ensures that significant cyber incidents can be addressed efficiently, lawfully, and professionally, conserving investigative resources, reducing costs, protecting organizational reputation, and maintaining compliance with applicable regulations.

Despite heavy investment in Computer Security Incident Response Teams (CSIRTs), digital forensics and incident response (DFIR) units, and advanced monitoring technologies—such as EDR, XDR, NDR, SIEM, and IDPS—organizations still struggle to achieve effective incident detection and response. Such limitations become especially pronounced against Advanced Persistent Threats (APTs), which are sophisticated, well-funded actors conducting prolonged cyber campaigns. APTs are stealthy, long-term cyberattacks by unauthorized entities to remain undetected in networks [1,2]. Recent threat intelligence reports indicate that, while global median dwell time has decreased to 11 days, this metric rises significantly when organizations rely on external notifications (median 26 days), highlighting the importance of internal detection capabilities [3]. Data breaches impose severe financial consequences on organizations; the global average cost reached USD 4.44 million in 2025, with financial sector breaches averaging USD 6.08 million [4,5]. Historical data suggest that cyber incidents can have devastating impacts on small enterprises, with earlier studies indicating that a substantial portion may face severe operational disruptions following major breaches [6]. For example, Baker [7] notes that, in the SolarWinds incident, threats persisted within networks for prolonged periods without detection.

The rapid proliferation of artificial intelligence (AI) has further complicated this landscape. AI-driven tools empower attackers with advanced automation, adaptive tactics, and the ability to launch more sophisticated and targeted attacks, thereby increasing the potency of APTs. Conversely, while AI offers defenders enhanced capabilities for faster and more accurate detection, it also introduces unprecedented forensic challenges. These include the complexity of analyzing AI-generated attacks, the potential for AI-based evidence manipulation, and the need for new techniques to handle AI-related incidents. For SMBs, these challenges are particularly acute due to resource constraints. These technical challenges are compounded by the broader organizational struggle to effectively govern AI systems and mitigate associated risks, a problem highlighted in recent literature [8].

Organizations often perceive this issue as primarily technical in nature. However, this challenge fundamentally encompasses the interplay of technology, human expertise, and processes. Without skilled personnel and planning, even the most advanced technology stack may fail against determined assailants. Situations where inadequate DFR hinders effective cyber security incident investigations—often due to poor data retention, ineffective log management, or compromised digital evidence integrity—exemplify what we term non-forensicability (see Section 5.1 for a detailed discussion). Wrightson [9] emphasizes that understanding an attacker’s motivations and capabilities, as well as knowing their past actions, helps investigators categorize and respond to diverse cyber threats.

Digital forensic investigators must know both defense and offense strategies, preempt emerging attack techniques, and collaborate closely with defense teams. Årnes [10] characterizes digital forensics, as a sub-discipline of forensic science, as encompassing scientifically validated methods for the management of digital evidence. These methods are essential for reconstructing criminal incidents or anticipating unauthorized activities.

To address the need for a formal strategic framework for DFR, we propose a game-theoretic approach to model the strategic interactions between cyber attackers and defenders. This approach helps organizations anticipate threats, optimize defense strategies, and make more informed decisions. We focus on the strategic behavior in digital forensics, drawing from Sun Tzu’s wisdom in The Art of War, which emphasizes the importance of understanding both one’s own abilities and the opponent’s strengths and strategies. As Tzu [11] states, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. You will succumb in every battle if you know neither the enemy nor yourself.” This highlights the importance of knowing the adversary’s motivations, methods, and goals, as well as the capabilities and limitations of one’s own tools and techniques.

Inspired by Sun Tzu’s philosophy, our game-theoretic model operationalizes this wisdom by quantifying how knowledge asymmetries between attacker and defender impact forensic readiness. We operationalize “know the enemy” via 16 attacker utilities and “know yourself” via 16 defender metrics that quantify organizational capabilities that model adversary behaviors. These 32 metrics are linked through an explicit ATT&CK↔D3FEND coupling $\Gamma$ that yields measurable forensic readiness improvements and richer post-incident evidence. We formalize three strategic states: comprehensive knowledge (targeted defense), partial knowledge (vulnerable defense), and ignorance (minimal resilience). This approach is especially important in the AI era, where modeling emerging AI-powered attack surfaces and their forensic implications becomes essential for building resilient systems. Game theory provides a mathematical foundation for analyzing strategic interactions among rational decision-makers [12]. Its application in cybersecurity is growing, as it offers a structured approach to the following:

• Model Strategic Decisions: Capture the objectives and constraints of both attackers and defenders [13].
• Conduct Risk Analysis: Elucidate payoffs and tactics to identify critical vulnerabilities and optimal defensive strategies [14].
• Enable Adaptive Defense: Capture the dynamic nature of cyber threats, including those augmented by AI, to inform adaptive countermeasures [15].
• Optimize Resource Allocation: Evaluate strategy effectiveness to guide efficient investment of limited defensive resources [16].

To operationalize this game-theoretic approach, our methodology is grounded in established cybersecurity standards and formal decision-making processes. We build upon best practices from the National Institute of Standards and Technology (NIST) for metric development and forensic readiness [17]. Specifically, we integrate the MITRE ATT&CK framework to systematically model adversary behaviors and the complementary MITRE D3FEND framework to map defensive countermeasures. This integration provides a standardized taxonomy that bridges attacker tactics with defender responses. Based on these frameworks, we define 32 custom DFR metrics, weighted using the Analytic Hierarchy Process (AHP), to compute quantifiable utility functions for both attackers and defenders. This addresses a critical gap in the field: the absence of quantifiable payoffs in strategic DFR planning. Furthermore, we present an end-to-end algorithmic suite for scoring, classification, and gap analysis, moving beyond fragmented assessments towards a holistic readiness model.

This paper makes the following key contributions:

• A game-theoretic readiness-planning framework for DFR that quantifies strategic attacker–defender interactions.
• A practical integration of MITRE ATT&CK and D3FEND with AHP-weighted metrics to ground utilities in real-world tactics and techniques.
• An equilibrium-based analysis that derives actionable, resource-constrained guidance for SMBs/SMEs.
• An empirical evaluation on APT-inspired, multi-vector scenarios showing that the framework can improve readiness and reduce attacker success under realistic constraints.

The remainder of this paper is structured as follows: Section 2 reviews the related works in digital forensics investigation and readiness. Section 3 describes our game-theoretic approach and algorithms for DFR. Section 4 presents our experimental analysis and results. Section 5 concludes with our findings and future work.

2. Related Works

Enhancing cybersecurity and digital forensics has spurred a plethora of studies. These foundational works span technical defenses, strategic modeling, and simulation of cyber interactions. While appreciating their contributions, we identify areas for further exploration.

2.1. Game Theory in Digital Forensics

Alpcan et al. [18] provided a foundational contribution to the field of network security by presenting theoretical approaches for decision making in security from a game-theoretic perspective. Their work serves as a valuable reference not only for researchers and graduate students but also for practitioners such as system administrators and security officers seeking to apply quantitative models grounded in control, optimization, and decision theory. Casey [19] established the conceptual foundation for incorporating game theory into digital forensics, contextualizing how strategic analysis can enhance forensic practices.

Manshaei et al. [20] offered a comprehensive overview of game-theoretic methods in network security and privacy, highlighting their capability to model strategic interactions in complex adversarial environments. Their study provided in-depth insights into how game theory can strengthen computer and communication network security across multiple layers, including physical and MAC layers, self-organizing networks, intrusion detection systems, anonymity and privacy mechanisms, network security economics, and cryptography. The authors summarized key concepts such as equilibrium analysis and mechanism design, emphasizing the significance of addressing information limitations and learning factors in developing effective security solutions.

Several subsequent studies have built on this foundation to explore game-theoretic applications in digital forensics. Nisioti et al. [21] presented a Bayesian game model for analyzing interactions between a forensic investigator and a strategic attacker on a multi-host forensic investigation graph. Hasanabadi et al. [22] developed a model representing attacker–investigator dynamics involving rootkits and anti-rootkits, defining each player’s actions and profiling their characteristics. Extending these ideas, Karabiyik et al. [23] proposed a game-theoretic approach to optimize tool selection in digital forensics, particularly focusing on file carving tools and the strategic adaptation of selection decisions during investigations. Hasanabadi et al. [24] later introduced a memory-based mechanism to expand action spaces within forensic game models, reducing convergence iterations when new anti-forensic or counter-anti-forensic tools emerge. Caporusso et al. [25] further analyzed post-attack decision dynamics in human-controlled ransomware scenarios, modeling negotiation strategies and emphasizing the role of information availability, user education, and human factors in developing resilient defensive responses.

2.2. Digital Forensics Readiness and Techniques

Kebande et al. [26] introduced a technique for implementing DFR in cloud computing environments through a modified obfuscated Non-Malicious Botnet (NMB). Operating as a distributed forensic Agent-Based Solution (ABS), this method enables forensic logging for readiness purposes across cloud infrastructures. In a related effort, Kebande et al. [27] proposed the construction of a Digital Forensic Readiness Intelligence Repository (DFRIR) founded on knowledge-sharing principles. The repository cross-references potential evidence sources, aims to reduce the time required for forensic investigations, and supports sharing across multiple jurisdictions.

Englbrecht et al. [28] developed a DFR-specific Capability Maturity Model (CMM) to guide organizations in implementing readiness measures. The framework draws on COBIT 5 IT-Governance principles and incorporates the core characteristics necessary for effective DFR implementation. Reddy et al. [29] built a Digital Forensic Readiness Management System (DFRMS) tailored for large organizations. Based on requirements identified through a comprehensive literature review, the DFRMS architecture comprises five modules: event analysis, DFR information management, costing, access control, and user interface. A proof-of-concept prototype demonstrated the system’s practical feasibility and its potential to improve readiness in enterprise contexts.

Grobler et al. [30] positioned DFR as a means to strengthen organizational security strategies by preparing for incidents while minimizing disruptions to business processes. Their guidelines emphasize ensuring legal admissibility of evidence, detecting resource misuse, and demonstrating due diligence in protecting valuable company assets. The authors contend that revisions to current information systems architectures, strategies, and best practices are needed to enable successful prosecutions, pointing to deficiencies in admissible evidence and procedural rigor. Lakhdhar et al. [31] proposed a game-theoretic model for forensic-ready systems utilizing cognitive security concepts; however, this work lacks practical tools applicable to SMBs/SMEs.

Elyas et al. [32] designed and validated a DFR framework through expert focus groups. The framework assists organizations in assessing their forensic strategies by identifying critical factors in capacity development. It categorizes governance, top management support, and culture as organizational dimensions, while technology and architecture are grouped under forensic infrastructure. Baiquni and Amiruddin [33] applied the Digital Forensic Readiness Index (DiFRI) to quantitatively evaluate a cyber organization’s operational readiness, offering tailored improvement recommendations. Although informative, this methodology does not address strategic adversary behavior or optimal resource allocation—gaps targeted by our proposed game-theoretic approach.

Complementing DFR frameworks with an SME-focused perspective, Rawindaran et al. [34] introduce an enhanced ROHAN model integrated with the Cyber Guardian Framework (CGF) to improve cybersecurity resilience in resource-constrained organizations. Their mixed-method study emphasizes role-specific awareness, continuous improvement, and the use of AI-enabled decision support—principles aligned with readiness thinking. However, while ROHAN+CGF advance organizational practice, they do not explicitly model adversarial strategy or attacker–defender interdependence; our game-theoretic formulation targets precisely this gap by coupling readiness with strategic behavior and optimal resource allocation.

Trenwith et al. [35] advocated centralized logging as a cornerstone of effective DFR, enabling rapid acquisition of evidential data and accelerated investigative analysis. While centralized log management streamlines evidence collection, it does not account for the diverse evidence types necessary in investigations, particularly within cloud environments. Cloud systems present additional challenges due to the dynamic and distributed nature of data storage and processing, which demand solutions beyond efficient logging.

In the context of microservice architectures, Monteiro et al. [36] proposed “Adaptive Observability,” a game theory-driven method designed to address evidence challenges in ephemeral environments where traditional observability mechanisms fail after container termination. By dynamically adjusting observability based on user–service interactions, the approach enhances evidence retention while optimizing resource consumption. Comparative evaluations show performance improvements ranging from 3.1 % to 42.50 % over conventional techniques. The authors suggest future work should incorporate varying attacker risk preferences and extend into industrial case studies, with additional metrics covering cost-effectiveness and scalability.

2.3. Advancement in Cybersecurity Modeling

Xiong et al. [37] developed a threat modeling language for enterprise security based on the MITRE Enterprise ATT&CK Matrix and implemented using the Meta Attack Language framework. This language enables the simulation of cyberattacks on modeled system instances to analyze security configurations and assess potential architectural modifications aimed at improving system resilience.

Wang et al. [38] proposed a sequential Defend–Attack framework that integrates adversarial risk analysis. Their approach introduces a new class of influence diagram algorithms, termed hybrid Bayesian network inference, to identify optimal defensive strategies under adversarial conditions. This model enhances understanding of the interdependent decision processes between attackers and defenders in dynamic threat environments.

Usman et al. [39] presented a hybrid methodology for IP reputation prediction and zero-day attack categorization that fuses Dynamic Malware Analysis, Cyber Threat Intelligence, Machine Learning, and Data Forensics. This integrated system simultaneously evaluates severity, risk score, confidence, and threat lifespan using machine learning techniques, illustrating how data-driven analytics can support forensic and security objectives. The study also highlights persistent data forensic challenges when automating classification and reputation modeling for emerging cyber threats.

2.4. Innovative Tools and Methodologies

Li et al. [40] introduced LEChain, a blockchain-based lawful evidence management scheme for digital forensics designed to address security and privacy concerns often overlooked in cloud computing and blockchain-based evidence management. LEChain implements fine-grained access control through ciphertext-policy attribute-based encryption and employs brief randomizable signatures to protect witness privacy during evidence collection.

Soltani and Seno [41] presented a Software Signature Detection Engine (SSDE) for digital forensic triage. The SSDE architecture comprises two subsystems: signature construction and signature detection. Signatures are generated using a differential analysis model that compares file system states before and after execution of specific software. Their study evaluates multiple design parameters, resulting in the creation and assessment of 576 distinct SSDE models.

At the storage–firmware boundary, Rother and Chen [42] present ACRecovery, a flash-translation-layer (FTL) forensics mechanism that can roll back OS access-control metadata after an OS-level compromise by exploiting out-of-place updates in raw flash. Their prototype on EXT2/EXT3 and OpenNFM demonstrates efficient recovery with minimal performance impact, highlighting a promising post-compromise remediation path. While orthogonal to our strategic readiness modeling, such FTL-aware techniques complement DFR by preserving evidential integrity and enabling rapid restoration when preventive controls are bypassed.

Nikkle [43] described the Registration Data Access Protocol (RDAP) as a secure, standardized, and internationalized alternative to the legacy WHOIS system. While WHOIS and RDAP are expected to coexist for some time, RDAP offers enhanced security, automation capabilities, tool integration, and authoritative data sourcing—features that strengthen its utility in digital forensic investigations. Furthermore, Nikkle [44] introduced the concept of Fintech Forensics as a new sub-discipline, noting how the rise of digital transformation and financial technology has created novel avenues for criminal activity, necessitating dedicated forensic methodologies for financial transactions.

2.5. Digital Forensics in Emerging Domains

Seo et al. [45] proposed a Metaverse forensic framework structured around four phases derived from NIST’s digital forensic guidelines: data collection, examination and retrieval of evidence, analysis, and reporting. The study also outlines three procedures for data collection and examination distributed across user, service, and Metaverse platform domains, providing a systematic approach for investigating offenses occurring in virtual environments.

Malhotra [46] explored the intersection of digital forensics and artificial intelligence (AI), presenting current approaches and emerging trends. The author emphasized that, in today’s increasingly digital society, the rise in cybercrimes and financial frauds has made digital forensics indispensable. Integrating AI techniques into forensic analysis offers promising opportunities to address these challenges effectively. Malhotra further argued that AI-driven digital forensics could transform investigative efficiency, catalyzing the so-called Fourth Industrial Revolution. Consequently, continued investment in AI-enabled forensic technologies, specialized training, and advanced analytical tools is critical for ensuring preparedness against evolving cyber threats.

Tok and Chattopadhyay [47] examined cybersecurity challenges within Smart City Infrastructures (SCIs), proposing a unified definition and applying the STRIDE threat modeling methodology to identify potential offenses and evidence sources. Their study provides valuable guidance for investigators by mapping technical and legal aspects of digital forensics in SCI environments. However, the authors note that the applicability of their framework may depend on contextual variations in regulatory standards and implementation practices across jurisdictions.

2.6. Advanced Persistent Threats and Cybercrime

Han et al. [48] examined defensive strategies against long-term and stealthy cyberattacks, such as Advanced Persistent Threats (APTs). Their work underscores the necessity of strategic and proactive measures to counter increasingly sophisticated adversaries capable of prolonged network infiltration.

Chandra and Snowe [49] defined cybercrime as criminal activity involving computer technology and proposed a taxonomy built upon four foundational principles: mutual exclusivity, structural clarity, exhaustiveness, and well-defined categorization. This taxonomy facilitates the classification and differentiation of various cybercrime types and could be extended to organizational applications, metrics development, integration with traditional crime taxonomies, and automated classification for improved efficiency.

Collectively, these contributions highlight the potential of combining game theory with advanced technologies—such as artificial intelligence and blockchain—to enhance the effectiveness of digital forensic investigations. Casey et al. [50] introduced the Cyber-investigation Analysis Standard Expression (CASE), a community-driven specification language designed to improve interoperability and coordination among investigative tools. By building upon the Unified Cyber Ontology (UCO), CASE offers a standardized structure for representing and exchanging cyber-investigation data across multiple organizations and jurisdictions. Its versatility allows application in criminal, corporate, and intelligence contexts, supporting comprehensive analysis. Through illustrative examples and a proof-of-concept API, Casey et al. demonstrated how CASE enables structured data capture, facilitates sharing and collaboration, and incorporates data marking for controlled dissemination within the cyber-investigation community.

Despite notable progress in cybersecurity and digital forensics—particularly via the integration of game theory, enhanced readiness techniques, and diverse modeling tools—several critical challenges remain. Current approaches often struggle to represent the dynamic and asymmetric interactions between attackers and defenders in APT scenarios. Moreover, game-theoretic models frequently overlook nuanced decision-making processes inherent to forensic investigations and fail to fully account for the rapidly evolving tactics of modern cyber adversaries. Additionally, many DFR frameworks emphasize technical countermeasures while insufficiently addressing strategic adversary dynamics, leaving organizations vulnerable and less responsive to emerging threats.

2.7. Novelty

This work develops a quantitative game-theoretic model of digital forensic readiness for APT-focused SMEs. Its main contribution is the metricization of readiness via AHP-weighted utilities explicitly grounded in MITRE ATT&CK/D3FEND, as opposed to proposing a new game-theoretic solution concept.

To clarify the scope and positioning of our work relative to prior digital forensics and cybersecurity games, we compare our framework systematically with the closest prior work. Our approach integrates four key components that, to our knowledge, have not previously been combined in a single readiness-planning framework: (i) ATT&CK–D3FEND knowledge coupling with quantified utilities; (ii) AHP-weighted DFR metrics for payoff grounding; (iii) explicit PNE and MNE analysis with support conditions (one MNE for the non-zero-sum bimatrix $(A,D)$, and five equilibria—two pure-strategy and three mixed-strategy—for the zero-sum variant $(A,-D)$ as a robustness check); and (iv) actionable SME guidance under resource constraints.

Table 1. Comparative analysis of game-theoretic approaches to digital forensic readiness.

Dimension	Our Approach	Nisioti et al. [21]	Karabiyik et al. [23]	Lakhdhar et al. [31]	Wang et al. [38]	Monteiro et al. [36]
Game Model	Non-zero-sum Bimatrix (MNE/PNE)	Bayesian (BNE)	2 × 2 Normal-Form	Non-cooperative	ARA (Influence Diagram)	Bayesian (BNE)
ATT&CK	✓Explicit (14 Tactics)	✓Explicit	×	×	×	×
D3FEND	✓Explicit (6 Families)	×	×	×	×	×
Knowledge Coupling	✓ ATT&CK↔D3FEND	△ ATT&CK + CVSS	△ Empirical (ForGe)	△ Internal (CSLib)	△ Probabilistic (HBN)	△ CVSS + OpenTelemetry
Weighting Method	✓AHP (10 Experts)	△ CVSS + SME	△ Rule-based	△ Parametric ($\alpha$)	△ Implicit	△ Scalar Parameters
Quantitative Utilities	✓32 AHP Metrics	✓Payoff Functions	✓Payoff Matrix	✓Parametric	✓Utility Nodes	✓ Closed-Form
Equilibrium	✓PNE & MNE	✓BNE	✓Pure/Mixed NE	✓Pure/Mixed NE	× ARA	✓BNE
DFR Focus	✓DFR	△ Post-mortem	△ Investigation Efficiency	✓Forensic Readiness	× Cyber Risk	✓Forensic Readiness
SME/SMB	✓Explicitly Targeted	△ Domain-Agnostic	△ Potential	△ Applicable	△ Feasible	△ Implicit
Standardization	△ ATT&CK, D3FEND, STIX	△ ATT&CK, STIX, CVSS	△ Open-Source	△ CVE/US-CERT	△ Self-Contained	△ CVSS, OpenTelemetry
Reproducibility	✓Code, Data, Seeds	△ Public Inputs, No Code	△ Code on Request	△ No Public Code/Data	△ No Code, Commercial	✓Benchmark, Repo
Key Differentiator	Integrated DFR	Bayesian Anti-Forensics	Tool Selection	Provability Taxonomy	Adversarial Risk Analysis	Microservice Observability

Legend: ✓ = fully addressed; △ = partially addressed; and × = not addressed. Abbreviations: AHP (Analytic Hierarchy Process), MNE (Mixed Nash Equilibrium), PNE (Pure Nash Equilibrium), BNE (Bayesian Nash Equilibrium), ARA (Adversarial Risk Analysis), HBN (Hybrid Bayesian Network). Our framework uniquely integrates ATT&CK–D3FEND knowledge with AHP-weighted utilities and explicit SME/SMB targeting—a combination not found in prior work.

provides a systematic comparison across 12 evaluation dimensions, comparing our framework against five representative works in game-theoretic forensics: Nisioti et al. (Bayesian anti-forensics), Karabiyik et al. (tool selection games), Lakhdhar et al. (provability taxonomies), Wang et al. (adversarial risk analysis), and Monteiro et al. (microservice observability). This comparison demonstrates how our integration of standardized knowledge frameworks (ATT&CK/D3FEND), expert-driven metric weighting (AHP), and quantitative equilibrium analysis (MNE) addresses gaps in prior work, particularly the lack of quantitative payoffs, standardized taxonomies, and SME-focused guidance. Prior work has advanced game-theoretic forensics in specific domains: Nisioti et al. focus on Bayesian anti-forensics, Karabiyik et al. on tool selection games, Lakhdhar et al. on provability taxonomies, Wang et al. on adversarial risk analysis, and Monteiro et al. on microservice observability. Building on these foundations, our framework jointly (i) integrates both ATT&CK and D3FEND (whereas Nisioti et al. use ATT&CK without D3FEND, and others use neither); (ii) employs the AHP with expert panels for metric weighting (whereas others use CVSS mapping, rule-based, or implicit weighting); (iii) provides explicit MNE analysis with support conditions for non-zero-sum bimatrix games; and (iv) explicitly targets SME/SMB applicability with resource-constrained guidance.

This combination is, to our knowledge, not yet available in existing work, and is intended as a practical integration that addresses a gap in quantifying strategic payoffs in DFR planning using standardised knowledge frameworks; it does not introduce a new game-theoretic solution concept.

3. Materials and Methods

In this section, the problem statement is provided in Section 3.1. The methodology of the research is stated in Section 3.2. The fundamental concepts of game theory are presented in Appendix B.12. The proposed approach is detailed in Section 3.3, followed by the utility function discussion in Section 3.4. The prioritization of DFR is addressed in Section 3.5, respectively. The reevaluation of DFR is covered in Section 3.6.

3.1. Problem Statement

Let A represent the set of attackers and D represent the set of defenders in a cyber environment. The objective of this research is to model the strategic interactions between A and D during the DFR phase using game theory.

Let us define the following variables:

• $S_A$: Strategies available to attackers, corresponding to MITRE ATT&CK tactics (e.g., Reconnaissance, Resource Development, Initial Access, Execution, Persistence, etc.).
• $S_D$: Strategies available to defenders, corresponding to MITRE D3FEND countermeasures (e.g., Model, Detect, Harden, Isolate, Deceive, etc.)
• P: Parameters influencing game models, such as attack severity, defense effectiveness, and forensic capability.
• $U_A(s_A,s_D)$: Utility function for attackers, representing the payoff based on their strategy $s_A$ and the defenders’ strategy $s_D$.
• $U_D(s_A,s_D)$: Utility function for defenders, representing the payoff based on their strategy $s_D$ and the attackers’ strategy $s_A$.

This research aims to solve the following problems:

• Model Construction: Construct game models $G(A,D,S_A,S_D,P)$ to represent the interactions between A and D.
• Equilibrium Analysis: Identify Nash equilibria $(s_A^{*},s_D^{*})$ such that

  $$\begin{array}{cc}\hfill U_A(s_A^{*},s_D^{*})& \ge U_A(s_A,s_D^{*})\forall s_A\in S_A\hfill \\ \hfill U_D(s_A^{*},s_D^{*})& \ge U_D(s_A^{*},s_D)\forall s_D\in S_D\hfill \end{array}$$

The goal is to derive optimal strategies $(s_A^{*},s_D^{*})$ that enhance DFR, thereby informing the development of effective cybersecurity policies and strategies. This research contributes to the theoretical understanding of strategic interactions in cybersecurity, providing a foundation for future empirical studies and practical applications.

3.2. Methodology

We implemented a game-theoretic framework (Appendix B.12) integrating ATT&CK–D3FEND knowledge mapping with AHP-weighted DFR metrics. The framework consists of five components: (i) ATT&CK–D3FEND mapping (Section 4.1), (ii) DFR metric development, (iii) AHP weight determination (Section 3.5), (iv) payoff matrix construction (Section 3.3.3), and (v) equilibrium computation (Section 3.3.5).

Notation and Symbols

We employ standard mathematical notation throughout the paper, including sets ($\mathcal{S}$, $\mathcal{T}$), matrices (A, D), vectors (x, y), and scalar-valued functions ($A(s,t)$, $D(s,t)$). Key symbols are listed in

Table 2. Notation reference for key symbols (see Table A1 in Appendix B for complete listing).

Symbol	Description
Game Structure
$\mathcal{S}$	Attacker strategy set: $\mathcal{S}=\{s_1,\dots ,s_{14}\}$, $\left|\mathcal{S}\right|=14$ ATT&CK tactics
$\mathcal{T}$	Defender strategy set: $\mathcal{T}=\{t_1,\dots ,t_6\}$, $\left|\mathcal{T}\right|=6$ D3FEND control families
A	Attacker payoff matrix: $A\in {\mathbb{R}}^{14\times 6}$, entry $A(s,t)\in [0,41]$
D	Defender payoff matrix: $D\in {\mathbb{R}}^{14\times 6}$, entry $D(s,t)\in [0,41]$
Strategies
$s\in \mathcal{S}$	Attacker pure strategy (ATT&CK tactic)
$t\in \mathcal{T}$	Defender pure strategy (D3FEND control family)
x	Attacker mixed strategy: $x\in {\Delta }^{13}$, probability vector over $\mathcal{S}$
y	Defender mixed strategy: $y\in {\Delta }^5$, probability vector over $\mathcal{T}$
$x^{*}$, $y^{*}$	Nash equilibrium mixed strategies
Utilities and Metrics
$\tilde{A}(s,t)$	Normalized attacker utility: $\tilde{A}(s,t)={\sum }_{i=1}^{16}{w}_i^{\left(A\right)}{M}_i(s,t)\in [0,1]$
$\tilde{D}(s,t)$	Normalized defender utility: $\tilde{D}(s,t)={\sum }_{j=1}^{16}{w}_j^{\left(D\right)}{M}_j^{\left(D\right)}(s,t)\in [0,1]$
$w_i^{\left(A\right)}$	AHP weight for attacker metric i: $w_i^{\left(A\right)}\in [0,1]$, ${\sum }_{i=1}^{16}{w}_i^{\left(A\right)}=1$
$w_j^{\left(D\right)}$	AHP weight for defender metric j: $w_j^{\left(D\right)}\in [0,1]$, ${\sum }_{j=1}^{16}{w}_j^{\left(D\right)}=1$
$M_i(s,t)$	Attacker DFR metric i value: $M_i(s,t)\in [0,1]$
$M_j^{\left(D\right)}(s,t)$	Defender DFR metric j value: $M_j^{\left(D\right)}(s,t)\in [0,1]$
Notation Disambiguation
$A(s,t)$ vs. A	$A(s,t)$ is a scalar (single entry); A is the entire matrix
x, y vs. x*, y*	x, y are elements/indices; x*, y* are mixed-strategy vectors

, while the comprehensive notation table is provided in Appendix B.1. A summary of all strategy-related notation is presented in

Table 3. Strategy notation reference.

Defender Strategies	ATT&CK Tactics
$t_1=\mathtt{Model}$	$s_1=\mathtt{Reconnaissance}$
$t_2=\mathtt{Harden}$	$s_2=\mathtt{Resource\; Development}$
$t_3=\mathtt{Detect}$	$s_3=\mathtt{Initial\; Access}$
$t_4=\mathtt{Isolate}$	$s_4=\mathtt{Execution}$
$t_5=\mathtt{Deceive}$	$s_5=\mathtt{Persistence}$
$t_6=\mathtt{Evict}$	$s_6=\mathtt{Privilege\; Escalation}$
	$s_7=\mathtt{Defense\; Evasion}$
	$s_8=\mathtt{Credential\; Access}$
	$s_9=\mathtt{Discovery}$
	$s_{10}=\mathtt{Lateral\; Movement}$
	$s_{11}=\mathtt{Collection}$
	$s_{12}=\mathtt{Command\; and\; Control}$
	$s_{13}=\mathtt{Exfiltration}$
	$s_{14}=\mathtt{Impact}$

.

3.3. Proposed Approach

Inspired by Sun Tzu’s strategic principles, our approach models digital forensics as a normal-form game between two primary entities: attacker and defender. This game captures their strategy sets and resulting payoffs as follows:

• Players:

  –

  Attacker: 14 strategies ($s_1,s_2,\dots ,s_{14}$).

  –

  Defender: 6 strategies ($t_1,t_2,\dots ,t_6$).

• Payoff Matrices: Shown in

  Table 4. Attacker’s Payoff Matrix $A(s,t)$ (utility values; higher is better). Column labels: $t_1=\mathtt{Model}$, $t_2=\mathtt{Harden}$, $t_3=\mathtt{Detect}$, $t_4=\mathtt{Isolate}$, $t_5=\mathtt{Deceive}$, and $t_6=\mathtt{Evict}$.

  	t1	t2	t3	t4	t5	t6
  s1	5	6	7	8	9	10
  s2	0	0	1	2	3	4
  s3	14	13	12	11	0	0
  s4	16	17	18	18	0	0
  s5	19	20	20	18	0	0
  s6	23	22	21	7	6	5
  s7	24	25	26	24	25	26
  s8	32	28	29	30	31	27
  s9	33	34	35	30	33	32
  s10	32	35	36	6	7	5
  s11	36	37	38	6	35	30
  s12	37	38	39	39	0	0
  s13	38	39	40	0	0	0
  s14	39	40	41	0	0	0

  for the attacker and

  Table 5. Defender’s Payoff Matrix $D(s,t)$ (utility values; higher is better). Column labels: $t_1=\mathtt{Model}$, $t_2=\mathtt{Harden}$, $t_3=\mathtt{Detect}$, $t_4=\mathtt{Isolate}$, $t_5=\mathtt{Deceive}$ and, $t_6=\mathtt{Evict}$.

  	t1	t2	t3	t4	t5	t6
  s1	5	7	1	1	7	5
  s2	6	8	10	2	6	6
  s3	7	9	11	5	8	11
  s4	8	10	25	25	9	12
  s5	9	11	24	8	10	13
  s6	10	12	24	8	11	10
  s7	11	21	20	10	12	7
  s8	18	14	25	9	5	25
  s9	13	15	23	12	4	8
  s10	14	16	22	11	14	9
  s11	15	17	20	12	13	14
  s12	16	18	21	13	15	25
  s13	17	20	20	10	16	17
  s14	12	19	29	16	17	16

  for the defender, each matrix displays payoffs for every strategy combination.
• Rationality: Both players are presumed rational, seeking to maximize their individual payoffs given knowledge of the opponent’s strategy. The game is simultaneous and non-zero-sum.

Attacker strategies include actions such as reconnaissance, execution, privilege escalation, and others. Defender strategies encompass modeling, detecting, deceiving, and additional controls. Modeling these interactions provides insight into the dynamic strategic landscape of digital forensics. As visualized in Figure 1, analysis of the payoff matrices reveals both outcomes and equilibrium points, highlighting the evolving nature of cyber threats. Darker matrix shades indicate higher attacker payoffs.

3.3.1. PNE Analysis

A pure-strategy Nash equilibrium (PNE) represents a stable outcome where neither player can improve their payoff by unilaterally changing strategy. Intuitively, this means that, (i) given the defender’s choice, the attacker’s strategy yields the highest possible payoff and (ii) given the attacker’s choice, the defender’s strategy yields the highest possible payoff. For the non-zero-sum bimatrix $(A,D)$, a strategy profile $(s^{*},t^{*})$ is a PNE if

$$A(s^{*},t^{*})\ge A(s,t^{*})\forall s\in \mathcal{S},D(s^{*},t^{*})\ge D(s^{*},t)\forall t\in \mathcal{T},$$

(1)

where $\mathcal{S}$ and $\mathcal{T}$ are the attacker and defender pure strategy sets, respectively. The first inequality ensures the attacker cannot gain by switching from $s^{*}$ to any other strategy s when the defender plays $t^{*}$; the second ensures the defender cannot gain by switching from $t^{*}$ to any other strategy t when the attacker plays $s^{*}$.

For our game, we find that $(s_{14},t_3)$ = (‘Impact’, ‘Detect’) is a PNE, verified by checking the best-response conditions:

$$\begin{array}{cc}\hfill A(s_{14},t_3)& \ge A(s_k,t_3)\forall k\in \{1,2,\dots ,14\},\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill D(s_{14},t_3)& \ge D(s_{14},t_l)\forall l\in \{1,2,\dots ,6\}.\hfill \end{array}$$

(3)

Specifically, by inspecting Table 4 and Table 5, (i) $A(s_{14},t_3)=41$ is the maximum in column $t_3$ (attacker’s best response); (ii) $D(s_{14},t_3)=29$ is the maximum in row $s_{14}$ (defender’s best response). A full best-response scan over all $14\times 6=84$ pure strategy pairs confirms this is the unique PNE (see Appendix B.7 for the verification algorithm). This PNE is highlighted in Figure 1.

3.3.2. MNE Analysis

Main Equilibrium (Non-Zero-Sum)

All results in the main text are based on the non-zero-sum bimatrix $(A,D)$ constructed from independent attacker/defender utilities. Using nashpy’s vertex_enumeration on $(A,D)$, we obtained exactly one Nash equilibrium, which is pure at $(s_{14}=\mathit{Impact},t_3=\mathit{Detect})$. Support enumeration yields the same point, and the Karush–Kuhn–Tucker (KKT) conditions [51] are satisfied. The equilibrium is non-degenerate and stable under $\epsilon$-perturbations up to $\epsilon \le {10}^{-6}$. This is the equilibrium reported in Table 4 and Table 5 and Figure 1. The zero-sum transform $(A,-D)$ yields exactly five equilibria under vertex enumeration: two pure equilibria at $(s_{14},t_1)=(\mathit{Impact},\mathit{Model})$ and $(s_{12},t_4)=(\mathit{Command} \mathit{and} \mathit{Control},\mathit{Isolate})$, and three mixed equilibria with supports $\{s_{12},s_{14}\}\times \{t_1,t_4\}$, $\{s_9,s_{12}\}\times \{t_4,t_5\}$, and $\{s_9,s_{11}\}\times \{t_4,t_5\}$. All pass KKT verification, are non-degenerate, and are $\epsilon$-stable for $\epsilon \le {10}^{-6}$ (Note: Support enumeration reports only 3 equilibria on this instance; therefore, vertex enumeration is used as the primary method and ground truth). Complete support sets and probability distributions for these five equilibria are provided in

Table A3. Zero-sum sensitivity variant $(A,-D)$: Complete support sets and probability distributions for all five Mixed Nash Equilibria (MNE). Only strategies with non-zero probabilities are shown. Probabilities rounded to four decimal places. MNE 2 and MNE 4 are pure-strategy equilibria; MNE 1, MNE 3, and MNE 5 are mixed-strategy equilibria. Note: These equilibria are from the zero-sum transform $(A,-D)$; main results use the non-zero-sum bimatrix $(A,D)$.

MNE	Attacker Strategy	Defender Strategy
MNE 1	$s_{12}$: Command and Control (0.5714)	$t_1$: Model (0.9512)
(mixed)	$s_{14}$: Impact (0.4286)	$t_4$: Isolate (0.0488)
MNE 2	$s_{14}$: Impact (1.0000)	$t_1$: Model (1.0000)
(pure)
MNE 3	$s_9$: Discovery (0.2000)	$t_4$: Isolate (0.7857)
(mixed)	$s_{12}$: Command and Control (0.8000)	$t_5$: Deceive (0.2143)
MNE 4	$s_{12}$: Command and Control (1.0000)	$t_4$: Isolate (1.0000)
(pure)
MNE 5	$s_9$: Discovery (0.1111)	$t_4$: Isolate (0.0769)
(mixed)	$s_{11}$: Collection (0.8889)	$t_5$: Deceive (0.9231)

in the Appendix B.9, where they are presented as a robustness check.

3.3.3. Payoff Construction from ATT&CK→D3FEND Coverage

We construct defender-side coverage rates by aggregating many-to-many links from MITRE ATT&CK^® Enterprise techniques (v13.1) to MITRE D3FEND techniques (v0.12.0-BETA-2) at the tactic × control-family level. Let $\mathcal{S}$ be the set of 14 ATT&CK tactics and $\mathcal{T}$ the set of six D3FEND control families. For each cell $(s,t)$ we define

$$C(s,t)={\displaystyle \frac{\#\{k\in s:k\mapsto t\}}{\#\{k\in s\}}},$$

where $k\mapsto t$ denotes the existence of at least one D3FEND technique in family t mitigating technique (or sub-technique) k. Sub-techniques were treated as first-class and were not rolled up into parent techniques. Counts were de-duplicated once per $(\mathrm{APT},\mathrm{technique},\mathrm{family})$ when aggregating to tactics, as detailed in Section 4.2.

The attacker payoff matrix A is defined analogously from attacker-centric effectiveness against the same family t (selection rules unchanged).

For each strategy pair $(s,t)$ (attacker tactic s vs. defender countermeasure t), we computed a weighted utility score that aggregates multiple DFR metrics. Intuitive explanation: We evaluated how well a defender countermeasure t addresses an attacker tactic s across 16 different dimensions (e.g., logging quality, evidence preservation, detection capability), weighted each dimension by its importance (determined via AHP expert elicitation), and summed the weighted scores to get an overall utility. Formal computation: Let $w_i$ denote the AHP weight for the i-th DFR metric (16 attacker metrics + 16 defender metrics = 32 total), and let $M_i(s,t)$ be the normalized metric score (0–1) for tactic s and countermeasure family t. The raw payoff value $\tilde{A}(s,t)$ was computed as a weighted sum:

$$\tilde{A}(s,t)=\sum _{i=1}^{16}{w}_i^{\left(\mathrm{attacker}\right)}·M_i(s,t),$$

where the metric scores $M_i(s,t)$ are derived from coverage statistics (e.g., $C(s,t)$) and attacker-centric effectiveness assessments. The defender-side matrix $\tilde{D}(s,t)$ was computed analogously using the 16 defender metrics. These raw utility scores (typically in the range $[0,1]$) were then linearly scaled and rounded to integers in the range $[0,41]$ to produce the final payoff matrices shown in Table 4 and Table 5. The scaling transformation is as follows:

$$A(s,t)=\lfloor 41·\tilde{A}(s,t)+0.5\rfloor ,D(s,t)=\lfloor 41·\tilde{D}(s,t)+0.5\rfloor ,$$

where $\lfloor ·+0.5\rfloor$ denotes rounding to the nearest integer. This scaling preserves the relative magnitudes of utility differences while mapping to a discrete payoff range suitable for equilibrium computation. Example: If $\tilde{A}(s,t)=0.85$, then $A(s,t)=\lfloor 41\times 0.85+0.5\rfloor =\lfloor 35.35\rfloor =35$. Because A and the defender-side matrix D are derived from distinct statistics, the game is non-zero-sum; in particular, we do not impose $D=-C$. All main-text equilibria are computed on the non-zero-sum bimatrix $(\mathrm{A},\mathrm{D})$; the zero-sum transform $(\mathrm{A},-\mathrm{D})$ is provided only as a robustness check in the Appendix B.9.

All scripts, versioning, and reproducibility information are provided in the Appendix B.

3.3.4. Payoff Matrices

The final payoff matrices for attacker and defender strategies are then shown in Table 4 and Table 5.

3.3.5. Mixed Nash Equilibrium Computation

We computed mixed Nash equilibria (MNE) using nashpy’s vertex_enumeration routine [52], which implements the vertex enumeration algorithm for bimatrix games (see [52] for implementation details). The method operates on the non-zero-sum bimatrix $(A,D)$, where A and D are attacker and defender payoff matrices derived independently from ATT&CK→D3FEND mappings (see Section 3.3.3).

Both A and D are utilities to be maximized. We passed the bimatrix $(A,D)$ directly to the solver. When presenting defender costs C for interpretability, we converted to utilities via $D=-C$ for equilibrium computation and stated this explicitly where applicable. In our case, D was already constructed as a utility matrix (higher values are better for the defender), so no transformation was needed; the game was passed to nashpy as Game(A, D) without modification (where A and D are the matrix arrays). All code for equilibrium computation was archived in a public repository (see Appendix B).

For payoff matrices A and D, a mixed-strategy Nash equilibrium (MNE) is a pair of probability distributions $(x^{*},y^{*})$ over strategies where neither player can improve their expected payoff by changing their probability distribution. Here, $x^{*}\in {\Delta }_{14}$ represents the attacker’s probability distribution over 14 strategies, and $y^{*}\in {\Delta }_6$ represents the defender’s probability distribution over 6 strategies.

Intuitive interpretation: In an MNE, players randomize over strategies such that (i) all strategies used with positive probability yield the same expected payoff (no strategy is better than another), and (ii) any unused strategy would yield a lower expected payoff (no incentive to switch). This creates strategic unpredictability while maintaining optimality.

Formal conditions: Let ${\left(A{y}^{*}\right)}_i={\sum }_{j=1}^{6}A(s_i,t_j)y_j^{*}$ denote the attacker’s expected payoff when playing pure strategy $s_i$ against the defender’s mixed strategy $y^{*}$ (i.e., the weighted average of payoffs across all defender strategies, weighted by their probabilities). Similarly, ${\left(x^{*\top }D\right)}_j={\sum }_{i=1}^{14}{x}_i^{*}D(s_i,t_j)$ denotes the defender’s expected payoff when playing pure strategy $t_j$ against the attacker’s mixed strategy $x^{*}$. Then $(x^{*},y^{*})$ is an MNE if and only if there exist constants $v_A$ and $v_D$ (the equilibrium values) such that

$${\left(A{y}^{*}\right)}_i=v_A\forall i\in \mathrm{supp}\left(x^{*}\right),{\left(A{y}^{*}\right)}_i\le v_A\forall i\notin \mathrm{supp}\left(x^{*}\right),$$

(4)

$${\left(x^{*\top }D\right)}_j=v_D\forall j\in \mathrm{supp}\left(y^{*}\right),{\left(x^{*\top }D\right)}_j\le v_D\forall j\notin \mathrm{supp}\left(y^{*}\right),$$

(5)

where $\mathrm{supp}\left(x^{*}\right)=\{i:x_i^{*}>0\}$ and $\mathrm{supp}\left(y^{*}\right)=\{j:y_j^{*}>0\}$ are the supports of the mixed strategies.

These are the standard KKT conditions for Nash equilibrium, ensuring that (i) all actions in support receive equal expected payoffs ($v_A$ and $v_D$) and (ii) no excluded action yields a higher payoff (no profitable deviations).

For the non-zero-sum bimatrix $(A,D)$, vertex enumeration yields exactly one Nash equilibrium, which is pure at $(s_{14},t_3)=(\mathit{Impact},\mathit{Detect})$. The vertex_enumeration method enumerates all vertices of the best-response polytopes, returning all equilibria of the game. Vertex enumeration can return equilibria that support enumeration misses in some numerical configurations, as it covers all polytope vertices rather than searching only over specific support sizes; for this reason, we use vertex enumeration as the primary method and ground truth.

3.3.6. Dynamics Illustration (Zero-Sum Variant)

The convergence trajectories shown in Figure 2 are based on the zero-sum variant $(A,-D)$ and illustrate attractor points under discrete-time best-response dynamics. For visualization, we ran best-response dynamics: starting from uniform random initial strategies, each player iteratively updates to a pure best response against the opponent’s current strategy. The attacker updates via $s^{(t+1)}=arg{max}_{s\in \mathcal{S}}A(s,t^{\left(t\right)})$, and the defender updates via $t^{(t+1)}=arg{max}_{t\in \mathcal{T}}(-D)(s^{\left(t\right)},t)$ (equivalently, $arg{min}_{t\in \mathcal{T}}D(s^{\left(t\right)},t)$ for the zero-sum variant), where $s^{\left(t\right)}$ and $t^{\left(t\right)}$ denote pure strategies at iteration t. The process converges to attractor points corresponding to equilibria of $(A,-D)$.

For the non-zero-sum bimatrix $(A,D)$, best-response dynamics converge to the unique PNE $(\mathit{Impact},\mathit{Detect})$. The trajectories shown in Figure 2 illustrate multiple attractor points under the zero-sum variant $(A,-D)$, demonstrating different strategic patterns that emerge under the transformed game structure. These results are provided for exploratory purposes; all policy conclusions in this paper are drawn from the non-zero-sum bimatrix $(A,D)$.

Methodological Transparency Statement

Our main strategic conclusions are drawn from the empirical, non-zero-sum bimatrix $(A,D)$. To probe sensitivity to a worst-case, antagonistic setting, we also study a zero-sum variant $(A,-D)$ in Appendix B.9; this produces five equilibria (two pure-strategy and three mixed-strategy) and consistent tactical themes but is not used for headline results.

3.4. Utility Function

We modeled attacker–defender interactions using utility functions that quantify the payoff for each party. This is grounded in Multi-Criteria Decision Analysis (MCDA), an established framework for evaluating complex, conflicting criteria [13,52,53]. MCDA is well-suited for assessing the multifaceted nature of cybersecurity strategies.

3.4.1. Attacker Utility Function

The attacker’s utility was evaluated across 16 dimensions, such as Attack Success Rate, Resource Efficiency, and Stealthiness. Each metric was normalized between 0 (least favorable) and 1 (most favorable) and assigned a weight $w_i$ based on its relative importance. The attacker utility function is formulated as follows:

$$U_{\mathrm{Attacker}}=\sum _{i=1}^{16}{w}_i{M}_i$$

(6)

where $M_i$ is the normalized score for the i-th metric. This provides a granular view of attacker priorities and effectiveness (

Table 6. Attacker Utility Metrics (Summary). Each metric is evaluated on a continuous scale from 0 (least favorable) to 1 (most favorable). Detailed scoring preferences with qualitative descriptions for each metric level are provided in Appendix B (Table A9).

Metric	Description
Attack Success Rate (ASR)	Likelihood of successful attack execution
Resource Efficiency (RE)	Ratio of attack payoff to resource expenditure
Stealthiness (ST)	Ability to avoid detection and attribution
Data Exfiltration Effectiveness (DEE)	Success rate of data exfiltration attempts
Time-to-Exploit (TTE)	Speed of vulnerability exploitation before patching
Evasion of Countermeasures (EC)	Ability to bypass defensive measures
Attribution Resistance (AR)	Difficulty in identifying the attacker
Reusability of Attack Techniques (RT)	Extent to which attack techniques can be reused
Impact of Attacks (IA)	Magnitude of disruption or loss caused
Persistence (P)	Ability to maintain control over compromised systems
Adaptability (AD)	Capacity to adjust strategies in response to defenses
Deniability (DN)	Ability to deny involvement in attacks
Longevity (LG)	Duration of operations before disruption
Collaboration (CB)	Extent of collaboration with other attackers
Financial Gain (FG)	Monetary profit from attacks
Reputation and Prestige (RP)	Enhancement of attacker reputation

).

3.4.2. Defender Utility Function

Similarly, the defender’s utility evaluates 16 dimensions such as Logging Capabilities, Evidence Integrity, and Standards Compliance. The defender utility function is the following:

$$U_{\mathrm{Defender}}=\sum _{j=1}^{16}{w}_j{M}_j$$

(7)

where $M_j$ is the normalized score for the j-th metric. This reflects the organization’s forensic readiness (

Table 7. Defender Utility Metrics (Summary). Each metric is evaluated on a continuous scale from 0 (least favorable) to 1 (most favorable). Detailed scoring preferences with qualitative descriptions for each metric level are provided in Appendix B (Table A10).

Metric	Description
Logging and Audit Trail Capabilities (L)	Extent of logging and audit trail coverage
Integrity and Preservation of Digital Evidence (I)	Ability to preserve evidence integrity and backups
Documentation and Compliance with Digital Forensic Standards (D)	Adherence to forensic standards and documentation quality
Volatile Data Capture Capabilities (VDCC)	Effectiveness of volatile data capture
Encryption and Decryption Capabilities (E)	Strength of encryption/decryption capabilities
Incident Response Preparedness (IR)	Quality of incident response plans and team readiness
Data Recovery Capabilities (DR)	Effectiveness of data recovery tools and processes
Network Forensics Capabilities (NF)	Sophistication of network forensic analysis
Staff Training and Expertise (${\mathrm{ST}}_d$)	Level of staff training and certifications
Legal & Regulatory Compliance (LR)	Compliance with legal and regulatory requirements
Accuracy (A)	Consistency and correctness of forensic analysis
Completeness (C)	Extent of comprehensive data collection and analysis
Timeliness (T)	Speed and efficiency of forensic investigation process
Reliability (R)	Consistency and repeatability of forensic techniques
Validity (V)	Adherence to legal and scientific standards
Preservation (${\mathrm{P}}_d$)	Effectiveness of evidence preservation procedures

).

Ten DFIR practitioners independently completed two $16\times 16$ pairwise comparison matrices (PCMs) covering attacker and defender metrics. We aggregated their Saaty-scale judgments via the geometric-mean consensus recommended in [54], normalized the resulting vectors to unit sum, and verified $CR<0.10$ for both attacker and defender PCMs (details in Appendix B). Figure 3 summarizes the elicitation workflow; the full instrument, anonymized PCMs, and processing scripts are released with Appendix B. An expanded, step-by-step description of the elicitation protocol is provided in Appendix B.13.

3.4.3. Utility Calculation Algorithms

Utility scores follow the weighted sums in Equations (6) and (7). In practice this is a single $O\left(n\right)$ pass that validates metric inputs, normalizes the AHP weights when necessary, and clamps floating-point drift to the $[0,1]$ range. The exact pseudocode and input-checking logic are provided in Appendix B (Algorithm A1).

Readiness classification compares the resulting score u with a policy threshold $T\in [0,1]$ (typically $T\approx 0.7$ for “High DFR”). The decision rule is a constant-time check summarized in Algorithm A2 (Appendix B); we retain the notation here only to reference subsequent analyses that condition the $\{\mathtt{HighDFR},\mathtt{NeedsImprovement}\}$ outcome.

Given a readiness classification of $\mathtt{NeedsImprovement}$, we flagged low-performing metrics by comparing each $m_i$ to the same threshold T. This scan produces an index set of candidate improvements that subsequently feeds the prioritisation step. The simple iteration is described in Algorithm A3 (Appendix B) and underpins the gap analysis reported in Section 4.7.

3.5. Prioritizing DFR Improvements

Enhancing DFR requires strategically targeting metrics within the utility function that have the greatest potential impact. Calibration with real-world experimental data ensures the validity of the model, aligning the results with operational realities [55].

To systematically determine improvement priorities, we apply the AHP, a structured multi-criteria decision framework that combines quantitative and qualitative assessments [54]. AHP provides a mathematical basis for ranking metrics, particularly highlighting low-scoring factors with high weight (Figure 4).

3.5.1. AHP Methodology for Weight Determination

We aggregate expert PCMs via the element-wise geometric mean, compute the principal eigenvector of the consensus matrix, and normalize the resulting weights to unit sum. The full eigenvector/LLSM workflow, together with numerical tolerances and fallback rules, is documented in Algorithm A4 (Appendix B). For both attacker and defender matrices the resulting $CR$ values remain below $0.10$, confirming acceptable consistency. Figure 4 visualizes the prioritized weights, and

Table 8. AHP-derived metric weights for attacker and defender utility functions. Notation: Defender metrics use subscript d ($S{T}_d$ = Staff Training, $P_d$ = Preservation); attacker metrics use bare symbols ($ST$ = Stealthiness, P = Persistence).

Metric (Attacker)	Weight	Metric (Defender)	Weight
ASR	0.1094	L	0.0881
RE	0.0476	I	0.0881
ST	0.0921	D	0.0423
DEE	0.0887	VDCC	0.0642
TTE	0.0476	E	0.0461
EC	0.0887	IR	0.0881
AR	0.0814	DR	0.0481
RT	0.0476	NF	0.0819
IA	0.0921	${\mathrm{ST}}_d$	0.0819
P	0.0814	LR	0.0481
AD	0.0571	A	0.0557
DN	0.0264	C	0.0460
LG	0.0433	T	0.0693
CB	0.0262	R	0.0531
FG	0.0210	V	0.0423
RP	0.0487	${\mathrm{P}}_d$	0.0557

Precision note. Values are rounded to four decimals for readability. Six-decimal weights are provided in Table A4; apparent duplicates at four decimals are either rounding artifacts or reflect intended equal-importance judgments.

lists the values used throughout the analysis.

Expert Panel Procedures and Transparency

Recruitment and inclusion criteria. Ten domain experts were recruited based on the following criteria: (i) a minimum of 5 years of professional experience in digital forensics (DF), digital forensics and incident response (DFIR), or security operations; and/or (ii) peer-reviewed publications on game-theoretic security or digital forensic readiness. All participants provided written informed consent for participation and publication of anonymized, aggregated results. Participants declared any conflicts of interest and submitted domain-only email addresses for communication.

Data collection and independence. To limit anchoring bias and dominance effects, judgments were collected independently via an online instrument. Each expert completed two $16\times 16$ PCMs, one for attacker metrics and one for defender metrics, without knowledge of other participants’ responses. Per-expert consistency ratios (CRs) were computed; participants had the option to revise judgments if $CR>0.10$. The released CSV files report per-expert CRs; no personally identifiable information is included.

Anonymization and data availability. Expert responses were anonymized prior to analysis. Anonymized demographics (years of experience, primary domain expertise, geographic region) and per-expert CR distributions are summarized in Appendix B (Figure A9) and provided in Appendix B. The full attacker/defender PCMs (six-decimal precision) and aggregated weights are released as CSV tables (

Table A4. Six-decimal AHP-derived metric weights (attacker/defender).

Attacker		Defender
Metric	Weight	Metric	Weight
ASR	0.109 421	L	0.088 138
RE	0.047 640	I	0.088 138
ST	0.092 165	D	0.042 359
DEE	0.088 782	VDCC	0.064 290
TTE	0.047 640	E	0.046 193
EC	0.088 782	IR	0.088 138
AR	0.081 419	DR	0.048 163
RT	0.047 640	NF	0.081 980
IA	0.092 165	ST	0.081 980
P	0.081 419	LR	0.048 163
AD	0.057 193	A	0.055 784
DN	0.026 406	C	0.046 039
LG	0.043 317	T	0.069 305
CB	0.026 246	R	0.053 188
FG	0.021 048	V	0.042 359
RP	0.048 717	P	0.055 784

) together with scripts to recompute eigenvector and LLSM priorities (available in the repository, Appendix B).

Institutional review and ethics. Under the Islamic Azad University Research Ethics policy, this expert-elicitation exercise—in which adult professionals provided non-sensitive technical judgments anonymously and no personally identifiable information was collected—does not constitute human-subject research requiring REC/IRB review. Electronic consent was obtained at the start of the instrument via an on-screen information sheet and an “I agree to participate” confirmation. No names, emails, IP addresses, or other identifiers were recorded; responses were stored only in anonymized, aggregate form (see Section 3 and the institutional review statement in the Acknowledgments Section).

Reporting Precision and Repeated Weights

Weights in Table 8 are shown to four decimals for readability. Because (i) judgments use a discrete 1–9 Saaty scale and (ii) we aggregate experts multiplicatively via geometric means, priority-vector components can legitimately cluster; rounding can therefore make nearby values appear equal (e.g., 0.0881 repeated). We provide six-decimal weights in Table A4; except where experts explicitly judged equal importance (yielding proportional rows/columns and thus equal eigenvector components), clustered entries separate at higher precision. Both aggregated PCMs satisfy the usual AHP criterion ($CR<0.10$).

Plausibility of Small and Similar CR Values

For each consensus PCM, we compute $CI=({\lambda }_{max}-n)/(n-1)$ and $CR=CI/RI$ with $n=16$ and $RI=1.59$. Our consensus matrices yield ${\lambda }_{max}=16.3200$ and $16.3157$, hence $CI=0.02133,0.02105$ and $CR=0.038,0.0132$. Low and similar CRs are expected under log-space geometric aggregation, which reduces dispersion and improves consistency across both PCMs produced by the same expert panel and protocol.

Additional AHP Diagnostics and Robustness

As robustness checks, we (i) recomputed priorities using the logarithmic least-squares (row geometric mean, LLSM) method and obtained cosine similarity > 0.999 with the eigenvector solution as well as identical top-k rankings; (ii) reported Koczkodaj’s triad inconsistency and the geometric consistency index (GCI) for the consensus PCMs (

Table A5. Consistency diagnostics for aggregated AHP matrices.

Matrix	n	${\mathit{\lambda }}_{max}$	CI	CR	GCI	Koczkodaj
Attacker	16	16.452 800	0.030 200	0.019 000	0.066 600	0.875 000
Defender	16	16.315 700	0.021 000	0.013 200	0.047 700	0.500 000

); (iii) performed a local perturbation study (1000 runs) that jitters entries by $\pm 1$ Saaty step and applies $\pm 5\%$ multiplicative noise, observing median Spearman rank correlation $\rho \ge 0.95$ and $CR\ll 0.10$ (Figure A8); and (iv) summarized per-expert consistency via CR distributions, where aggregation reduces inconsistency (Figure A9).

3.5.2. Prioritization Process

The prioritization step ranks metrics by combining their AHP weight with the observed score gap and then screens the list against organizational feasibility constraints. We therefore concentrate remediation on high-weight, low-score metrics while treating the remaining steps (strategy design, deployment, monitoring) as operational details covered in Appendix B.

3.5.3. DFR Improvement Algorithm

We translate the priority list into an actionable program by sorting candidate metrics by their weight–gap product and selecting those that pass feasibility checks on cost, time, and staffing. Implementation details, including deterministic tie-breaking and monitoring hooks, are documented in Algorithm A5 (Appendix B). This keeps the main text focused on how the prioritized improvements feed the readiness evaluation reported in Section 4.7.

This process ensures high-impact improvements are implemented first, maximizing readiness gains within resource constraints.

3.6. Reevaluating the DFR

Following improvement implementation, the system’s forensic readiness was reevaluated by comparing updated utility scores to baseline values. An increased score confirms readiness enhancement, whereas stagnant or diminished scores indicate the need for further targeted measures.

This reevaluation provides a quantitative, evidence-based feedback loop, reinforcing decision making grounded in rigorous analysis. A comprehensive understanding of potential threats, combined with expertise in defensive and forensic techniques, enables organizations to continually strengthen preparedness and accelerate investigative processes.

4. Results

This section presents a detailed analysis of cyber threat dynamics, emphasizing the interplay between attacker tactics and defender strategies. It integrates empirical data, game-theoretic insights, and readiness evaluation to examine how different strategic behaviors influence DFR. Our findings illustrate the alignment between simulated outcomes and practical cybersecurity trends, providing a comprehensive understanding of real-world implications.

4.1. Data Collection and Methodology

We used MITRE ATT&CK^® Enterprise v13.1 (9 May 2023) and MITRE D3FEND v0.12.0-BETA-2 (21 March 2023) via STIX 2.1 [56]. From the relationship path

$$\mathtt{intrusion-set}\stackrel{\mathrm{uses}}{\to }\mathtt{attack-pattern}$$

(Enterprise scope; direct edges only), we excluded objects/relations with revoked==true or x_mitre_deprecated==true. Technique IDs were normalized to uppercase; sub-techniques (e.g., T1027.013) were treated as distinct from their parents (e.g., T1027) and counted separately (no roll-up to parent techniques).

The final ATT&CK evidence set contains 260 technique assignments across ten intrusion sets: LeafMiner (17), Silent Librarian (13), OilRig (56), Ajax Security Team (6), Moses Staff (12), Cleaver (5), CopyKittens (8), APT33 (32), APT39 (52), MuddyWater (59).

Let S denote the 14 ATT&CK tactics and T the six D3FEND control families $F=\{\mathtt{Harden},\mathtt{Model},\mathtt{Evict},\mathtt{Isolate},\mathtt{Deceive},\mathtt{Detect}\}$. For each cell $(s,t)$ we aggregate many-to-many ATT&CK→D3FEND links and normalize by the number of (sub-)techniques under tactic s:

$$C(s,t)={\displaystyle \frac{\#\{k\in s:k\mapsto t\}}{\#\{k\in s\}}}.$$

Here C is a tactic × family coverage rate. Game-theoretic payoff functions for attackers and defenders are defined later in Section 4.6; they are not constrained to satisfy $D=-C$; hence, the bimatrix game is non-zero-sum. Versioning, STIX scripts, and mapping CSVs are provided in the repository (Appendix B).

Extraction and Mapping Objects

Let A be the set of APT groups (intrusion sets), X the ATT&CK (sub-)techniques (Enterprise v13.1), and Y the D3FEND techniques (v0.12.0-BETA-2). We extract

$$E=\{(a,x)\in A\times X:a\mathrm{uses}x\},M=\{(x,y)\in X\times Y:x\mathrm{mitigated\_by}y\},$$

drop revoked/deprecated objects, and retain sub-techniques as first-class elements. D3FEND techniques are categorized by family$\left(y\right)\in F$.

Versioning, STIX scripts, and the robustness check are provided in the Appendix B.3.

4.2. Analysis of Tactics and Techniques

We clarify how the many-to-many ATT&CK↔D3FEND graph is aggregated at the tactic layer and how double counting is avoided.

4.2.1. Named Metrics

We use two de-duplicated, tactic-level metrics:

• Family-coverage count (APT–technique–family incidence):

  $$\mathrm{Count}(\tau ,f)=\sum _{(a,x):x\in \tau }1\left(\exists y:(x,y)\in M,\mathrm{family}\left(y\right)=f\right),$$

  which counts, for each ATT&CK tactic $\tau$ and D3FEND family f, the number of unique $(\mathrm{APT}a,\mathrm{technique}x)$ instances with at least one mapped D3FEND technique in family f, de-duplicated once per $(a,x,f)$ even if multiple y in the same family map to $(a,x)$.
• Tactic recurrence (de-duplicated):

  $$\mathrm{Freq}\left(\tau \right)=\sum _{a\in A}1(\exists x\in \tau :(a,x)\in E\mathrm{and}x\mathrm{is}\mathrm{the}\mathrm{most}\mathrm{specific}\mathrm{technique}\mathrm{observed}\mathrm{for}\tau \mathrm{in}a),$$

i.e., for each APT a a tactic $\tau$ is credited at most once, preferring the most specific observed sub-technique (no observed sub-technique of x exists for a under $\tau$). Raw counts are shown in the figure; shares $s\left(\tau \right)=\mathrm{Freq}\left(\tau \right)/{\sum }_{{\tau }^{\prime }}\mathrm{Freq}\left({\tau }^{\prime }\right)$ and per-APT normalizations are reported in Appendix B.

4.2.2. How Figures Are Computed

Figure 5 reports $\mathrm{Count}(\tau ,f)$ as defined above (family coverage, not raw edge multiplicity). We also report per-APT normalizations $\widehat{p}(\tau ,f)=\mathrm{Count}(\tau ,f)/\left|A\right|$ in Appendix B. Figure 6 reports $\mathrm{Freq}\left(\tau \right)$ (one credit per APT per tactic, preferring the most specific sub-technique).

4.2.3. Notes and Limitations

Results inherit snapshot bias (versioning and reporting density). Mappings capture plausible mitigations, not guaranteed prevention. Full STIX extraction scripts and JSON snapshots are archived for reproducibility.

4.3. DFR Metrics Overview and Impact Quantification

Our analysis employs a set of 32 DFR metrics—16 attacker-centric and 16 defender-centric—detailed in Table 6 and Table 7. Each metric is normalized and weighted according to expert-driven AHP priorities.

The aggregate utility scores are computed as weighted sums of these metric values using Equations (6) and (7). Readiness is then computed as the difference between defender and attacker utility scores (Equation (9)).

4.3.1. Methods: Calibration-Based Synthetic Attacker Profiles

Notation Disambiguation

To avoid ambiguity, we use subscript notation consistently throughout: $S{T}_d$ for defender Staff Training (vs. $ST$ for attacker Stealthiness) and $P_d$ for defender Preservation (vs. P for attacker Persistence). This notation is applied in tables, figures, and text wherever defender metrics are referenced.

To ensure coherence between defender improvements and adversary pressure, we co-generated attacker utility profiles under an explicit coupling prior. Let $X^{\left(d\right)}\in {[0,1]}^{16}$ and $X^{\left(a\right)}\in {[0,1]}^{16}$ denote defender/attacker metric vectors. We specified a sparse coupling matrix $\Gamma$ (ATT&CK↔D3FEND-informed) that links defender capabilities (e.g., logging L, volatile capture $VDCC$, network forensics $NF$) to reductions in adversarial stealth ($ST$), exfiltration effectiveness ($DEE$), and attribution resistance ($AR$), among others. For each case, attacker “before” profiles were drawn from weakly correlated Beta priors; “after” profiles were updated by the calibrated rule

$$X_{\mathrm{after}}^{\left(a\right)}={clip}_{[0,1]}\left(X_{\mathrm{before}}^{\left(a\right)}-\lambda \Gamma {\Delta }_d+ϵ\right),{\Delta }_d=X_{\mathrm{after}}^{\left(d\right)}-X_{\mathrm{before}}^{\left(d\right)},$$

(8)

with case-wise $\lambda \in [0.8,1.2]$ and small noise $ϵ\in [-0.02,0.02]$. This construction avoids unrealistic across-the-board gains, preserves heterogeneity across cases, and operationalizes the ATT&CK↔D3FEND mapping. The AHP weights $w^{\left(d\right)},w^{\left(a\right)}$ are then applied to quantify readiness as

$$\mathrm{Readiness}=\sum _{k=1}^{16}{w}_k^{\left(d\right)}{x}_k^{\left(d\right)}-\sum _{\ell =1}^{16}{w}_{\ell }^{\left(a\right)}{x}_{\ell }^{\left(a\right)}.$$

(9)

Limitations

These attacker profiles are synthetic, calibration-based for illustrative evaluation rather than field measurements; inter-rater reliability is not applicable to this section. For per-expert consistency ratios (CRs) and AHP validation, see Figure A9 (Appendix B).

In our synthetic calibration, profiles with limited logging exhibit higher attacker utility in the readiness balance; targeted improvements centered on logging and forensic preservation typically reduce the attacker utility component by approximately 15–30% under the specified $\Gamma$ settings (see manifest and coupling files in Appendix B.5), contributing to higher net readiness. Specifically, linked attacker metrics (e.g., $ST$, DEE, AR) show reductions in the 15–30% range, while the overall weighted attacker utility component (computed via Equation (6)) shows a median reduction of approximately 8.0% across the $C=10$ cases. Across the $C=10$ synthetic cases, median readiness improvement ($\Delta$Readiness) is 18.0% (95% CI: [16.3%, 19.7%]).

This explicit linkage confirms the abstract’s key quantitative claims, grounded in our comprehensive DFR metric framework and empirical simulations.

4.4. Comparative Overview of Prior Game-Theoretic Models

To clarify how our contribution fits within the existing game-theoretic literature on digital forensic readiness,

Table 9. Representative game-theoretic approaches to digital forensic readiness and observability.

	Lakhdhar et al. [31]	Monteiro et al. [36]	This Work
Forensic objective	Investigation-ready infrastructure with cognitive defence	Adaptive observability and evidence collection for microservices	ATT&CK/D3FEND-grounded readiness planning for APT-focused organisations
Game formulation	2-player non-cooperative game; pure/mixed Nash equilibria	2-player Bayesian game; Bayesian Nash equilibria	Non-zero-sum bimatrix game, zero-sum variant, and evolutionary dynamics
Reported quantitative effects	Security cost gain of ≈45–$75\%$ vs. static defence; false decisions reduced by ≈70–$90\%$	${\mathrm{F}}_1$ improvements of ≈$3.1$–$42.5\%$ vs. full/sampling observability	Median readiness improvement of $18.0\%$ (95% CI [16.3, 19.7]); linked attacker metrics reduced by ≈15–$30\%$
Evaluation assets	Symbolic scenario library (CSLib); parameter sweeps over $(w_1,w_2,w_3,\gamma )$	TrainTicket benchmark (41 microservices, ${10}^2$–${10}^5$ concurrent users)	Empirical ATT&CK→D3FEND mappings (10 APT groups); 10 calibrated synthetic readiness profiles
Released artefacts	Not publicly documented	Prototype and evaluation scripts (GitHub:no public version available)	STIX extraction scripts, mapping CSVs, and YAML manifests for profile generation (GitHub; version: v1.0)

Reported percentages are taken directly from the original studies; because objectives, datasets, and metrics differ (cost, ${\mathrm{F}}_1$, readiness), these figures are not directly comparable across columns.

contrasts the problem focus, game formulation, and reported quantitative effects of three representative approaches. The goal is not a head-to-head benchmark—the objectives, datasets, and evaluation protocols differ substantially—but rather to highlight complementary emphases and outputs.

These approaches address different operational contexts and are complementary. Our contribution adds an ATT&CK/D3FEND-grounded readiness score for APT-focused SMEs, analyzes both equilibrium and evolutionary dynamics, and also releases reproducible artifacts that practitioners can adapt to their environments.

Connection to Sun Tzu’s Strategic Wisdom

Our results quantitatively validate the strategic principles introduced in Section 3.3, operationalizing Sun Tzu’s dictum: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” “Know yourself” is operationalized through the 16 defender metrics (Table 7) that quantify organizational capabilities. Our results demonstrate that organizations with limited logging (incomplete self-knowledge) exhibit higher attacker utility, whereas strategic improvements centered on logging and forensic preservation (enhanced self-knowledge) reduce attacker utility by 15–30%, validating the importance of self-awareness. Know the enemy is operationalized through the 16 attacker utilities (Table 6) derived from empirical ATT&CK data on real APT groups. The Nash equilibrium at $(s_{14}=\mathit{Impact},t_3=\mathit{Detect})$ reveals that understanding attacker priorities (Impact tactics) enables optimal defensive strategy (Detect), demonstrating the practical value of threat intelligence. We formalize three strategic states from Sun Tzu’s wisdom: comprehensive knowledge (targeted defense, high readiness), partial knowledge (vulnerable defense, moderate readiness), and ignorance (minimal resilience, low readiness). Our quantitative results show that moving from ignorance to comprehensive knowledge yields 18.0% median readiness improvement, providing concrete evidence that Sun Tzu’s strategic principles translate into measurable forensic readiness gains.

4.5. Attackers vs. Defenders: A Comparative Study

We analyzed how defensive techniques correspond to attacker strategies in frequency and efficacy. Figure 7 shows the distribution of D3FEND methods, such as Detect, Harden, Model, Evict, Isolate, and Deceive.

Our results indicate that attackers most frequently employ the Credential Access technique, with Impact-related tactics demonstrating the highest success rates. On the defense side, Detect emerged as the most frequently employed strategy, albeit with data limitations for the Impact category within the MITRE frameworks.

4.6. Game Dynamics and Strategy Analysis

4.6.1. Non-Zero-Sum $(A,D)$

Using vertex enumeration, we obtain exactly one Nash equilibrium, which is pure at $(s_{14}=\mathit{Impact},t_3=\mathit{Detect})$. Support enumeration yields the same point, and the KKT conditions are satisfied. The equilibrium is non-degenerate and stable under $\epsilon$-perturbations up to $\epsilon \le {10}^{-6}$.

4.6.2. Zero-Sum $(A,-D)$

Vertex enumeration returns exactly five Nash equilibria: two pure at $(s_{14},t_1)=(\mathit{Impact},\mathit{Model})$ and $(s_{12},t_4)=(\mathit{Command} \mathit{and} \mathit{Control},\mathit{Isolate})$ and three mixed with supports $\{s_{12},s_{14}\}\times \{t_1,t_4\}$, $\{s_9,s_{12}\}\times \{t_4,t_5\}$, and $\{s_9,s_{11}\}\times \{t_4,t_5\}$. All pass KKT verification, are non-degenerate, and are $\epsilon$-stable for $\epsilon \le {10}^{-6}$ (Note: Support enumeration reports only three equilibria on this instance; therefore, vertex enumeration is used as the primary method and ground truth). These results, detailed in Appendix B.9 and Table A3, demonstrate different strategic patterns under the transformed game structure and illustrate that attackers diversify tactics in response to defender adaptations, while defenders strategically redistribute effort based on attack probability.

All computed equilibria satisfy the KKT optimality conditions, are non-degenerate in the game-theoretic sense, and remain invariant under small payoff perturbations up to $\epsilon \le {10}^{-6}$. For each equilibrium we numerically verified KKT feasibility, dual feasibility, and complementarity, and we report best-response residuals $<{10}^{-14}$ (see Appendix B.8 for details).

Both analyses align with empirical evidence, showing that strategic flexibility—not rigid planning—enhances readiness. Convergence between theoretical modeling and real-world data reveals interdependencies between adaptive behaviors, informing more resilient DFR optimization frameworks.

While support enumeration formally identifies the PNE at the Attacker strategy ‘Impact’ paired with the Defender strategy ‘Detect’, the dynamic convergence analysis reveals that early trajectory states—starting from uniform or neutral mixed strategies—tend to gravitate toward the ‘Command_and_Control’ strategy for the attacker paired with ‘Detect’ for the defender. This suggests that, during the learning or adaptation phase, the system often stabilizes near this local attractor before potentially progressing to the PNE or possibly remaining trapped depending on the adaptation dynamics and information of the players. Therefore, both states are significant: the PNE represents the theoretically stable solution assuming full rationality and optimal play, whereas the observed convergence behavior reflects realistic intermediate strategic positioning players may occupy during actual cybersecurity engagements. Recognizing this duality informs defenders that, while ‘Impact/Detect’ is a strategic target equilibrium, adaptive defense must also address the commonly emerging patterns around ‘Command_and_Control/Detect’ to guide attackers toward less damaging behaviors.

4.7. Synthetic, Calibration-Based Case Profiles

To validate the effectiveness of our proposed framework, we generated synthetic, calibration-based case profiles that simulate forensic readiness scenarios before and after implementing the framework. These profiles are illustrative and calibration-based rather than field measurements; they operationalize the ATT&CK↔D3FEND mapping through an explicit coupling mechanism (see Section 4.3.1 and Appendix B). Ten case profiles are presented in

Table 10. Synthetic DFR profiles (before implementation). Illustrative, calibration-based scenarios; not field measurements.

Case	L	I	D	VDCC	E	IR	DR	NF	${\mathrm{ST}}_{\mathit{d}}$	LR	A	C	T	R	V	${\mathrm{P}}_{\mathit{d}}$
1	0.5	0.6	0.3	0.4	0.5	0.6	0.2	0.5	0.2	0.6	0.7	0.2	0.6	0.1	0.2	0.4
2	0.1	0.2	0.7	0.6	0.1	0.2	0.6	0.1	0.6	0.4	0.2	0.6	0.2	0.1	0.6	0.5
3	0.6	0.1	0.6	0.5	0.6	0.4	0.2	0.2	0.6	0.1	0.6	0.1	0.2	0.6	0.1	0.6
4	0.7	0.2	0.2	0.7	0.2	0.6	0.4	0.6	0.2	0.1	0.2	0.6	0.1	0.2	0.6	0.2
5	0.7	0.6	0.3	0.5	0.6	0.7	0.4	0.2	0.6	0.3	0.6	0.2	0.1	0.6	0.2	0.3
6	0.5	0.7	0.5	0.7	0.5	0.4	0.6	0.6	0.3	0.2	0.6	0.1	0.6	0.2	0.4	0.6
7	0.4	0.6	0.3	0.6	0.7	0.6	0.2	0.2	0.7	0.6	0.2	0.7	0.6	0.2	0.5	0.4
8	0.1	0.2	0.6	0.5	0.6	0.2	0.5	0.4	0.2	0.6	0.1	0.2	0.6	0.7	0.6	0.2
9	0.6	0.3	0.2	0.6	0.2	0.3	0.6	0.6	0.4	0.2	0.6	0.3	0.2	0.6	0.2	0.5
10	0.5	0.6	0.3	0.2	0.6	0.2	0.7	0.2	0.5	0.6	0.2	0.4	0.2	0.6	0.5	0.2

and

Table 11. Synthetic DFR profiles (after implementation). Illustrative, calibration-based scenarios; not field measurements. Profiles generated using targeted framework uplift with coupling constraints (see Section 4.3.1).

Case	L	I	D	VDCC	E	IR	DR	NF	${\mathrm{ST}}_{\mathit{d}}$	LR	A	C	T	R	V	${\mathrm{P}}_{\mathit{d}}$
1	0.8	0.8	0.7	0.9	0.8	0.8	0.7	0.9	0.7	0.6	0.8	0.7	0.8	0.7	0.7	0.7
2	0.9	0.8	0.9	0.8	0.7	0.9	0.7	0.8	0.6	0.7	0.7	0.8	0.7	0.6	0.6	0.8
3	0.8	0.7	0.8	0.9	0.8	0.9	0.8	0.9	0.7	0.8	0.8	0.7	0.7	0.7	0.8	0.7
4	0.8	0.9	0.9	0.8	0.7	0.9	0.9	0.8	0.7	0.7	0.7	0.8	0.7	0.7	0.6	0.8
5	0.7	0.7	0.9	0.7	0.8	0.9	0.7	0.9	0.8	0.8	0.7	0.7	0.6	0.8	0.7	0.7
6	0.7	0.8	0.8	0.9	0.7	0.8	0.6	0.9	0.6	0.7	0.6	0.8	0.7	0.9	0.7	0.7
7	0.8	0.7	0.9	0.7	0.6	0.9	0.8	0.9	0.7	0.8	0.7	0.7	0.8	0.7	0.8	0.8
8	0.7	0.6	0.9	0.8	0.8	0.9	0.8	0.8	0.8	0.7	0.7	0.8	0.7	0.6	0.8	0.7
9	0.9	0.7	0.8	0.7	0.7	0.9	0.7	0.8	0.7	0.8	0.8	0.7	0.6	0.7	0.7	0.7
10	0.8	0.8	0.9	0.7	0.7	0.9	0.8	0.7	0.7	0.8	0.7	0.7	0.8	0.8	0.6	0.8

.

Notation: To avoid ambiguity, defender metrics use a subscript d (e.g., $S{T}_d$ = Staff Training, $P_d$ = Preservation), while attacker metrics keep bare symbols (e.g., $ST$ = Stealthiness, P = Persistence).

A comparative visualization (Figure 8) shows measurable improvement in post-implementation readiness scores for most metrics, validating the framework’s effectiveness. The 32 DFR metrics (16 defender + 16 attacker) serve as quantitative indicators of both forensic readiness (process capability) and forensicability (system capability to support investigations). Higher metric scores indicate improved readiness and enhanced forensicability, enabling organizations to transition from non-forensicability to forensicable states. Quality control metrics (detailed in Appendix B.5) confirm that all cases show positive defender and readiness improvements, with realistic heterogeneity: mean readiness improvement of approximately 18.0% (95% CI: [$16.3\%,19.7\%$]), with 34% of attacker metrics remaining unchanged per case, demonstrating selective suppression rather than global collapse. Across the 10 synthetic cases, organizations showed measurable improvements in forensic readiness, with systems becoming more forensicable as evidenced by enhanced logging, volatile data capture, and network forensics capabilities. The scores in Table 10 and Table 11 are generated from the YAML configuration and RNG seed (42) listed in the manifest (Appendix B.5), enabling exact regeneration of these values.

4.8. Sensitivity Analysis

4.8.1. Local Perturbation Sensitivity

We assess ranking robustness for both attacker and defender criteria using local perturbations of the aggregated AHP pairwise comparison matrices. For each metric i in turn, all entries in the i-th row/column (i.e., all comparisons involving i) are shifted by exactly one step on the Saaty 1–9 scale (up or down with equal probability), reciprocity is re-enforced, and a multiplicative uniform noise of $\pm 5\%$ is applied. We repeat this $R=200$ times per metric and recompute the principal-eigenvector weights after each perturbation. The stability of metric i is quantified as

$${\mathrm{Stability}}_i={\displaystyle \frac{1}{n}}\sum _{j=1}^n\left|{rank}_j^{\left(i\right)}-{rank}_j^{\left(\mathrm{orig}\right)}\right|,$$

where ${rank}^{\left(\mathrm{orig}\right)}$ are ranks under the unperturbed matrix and ${rank}^{\left(i\right)}$ are ranks after perturbing metric i. Lower values indicate higher rank stability. The combined results for attacker (orange) and defender (blue) metrics are shown in Figure 9. In our data several metrics (e.g., ASR on the attacker side and L (Logging) on the defender side) exhibit relatively low average rank changes.

4.8.2. Monte Carlo Simulation

To examine how uncertainty in metric levels affects overall readiness, we run a Monte Carlo simulation with $N=20,000$ draws. For each run we sample attacker and defender metric values independently from $[0,1]$ and compute weighted scores using the AHP-derived weights. Readiness is computed as in Equation (9). We quantify each metric’s global sensitivity as the absolute Pearson correlation between the metric value and the readiness score. Figure 10 reports these correlations (higher bars indicate stronger influence). Figure 11 and Figure 12 visualize the bivariate relationships for each side.

Parameters including Collaboration (CB), Reputation and Prestige (RP), and Volatile Data Capture Capabilities (VDCC) had lower sensitivities (Figure 11), but their presence contributes to broader defense stability.

Overall, a few high-sensitivity metrics drive most of the variability in readiness, while the remaining ones provide a complementary signal that stabilizes performance.

4.9. Distribution of Readiness Score

The histogram in Figure 13 displays the standardized (z-scored) readiness values, $z=(x-\mu )/\sigma$, centered at zero. Because readiness is defined as defender minus attacker score, the raw values lie approximately in $[-1,1]$; standardization clarifies relative deviations from the mean, hence, the presence of both negative and positive values. The near-symmetric shape indicates a balanced spread around the average level of preparedness, with low-frequency tails representing unusually weak or unusually strong cases.

Key observations include the following:

• Central Peak at 0.0: A high frequency around 0.0 indicates balanced readiness in most systems.
• Symmetrical Spread: Even tapering on both sides suggests system stability across environments.
• Low-Frequency Extremes: Outliers at the tails (−0.3 and +0.3) denote rare but critical deviations requiring targeted intervention.

This symmetrical distribution implies consistent readiness performance with occasional exceptional cases—either highly prepared or notably weak systems. When combined with sensitivity outcomes, this distribution reinforces the importance of continuous evaluation, adaptive planning, and targeted investment in high-impact metrics to sustain forensic readiness.

5. Discussion

Applying the proposed game-theoretic framework within an organizational cybersecurity context entails multiple phases and distinct challenges. Figure 14 could visualize these steps, which are summarized as follows:

• Implementation Challenges: Real-world adoption may encounter barriers such as limited resources, integration costs, and the need for game theory expertise. Organizational resistance to change and adaptation to new analytical frameworks are additional challenges.
• Integration with Existing Tools: The framework can align synergistically with existing platforms such as threat intelligence systems, SIEM, and EDR tools. These integrations can enhance decision making and optimize forensic investigation response times.
• Decision Support Systems: Game-theoretic models can augment decision support processes by helping security teams prioritize investments, allocate resources, and optimize incident response based on adaptive risk modeling.
• Training and Awareness Programs: Building internal capability is crucial. Training programs integrating game-theoretic principles into cybersecurity curricula can strengthen decision making under adversarial uncertainty.
• Collaborative Defense Strategies: The framework supports collective defense through shared intelligence and coordinated responses. Collaborative action can improve deterrence and resilience against complex, multi-organizational threats.
• Policy Implications: Incorporating game theory into cybersecurity has policy ramifications, including regulatory alignment, responsible behavior standards, and ethical considerations regarding autonomous or strategic decision models.
• Case Studies and Use Cases: Documented implementations of game-theoretic approaches demonstrate measurable improvements in risk response and forensic readiness. Future research can expand these to varied industry sectors.
• Future Directions: Continued innovation in game model development, integration with AI-driven threat analysis, and tackling emerging cyber challenges remain promising directions.

While adoption may face organizational or technical barriers, the approach remains adaptable. Incorporation with SIEM, EDR, and threat intelligence workflows allows for effective deployment, while targeted training mitigates skill gaps. Ultimately, these methods can significantly enhance decision support and defense coordination across security ecosystems.

5.1. Forensicability and Non-Forensicability

The dual concepts of forensicability and non-forensicability capture the degree to which digital systems are prepared to support forensic investigation and incident response.

Non-forensicability refers to an environment’s inability to effectively preserve or provide forensic evidence, typically arising from poor data retention, weak logging, or compromised evidence integrity. It represents a subjective assessment grounded in measurable deficiencies of DFR. Quantitatively, this can be evaluated via parameters such as log resolution, retention time, or audit trail completeness.

Conversely, forensicability characterizes systems that exhibit the structural and procedural maturity necessary for reliable forensic investigations. Hallmarks of forensicable systems include secure log management, redundancy in evidence capture, and adherence to recognized forensic standards. These factors not only strengthen internal visibility but also ensure evidence admissibility in legal contexts.

For organizations, enhancing forensicability means institutionalizing proactive DFR practices—ensuring data capture, protection, and retrieval mechanisms are integral to operations. Continuous assessment through forensic readiness metrics helps organizations transition from fragile, reactive postures to resilient, evidence-supported defenses.

5.2. Evolutionary Game Theory Analysis

Using Evolutionary Game Theory (EGT) enables modeling of how attacker and defender strategies evolve concurrently over time. This approach captures adaptation cycles that traditional static game models overlook.

The simulation results in

Table 12. Simulation results based on evolutionary game theory.

Res.	Def.	Att.	Scen.	Final Val.	Avg. Att.	Avg. Def.	Avg. Read.
1	10	5	a	0.56	0.84	–	0.00
1	15	5	b	0.52	0.94	–	0.00
1	25	5	c	0.61	0.69	–	0.00
3	10	5	d	0.96	0.58	–	0.00
3	25	5	f	1.00	1.00	–	0.00
5	15	5	h	0.91	0.75	–	0.03

and Figure 15 illustrate how strategy populations change across generations. Attackers and defenders adjust probabilistically based on observed payoffs, with defender readiness influencing long-term stability.

Key insights derived from EGT include the following:

• Evolutionary Dynamics: Attackers and defenders co-adapt in continuous feedback cycles; the success of one influences the next strategic shift in the other.
• Replication and Mutation: Successful tactics replicate, while mutations introduce strategic diversity critical for both exploration and adaptation.
• Equilibrium and Stability: Evolutionary Stable Strategies (ESSs) represent steady states where neither party benefits from deviation.
• Co-evolutionary Context: The model exposes the perpetual nature of cyber escalation, showing that proactive defense and continuous readiness optimization are essential to remain resilient.

5.3. Attack Impact on Readiness and Investigation Phases

The simulation represented in Figure 16 demonstrates how attacks influence DFR through overlapping utility functions between attackers and defenders during investigation phases. Each incident reveals opportunities for defenders to improve readiness, forming a feedback mechanism between preparedness and investigative learning.

Observed overlaps indicate that investigation phases contribute directly to capability growth—highlighting that post-incident analysis enriches strategic defense planning and improves future preparedness.

5.4. Readiness and Training Level of the Defender

Simulations comparing varying defender experience levels (Junior, Mid-level, Senior) reveal a direct correlation between training maturity and overall forensic readiness (Figure 17). Higher training levels correlate with improved detection accuracy and evidence capture, illustrating that defensive effectiveness is both strategic and skill-dependent.

5.5. Attack Success and Evidence Collection Rates

Monte Carlo simulations of attack outcomes (

Table 13. Simulation results (mean ± 95% CI; $N=50,000$ trials per setting).

	Low	Medium	High
Attack success rate	0.25 ± 0.0038	0.53 ± 0.0044	0.75 ± 0.0038
Evidence collection rate	0.93 ± 0.0022	0.96 ± 0.0017	0.94 ± 0.0021

) show that higher attacker capability increases success rates, while robust forensic processes substantially raise evidence collection probability across scenarios.

5.6. Comparative Analysis in SMB and SME Organizations

Recognizing that SMEs and SMBs differ in resource availability and defensive maturity, a comparative simulation was conducted (

Table 14. Simulation results of attack success rate for SME and SMB organizations.

ID	SME					SMB					Impact Metrics
	Type	Malic.	Str.	Impact	CVSS	Type	Malic.	Str.	Impact	CVSS	Workload	Avail.	Conf.	Integ.
0	DDoS	0.75	1.12	High	7	DDoS	0.75	1.12	High	7	1.125	0.8	0	0
1	SQLI	0.75	1.12	High	9	SQLI	0.75	1.12	High	9	2.7	2.58	7.2	7.2
2	DDoS	0.75	1.12	Med	0	DDoS	0.75	1.12	Med	0	1.125	0.96	0	0
3	SQLI	0.75	1.12	High	9	SQLI	0.75	1.12	High	9	1.125	1.005	7.2	7.2
4	DDoS	0.75	1.12	Low	0	DDoS	0.75	1.12	Low	0	1.125	0.96	0	0
5	SQLI	0.75	1.12	Med	7	SQLI	0.75	1.12	Med	7	2.7	2.58	2.8	2.8

and

Table 15. Simulation result of attack success rate—irrational behavior.

ID	SME					SMB					Impact Metrics
	Type	Malic.	Str.	Impact	CVSS	Type	Malic.	Str.	Impact	CVSS	Workload	Avail.	Conf.	Integ.
0	SQLI	0.49	0.73	Med	7	SQLI	0.49	0.73	Med	7	0.73	0.61	2.8	2.8
1	DDoS	0.75	1.12	High	7	DDoS	0.75	1.12	High	7	1.12	0.80	0	0
2	DDoS	0.80	1.21	High	7	DDoS	0.80	1.21	High	7	1.21	0.80	0	0
3	SQLI	0.16	0.24	High	9	SQLI	0.16	0.24	High	9	0.24	0.12	7.2	7.2
4	SQLI	0.58	0.87	High	9	SQLI	0.58	0.87	High	9	2.45	2.33	7.2	7.2
5	DDoS	0.84	1.26	High	7	DDoS	0.84	1.26	High	7	2.84	0.80	0	0

). Results show that SMBs typically exhibit higher resilience, yet both types face elevated risks under “irrational” attacker behaviors.

Figure 18 visualizes how SME/SMB impact metrics shift between baseline and irrational attacker settings for the SQLi and DDoS scenarios described above.

Irrational Attacker Behavior Analysis

By modeling partial randomness in adversarial decision making, “irrational behavior” introduces deviations from expected attacks, thus reflecting real-world unpredictability. Figure 19 and Figure 20 illustrate the expanded range of outcomes.

This model highlights the necessity for robust intrusion detection, endpoint monitoring, and anomaly-based analytics to counteract unpredictable threats and enhance resilience in both small- and mid-scale organizations.

5.7. Limitations and Future Work

While this research offers a structured quantitative contribution to DFR and security strategy development, certain limitations acknowledge the boundaries of current modeling:

• Model Complexity: Real-world human elements and deep organizational dynamics may extend beyond current model parameters.
• Data Availability: Reliance on open-source ATT&CK and D3FEND datasets limits coverage of emerging threat behaviors.
• Computational Needs: Evolutionary modeling and large-scale simulations require high-performance computing resources.
• Expert Bias: AHP-based weighting depends on expert judgment, introducing potential subjective bias despite structured controls.

Future research could pursue the following:

• Real-time Adaptive Models: Integrating continuous learning to instantly adapt to threat changes.
• AI/ML Integration: Employing predictive modeling for attacker intent recognition and defense automation.
• Cross-Organizational Collaboration: Expanding to cooperative game structures for shared threat response.
• Empirical Validation: Conducting large-scale quantitative studies to reinforce and generalize model applicability.

6. Conclusions

This study presents a comprehensive game-theoretic framework that formalizes classical strategic principles, notably those of Sun Tzu, into a structured model applicable to contemporary cyber conflict analysis. By modeling the strategic interplay between attackers and defenders, the framework bridges traditional strategic insight and modern decision-theoretic planning. It integrates MITRE ATT&CK–D3FEND mappings, incorporates readiness scoring across simulated organizational scenarios, and aligns these insights with quantitative game-theoretical analyses.

Our results on the non-zero-sum bimatrix $(A,D)$ identify exactly one Nash equilibrium, which is pure at $(s_{14}=\mathit{Impact},t_3=\mathit{Detect})$. The PNE emphasizes the defender’s Detect strategy as a robust counter to attackers’ Impact-focused operations. Analysis of the zero-sum variant $(A,-D)$ (see Appendix B.9) yields exactly five equilibria: two pure at $(s_{14},t_1)=(\mathit{Impact},\mathit{Model})$ and $(s_{12},t_4)=(\mathit{Command} \mathit{and} \mathit{Control},\mathit{Isolate})$ and three mixed with supports $\{s_{12},s_{14}\}\times \{t_1,t_4\}$, $\{s_9,s_{12}\}\times \{t_4,t_5\}$, and $\{s_9,s_{11}\}\times \{t_4,t_5\}$. These results suggest that, under the transformed game structure, defenders should allocate approximately 90–95% of their forensic effort toward modeling controls, preserving a smaller fraction for real-time detection. This balance introduces useful strategic unpredictability, increases the attacker’s required effort, and diminishes overall intrusion success probabilities. However, all policy conclusions in this paper are drawn from the non-zero-sum bimatrix $(A,D)$.

Operationally, these insights were translated into a four-phase assessment process encompassing readiness scoring, maturity classification, gap identification, and roadmap prioritization. Through this practical translation, our model enables measurable digital forensic improvements. In our synthetic calibration across 10 organizational profiles, limited logging increases the attacker utility component of readiness, whereas strategic improvements centered on logging and forensic preservation typically reduce it. Specifically, linked attacker metrics (e.g., $ST$, DEE, AR) show reductions in the 15–30% range, while the overall weighted attacker utility component (computed via Equation (6)) shows a median reduction of approximately 8.0% across cases, contributing to higher net readiness. Most importantly, our quantitative results demonstrate that moving from ignorance to comprehensive knowledge yields a median readiness improvement of 18.0% (95% CI: [16.3%, 19.7%]) across $N=20,000$ Monte Carlo trials, providing concrete evidence that Sun Tzu’s strategic principles translate into measurable forensic readiness gains (see manifest hyperparameters in Appendix B.5).

The contribution of the framework is best seen through the systematic comparison with prior game-theoretic forensics approaches (Table 1). While prior work has advanced game-theoretic forensics in specific domains (Bayesian modelling, tool selection, cognitive security, risk analysis, adaptive observability), our framework brings these ideas together by the following: (i) systematically integrating ATT&CK and D3FEND into a unified game-theoretic model; (ii) grounding quantitative utilities in AHP-weighted DFR metrics; (iii) providing explicit MNE analysis with support conditions; and (iv) delivering actionable SME guidance under resource constraints.

Our goal is to complement prior theoretical work by showing how existing game-theoretic concepts and knowledge graphs can be instantiated for quantitative forensic-readiness planning. The novelty lies in the metricisation and integration choices, not in proposing a new game-theoretic foundation.

6.1. Limitations

The framework’s accuracy depends on the quality and granularity of metric data as well as expert input for AHP weighting. Factors such as organizational diversity, resource variability, and evolving adversary behaviors could influence transferability across different organizational contexts. Additionally, the assumption of static utility parameters (derived from ATT&CK–D3FEND mappings and AHP weights) in our normal-form bimatrix game model simplifies real-world dynamics, which are inherently fluid and adaptive. The simultaneous-move structure does not capture temporal evolution or learning behaviors that may occur in extended adversarial interactions.

6.2. Future Research Directions

Building upon this foundation, several research extensions are envisaged:

• Extended Environmental Applications: Adapting the framework to cloud-native, IoT, and blockchain ecosystems where architectural differences create distinct forensic challenges.
• Dynamic Threat Intelligence Integration: Employing real-time data feeds and AI-based analytics to enable adaptive recalibration of utilities and strategy distributions.
• Standardized Readiness Benchmarks: Developing comparative industry baselines for forensic maturity that support cross-organizational evaluation and improvement.
• Automated Response Coupling: Integrating automated incident response and orchestration tools to bridge the gap between detection and remediation.
• Enhanced Evolutionary Models: Expanding evolutionary game formulations to capture longer-term strategic co-adaptations between attackers and defenders.
• Large-Scale Empirical Validation: Conducting multi-sector, empirical measurement campaigns to statistically validate and refine equilibrium predictions.

In conclusion, the proposed game-theoretic approach provides a mathematically grounded, strategically informed basis for advancing DFR. By linking equilibrium analysis with empirical readiness metrics, the framework offers a repeatable methodology for optimizing resource allocation, reducing attacker advantage, and fostering systemic resilience against persistent and adaptive cyber threats.