{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T16:35:45Z","timestamp":1777394145447,"version":"3.51.4"},"reference-count":124,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2024,11,14]],"date-time":"2024-11-14T00:00:00Z","timestamp":1731542400000},"content-version":"vor","delay-in-days":318,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,1,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>In recent years there have been efforts to bring a degree of quantification to the task of security risk analysis. Various arguments in favour of such developments have been offered: \u2018checklist\u2019- or \u2018tickbox\u2019-based security is insufficiently dynamic; risk matrices are flawed; quantitative approaches must (somehow) be better than qualitative ones; it makes sense to leverage advances in data science, AI, and machine learning in concert with the increasing abundance of data; there is merit in leveraging lessons from economics. While some notes of caution have been offered in the literature (with data availability and quality being prominent concerns), we argue that greater consideration and recognition of the relationship between risk and uncertainty\u2014and, indeed, unawareness\u2014would be of value to the community. In doing so, we look to recent critiques of the prevailing economics orthodoxy before considering potential sources of possible help.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae022","type":"journal-article","created":{"date-parts":[[2024,11,14]],"date-time":"2024-11-14T04:01:50Z","timestamp":1731556910000},"source":"Crossref","is-referenced-by-count":2,"title":["Into the unknown: the need to reframe risk analysis"],"prefix":"10.1093","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3597-2232","authenticated-orcid":false,"given":"Andrew","family":"Simpson","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Oxford , Wolfson Building, Parks Road, Oxford OX1 3QD ,","place":["United Kingdom"]}]}],"member":"286","published-online":{"date-parts":[[2024,11,14]]},"reference":[{"key":"2025092301112608600_bib1","doi-asserted-by":"crossref","DOI":"10.6028\/NIST.SP.800-160v2r1","article-title":"Developing Cyber-Resilient Systems: A Systems Security Engineering Approach","author":"Ross","year":"2021"},{"key":"2025092301112608600_bib2","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1057\/s41288-020-00163-w","article-title":"Data breaches in the catastrophe framework and beyond","volume":"46","author":"Wheatley","year":"2019","journal-title":"The Geneva Papers on Risk and Insurance \u2013 Issues and Practice\u00a0"},{"key":"2025092301112608600_bib3","doi-asserted-by":"publisher","first-page":"279","DOI":"10.1016\/j.clsr.2017.12.003","article-title":"Understanding the notion of risk in the General Data Protection Regulation","volume":"34","author":"Gellert","year":"2018","journal-title":"Comput Law Secur Rev"},{"key":"2025092301112608600_bib4","article-title":"The data protection impact assessment: What can it contribute to data protection?","author":"Quelle","year":"2015"},{"key":"2025092301112608600_bib5","article-title":"Data-Driven Security: Analysis, Visualization and Dashboards","author":"Jacobs","year":"2014"},{"key":"2025092301112608600_bib6","article-title":"A report on the future of finance, future of risk, and future of quant: risk, uncertainty, and profit for the cyber era: model risk management of Cyber insurance models using quantitative finance and advanced analytics","author":"Malhotra","year":"2015"},{"key":"2025092301112608600_bib7","doi-asserted-by":"publisher","first-page":"610","DOI":"10.1126\/science.1130992","article-title":"The economics of information security","volume":"314","author":"Anderson","year":"2006","journal-title":"Science"},{"key":"2025092301112608600_bib8","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-540-74143-5_5","article-title":"Information security economics\u2014and beyond","volume-title":"Proceedings of the 27th Annual International Cryptology Conference (CRYPTO 2007). vol. 4622 of Lecture Notes in Computer Science","author":"Anderson","year":"2007"},{"key":"2025092301112608600_bib9","first-page":"83","article-title":"Electrical Units of Measurement","volume-title":"Popular Lectures and Addresses. Volume I: Constitution of Matter","author":"Thomson","year":"1891"},{"key":"2025092301112608600_bib10","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1086\/255500","article-title":"What is Truth in Economics?\u00a0","volume":"48","author":"Knight","year":"1940","journal-title":"J Polit Econ"},{"key":"2025092301112608600_bib11","doi-asserted-by":"publisher","first-page":"876","DOI":"10.1111\/risa.12899","article-title":"An emerging new risk analysis science: foundations and implications","volume":"38","author":"Aven","year":"2018","journal-title":"Risk Anal"},{"key":"2025092301112608600_bib12","first-page":"119","article-title":"How much should we spend to protect privacy: data breaches and the need for information we do not have","volume":"15","author":"Sloan","year":"2017","journal-title":"J Law Econ Policy"},{"key":"2025092301112608600_bib13","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1109\/MSP.2012.106","article-title":"Security measurement steps, missteps, and next steps","volume":"10","author":"Pfleeger","year":"2012","journal-title":"IEEE Secur Priv"},{"key":"2025092301112608600_bib14","doi-asserted-by":"publisher","first-page":"46","DOI":"10.1109\/MSP.2010.60","article-title":"Why measuring security is hard","volume":"8","author":"Pfleeger","year":"2010","journal-title":"IEEE Secur Priv"},{"key":"2025092301112608600_bib15","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1109\/MSP.2012.75","article-title":"Security analytics and measurements","volume":"10","author":"Cybenko","year":"2012","journal-title":"IEEE Secur Priv"},{"key":"2025092301112608600_bib16","doi-asserted-by":"crossref","DOI":"10.1002\/9781119162315","volume-title":"How to Measure Anything in Cybersecurity Risk","author":"Hubbard","year":"2016"},{"key":"2025092301112608600_bib17","volume-title":"The Scientific Outlook","author":"Russell","year":"1931"},{"key":"2025092301112608600_bib18","volume-title":"A treatise on probability","author":"Keynes","year":"1921"},{"key":"2025092301112608600_bib19","volume-title":"Corporate Priorities: A continuing study of the new demands on business","author":"Yankelovich","year":"1972"},{"key":"2025092301112608600_bib20","volume-title":"Radical Uncertainty: Decision-making for an Unknowable Future","author":"Kay","year":"2020"},{"key":"2025092301112608600_bib21","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-319-55351-1","volume-title":"Uncertainty in economics: a new approach","author":"K\u00f6hn","year":"2017"},{"key":"2025092301112608600_bib22","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1016\/j.cose.2016.10.009","article-title":"Introducing cybernomics: A unifying economic framework for measuring cyber risk","volume":"65","author":"Ruan","year":"2017","journal-title":"Comput Secur"},{"key":"2025092301112608600_bib23","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1257\/aer.p20151066","article-title":"Mathiness in the Theory of Economic Growth","volume":"105","author":"Romer","year":"2015","journal-title":"Am Econ Rev"},{"key":"2025092301112608600_bib24","article-title":"On mathiness and other concerns in the modelling of cybersecurity risk","author":"Simpson","year":"2024"},{"key":"2025092301112608600_bib25","volume-title":"The Black Swan: The Impact of the Highly Improbable","author":"Taleb","year":"2008"},{"key":"2025092301112608600_bib26","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9781139026185","volume-title":"The World in the Model: How Economists Work And Think","author":"Morgan","year":"2012"},{"key":"2025092301112608600_bib27","volume-title":"Predicting Our Climate Future: What We Know, What We Don\u2019t Know, And What We Can\u2019t Know","author":"Stainforth","year":"2023"},{"key":"2025092301112608600_bib28","doi-asserted-by":"publisher","first-page":"105","DOI":"10.1016\/j.strusafe.2008.06.020","article-title":"Aleatory or epistemic? Does it matter?","volume":"31","author":"Der\u00a0Kiureghian","year":"2009","journal-title":"Struct Saf"},{"key":"2025092301112608600_bib29","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1007\/BF01405730","article-title":"Dilemmas in a General Theory of Planning","volume":"4","author":"Rittel","year":"1973","journal-title":"Policy Sci"},{"key":"2025092301112608600_bib30","article-title":"Risks and Riddles","author":"Treverton","year":"2007"},{"key":"2025092301112608600_bib31","doi-asserted-by":"publisher","first-page":"411","DOI":"10.1177\/0967010607084994","article-title":"Knowns and unknowns in the \u2018war on terror\u2019: uncertainty and the political construction of danger","volume":"38","author":"Daase","year":"2007","journal-title":"Secur Dialogue"},{"key":"2025092301112608600_bib32","article-title":"A System of Logic","author":"Mill","year":"1843"},{"key":"2025092301112608600_bib33","first-page":"89","article-title":"Rethinking the Proposition of Privacy Engineering","volume-title":"Proceedings of the 2018 New Security Paradigms Workshop (NSPW 2018)","author":"Ceross","year":"2018"},{"key":"2025092301112608600_bib34","doi-asserted-by":"publisher","first-page":"24","DOI":"10.1109\/MSECP.2003.1219053","article-title":"Information security: Why the future belongs to the quants","volume":"1","author":"Geer,\u00a0Jr","year":"2003","journal-title":"IEEE Secur Priv"},{"key":"2025092301112608600_bib35","doi-asserted-by":"publisher","first-page":"3870","DOI":"10.1038\/s41467-019-11865-8","article-title":"A short comment on statistical versus mathematical modelling","volume":"10","author":"Saltelli","year":"2019","journal-title":"Nat Commun"},{"key":"2025092301112608600_bib36","doi-asserted-by":"crossref","first-page":"84","DOI":"10.1017\/CBO9780511792601.006","article-title":"Are rational actor models \u2018rational\u2019 outside small worlds?","volume-title":"Evolution and Rationality: Decisions, Co-operation and Strategic Behaviour","author":"Brighton","year":"2012"},{"key":"2025092301112608600_bib37","volume-title":"Price Theory: A Provisional Text","author":"Friedman","year":"1962"},{"key":"2025092301112608600_bib38","article-title":"The Foundations of Statistics","author":"Savage","year":"1954"},{"key":"2025092301112608600_bib39","volume-title":"Risk, Uncertainty, and Profit","author":"Knight","year":"1921"},{"key":"2025092301112608600_bib40","doi-asserted-by":"publisher","first-page":"539","DOI":"10.1093\/cje\/22.5.539","article-title":"Clarifying Frank Knight\u2019s discussion of the meaning of risk and uncertainty","volume":"22","author":"Runde","year":"1998","journal-title":"Cambridge J Econ"},{"key":"2025092301112608600_bib41","doi-asserted-by":"publisher","first-page":"283","DOI":"10.2307\/2951614","article-title":"Intertemporal asset pricing under Knightian uncertainty\u2019","volume":"62","author":"Epstein","year":"1994","journal-title":"Econometrica"},{"key":"2025092301112608600_bib42","article-title":"Dealing with uncertainty in risk analysis: combining safety and security","author":"Abdo","year":"2017"},{"key":"2025092301112608600_bib43","doi-asserted-by":"publisher","first-page":"34","DOI":"10.3390\/g9020034","article-title":"Risk Assessment Uncertainties in Cybersecurity Investments","volume":"9","author":"Fielder","year":"2018","journal-title":"Games"},{"key":"2025092301112608600_bib44","first-page":"361","article-title":"Estimating Loss Due to Cyber-Attack in the Presence of Uncertainty","volume-title":"Proceedings of the 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2020)","author":"Nguyen","year":"2020"},{"key":"2025092301112608600_bib45","doi-asserted-by":"publisher","first-page":"tyab001","DOI":"10.1093\/cybsec\/tyab001","article-title":"Risk and uncertainty can be analyzed in cyberspace","volume":"7","author":"Brantly","year":"2021","journal-title":"J Cybersecur"},{"key":"2025092301112608600_bib46","first-page":"267","article-title":"Uncertainty Modeling: The Computational Economists\u2019 View on Cyberwarfare","volume-title":"Intelligent Methods for Cyber Warfare, vol. 563 of Studies in Computational Intelligence","author":"Abel","year":"2015"},{"key":"2025092301112608600_bib47","doi-asserted-by":"crossref","first-page":"1704","DOI":"10.1109\/CCTA.2018.8511535","article-title":"Cyber-Insurance for Cyber-Physical Systems","author":"Barreto","year":"2018","journal-title":"Proceedings of the 2018 IEEE Conference on Control Technology and Applications (CCTA 2018)"},{"key":"2025092301112608600_bib48","doi-asserted-by":"publisher","first-page":"130","DOI":"10.1016\/j.cose.2017.04.010","article-title":"The cyber insurance market in Sweden","volume":"68","author":"Franke","year":"2017","journal-title":"Comput Secur"},{"key":"2025092301112608600_bib49","doi-asserted-by":"publisher","first-page":"12175","DOI":"10.1109\/ACCESS.2017.2773366","article-title":"An Options Approach to Cybersecurity Investment","volume":"6","author":"Chronopoulos","year":"2017","journal-title":"IEEE Access\u00a0"},{"key":"2025092301112608600_bib50","doi-asserted-by":"publisher","first-page":"W05302","DOI":"10.1029\/2005WR004820","article-title":"Ignorance is bliss: Or seven reasons not to use uncertainty analysis","volume":"42","author":"Pappenberger","year":"2006","journal-title":"Water Resour Res"},{"key":"2025092301112608600_bib51","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1145\/508171.508178","article-title":"Safe and sound: A safety-critical approach to security","volume-title":"Proceedings of the 2001 New Security Paradigms Workshop (NSPW 2001)","author":"Brostoff","year":"2001"},{"key":"2025092301112608600_bib52","first-page":"1","article-title":"Why Safety and Security Should and Will Merge","volume-title":"Proceedings of the 23rd International Conference on Computer Safety, Reliability, and Security (SAFECOMP 2004). vol. 3219 of Lecture Notes in Computer Science","author":"Pfitzmann","year":"2004"},{"key":"2025092301112608600_bib53","doi-asserted-by":"publisher","first-page":"110","DOI":"10.1016\/j.ress.2012.09.011","article-title":"Cross-fertilization between safety and security engineering","volume":"110","author":"Pi\u00e8tre-Cambac\u00e9d\u00e8s","year":"2013","journal-title":"Reliab Eng Syst Safe"},{"key":"2025092301112608600_bib54","doi-asserted-by":"publisher","first-page":"547","DOI":"10.2495\/SAFE-V8-N4-547-551","article-title":"Revisiting the relationship between safety and security","volume":"8","author":"Karanikas","year":"2018","journal-title":"Int J Saf Secur Eng"},{"key":"2025092301112608600_bib55","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1016\/j.ress.2011.11.006","article-title":"The risk concept\u2014historical and recent development trends","volume":"99","author":"Aven","year":"2012","journal-title":"Reliab Eng Syst Safe"},{"key":"2025092301112608600_bib56","doi-asserted-by":"publisher","first-page":"42","DOI":"10.1016\/j.ress.2015.04.021","article-title":"On how to understand and acknowledge risk","volume":"142","author":"Amundrud","year":"2015","journal-title":"Reliab Eng Syst Safe"},{"key":"2025092301112608600_bib57","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1080\/13669870802488883","article-title":"On risk defined as an event where the outcome is uncertain","volume":"12","author":"Aven","year":"2009","journal-title":"J Risk Res"},{"key":"2025092301112608600_bib58","first-page":"28","article-title":"On how to conceptualise and describe risk","volume":"2","author":"Aven","year":"2011","journal-title":"Reliab Risk Anal Theory Appl"},{"key":"2025092301112608600_bib59","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/BF03024129","article-title":"Spurious mathematical modelling","volume":"6","author":"Aubert","year":"1984","journal-title":"Math Intell"},{"key":"2025092301112608600_bib60","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/1900546.1900548","article-title":"Why is there no science in cyber science?: A panel discussion at NSPW 2010","volume-title":"Proceedings of the 2010 New Security Paradigms Workshop (NSPW 2010)","author":"Maxion","year":"2010"},{"key":"2025092301112608600_bib61","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1145\/2379616.2379619","article-title":"Realizing scientific methods for cyber security","volume-title":"Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment Results (LASER 2012)","author":"Carroll","year":"2012"},{"key":"2025092301112608600_bib62","first-page":"article number 14","article-title":"Cybersecurity dynamics: A foundation for the science of cybersecurity","volume-title":"Proceedings of the 2014 Symposium and Bootcamp on the Science of Security (HotSoS 2014)","author":"Xu","year":"2014"},{"key":"2025092301112608600_bib63","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3171533.3171540","article-title":"Practicing a Science of Security: A Philosophy of Science Perspective","volume-title":"Proceedings of the 2017 New Security Paradigms Workshop (NSPW 2017)","author":"Spring","year":"2017"},{"key":"2025092301112608600_bib64","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1177\/1548512917737635","article-title":"The protoscience of cybersecurity","volume":"15","author":"Hatleback","year":"2018","journal-title":"J Def Model Simul"},{"key":"2025092301112608600_bib65","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1109\/MSP.2018.1331028","article-title":"Science of security: combining theory and measurement to reflect the observable","volume":"16","author":"Herley","year":"2018","journal-title":"IEEE Secur Priv"},{"key":"2025092301112608600_bib66","doi-asserted-by":"publisher","first-page":"4","DOI":"10.1109\/MSEC.2019.2925648","article-title":"Science leaves clues","volume":"17","author":"Williams","year":"2019","journal-title":"IEEE Secur Priv"},{"key":"2025092301112608600_bib67","article-title":"Is economics a science? well, not yet","author":"Dahls","year":"2018"},{"key":"2025092301112608600_bib68","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1109\/SP.1987.10020","article-title":"Reasoning about security models","volume-title":"Proceedings of the 1987 IEEE Symposium on Security and Privacy","author":"McLean","year":"1987"},{"key":"2025092301112608600_bib69","first-page":"205","article-title":"Information Security: The State of Science, Pseudoscience, and Flying Pigs","volume-title":"Proceedings of ACSAC 2001","author":"Schell","year":"2001"},{"key":"2025092301112608600_bib70","doi-asserted-by":"crossref","first-page":"141","DOI":"10.1007\/978-0-387-73269-5_19","article-title":"How to design computer security experiments","volume-title":"Proceedings of the Fifth World Conference on Information Security Education","author":"Peisert","year":"2007"},{"key":"2025092301112608600_bib71","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1109\/MSP.2011.50","article-title":"Guest Editors\u2019 Introduction: The Science of Security","volume":"9","author":"Evans","year":"2011","journal-title":"IEEE Secur Priv"},{"key":"2025092301112608600_bib72","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1109\/SP.2017.38","article-title":"SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit","volume-title":"Proceedings of the 38th IEEE Symposium on Security and Privacy (SP 2017)","author":"Herley","year":"2017"},{"key":"2025092301112608600_bib73","first-page":"47","article-title":"Blueprint for a science of cybersecurity","volume":"19","author":"Schneider","year":"2012","journal-title":"Next Wave"},{"key":"2025092301112608600_bib74","first-page":"2","article-title":"Cybersecurity: From engineering to science","volume":"2","author":"Landwehr","year":"2012","journal-title":"Develop Blueprint Sci Cybersecur"},{"key":"2025092301112608600_bib75","first-page":"1","article-title":"Towards fundamental science of cyber security","volume-title":"Network science and cybersecurity, vol. 55 of Advances in Information Security","author":"Kott","year":"2013"},{"key":"2025092301112608600_bib76","first-page":"1","article-title":"A data driven approach for the science of cyber security: challenges and directions","volume-title":"Proceedings of the 17th International Conference Information Reuse and Integration (IRI 2017)","author":"Thuraisingham","year":"2016"},{"key":"2025092301112608600_bib77","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-10597-6_1","article-title":"Cybersecurity dynamics: a foundation for the science of cybersecurity","volume-title":"Proactive and Dynamic Network Defense, vol. 74 of Advances in Information Security","author":"Xu","year":"2019"},{"key":"2025092301112608600_bib78","article-title":"Statistics and Data Science for Cybersecurity","volume":"5","author":"Hero","year":"2023","journal-title":"Harvard Data Sci Rev"},{"key":"2025092301112608600_bib79","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1145\/1290958.1290969","article-title":"Necessary measures: Metric-driven information security risk assessment and decision making","volume":"50","author":"Baker","year":"2007","journal-title":"Commun ACM"},{"key":"2025092301112608600_bib80","doi-asserted-by":"publisher","first-page":"639","DOI":"10.1016\/j.jaccpubpol.2007.10.001","article-title":"Information sharing among firms and cyber attacks","volume":"26","author":"Hausken","year":"2007","journal-title":"J Account Public Policy"},{"key":"2025092301112608600_bib81","article-title":"CyBOK: The Cyber Security Body of Knowledge Version 1.1","author":"Rashid","year":"2021"},{"key":"2025092301112608600_bib82","doi-asserted-by":"publisher","first-page":"2119","DOI":"10.1111\/risa.13309","article-title":"Risk and the Five Hard Problems of Cybersecurity","volume":"39","author":"Scala","year":"2019","journal-title":"Risk Anal"},{"key":"2025092301112608600_bib83","doi-asserted-by":"publisher","first-page":"216","DOI":"10.1017\/S0266267119000105","article-title":"The lure of incredible certitude","volume":"36","author":"Manski","year":"2020","journal-title":"Econ Philos"},{"key":"2025092301112608600_bib84","doi-asserted-by":"publisher","first-page":"1173","DOI":"10.1111\/risa.12230","article-title":"Is Risk Analysis Scientific?\u00a0","volume":"34","author":"Hansson","year":"2014","journal-title":"Risk Anal\u00a0"},{"key":"2025092301112608600_bib85","doi-asserted-by":"publisher","first-page":"989","DOI":"10.1093\/cje\/beab033","article-title":"On the relevance of Knight, Keynes and Shackle for unawareness research","volume":"45","author":"Svetlova","year":"2021","journal-title":"Cambridge J Econ\u00a0"},{"key":"2025092301112608600_bib86","volume-title":"Decision Making Under Radical Uncertainty: A Multiple Case Comparison of Companies Creating New Technologies Featuring New Forms of Personal Data","author":"Brooks","year":"2017"},{"key":"2025092301112608600_bib87","doi-asserted-by":"publisher","first-page":"394","DOI":"10.1086\/261461","article-title":"Knight on risk and uncertainty","volume":"95","author":"LeRoy","year":"1987","journal-title":"J Polit Econ"},{"key":"2025092301112608600_bib88","doi-asserted-by":"publisher","first-page":"456","DOI":"10.1111\/j.1465-7295.1993.tb01305.x","article-title":"Frank Knight on risk, uncertainty, and the firm: a new interpretation","volume":"31","author":"Langlois","year":"1993","journal-title":"Econ Inq"},{"key":"2025092301112608600_bib89","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s12113-007-9005-3","article-title":"The limits of numerical probability: Frank H. Knight and Ludwig von Mises and the frequency interpretation","volume":"10","author":"Hoppe","year":"2007","journal-title":"Q J Aust Econ"},{"key":"2025092301112608600_bib90","doi-asserted-by":"publisher","first-page":"567","DOI":"10.2753\/PKE0160-3477320404","article-title":"Black swans and Knight\u2019s epistemological uncertainty: are these concepts also underlying behavioral and post-Walrasian theory?","volume":"32","author":"Davidson","year":"2010","journal-title":"J Post Keynesian Econ"},{"key":"2025092301112608600_bib91","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1080\/18386318.2010.11682161","article-title":"Theorising risk and uncertainty in social enquiry: exploring the contribution of Frank Knight","volume":"52","author":"Jarvis","year":"2010","journal-title":"Hist Econ Rev"},{"key":"2025092301112608600_bib92","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1002\/sej.1128","article-title":"The mortality problem of learning and mimetic practice in emerging industries: dying to be legitimate","volume":"6","author":"Miller","year":"2012","journal-title":"Strateg Entrep J\u00a0"},{"key":"2025092301112608600_bib93","doi-asserted-by":"publisher","first-page":"1099","DOI":"10.1093\/cje\/beab025","article-title":"Keynes and Knight on uncertainty: peas in a pod or chalk and cheese?","volume":"45","author":"Packard","year":"2021","journal-title":"Cambridge J Econ\u00a0"},{"key":"2025092301112608600_bib94","doi-asserted-by":"publisher","first-page":"209","DOI":"10.2307\/1882087","article-title":"The general theory of employment","volume":"51","author":"Keynes","year":"1937","journal-title":"Q J Econ"},{"key":"2025092301112608600_bib95","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.mathsocsci.2014.03.002","article-title":"Unawareness\u2014A gentle introduction to both the literature and the special issue","volume":"70","author":"Schipper","year":"2014","journal-title":"Math Soc Sci"},{"key":"2025092301112608600_bib96","first-page":"230","article-title":"End user and expert perceptions of threats and potential countermeasures","volume-title":"Proceedings of the 2020 IEEE European Symposium on Security and Privacy Workshops","author":"Anell","year":"2020"},{"key":"2025092301112608600_bib97","doi-asserted-by":"publisher","first-page":"11","DOI":"10.1016\/S1361-3723(19)30085-5","article-title":"Improving employees\u2019 cyber security awareness","volume":"2019","author":"Kemper","year":"2019","journal-title":"Comput Fraud Secur"},{"key":"2025092301112608600_bib98","doi-asserted-by":"publisher","first-page":"e10","DOI":"10.1016\/S2589-7500(19)30005-6","article-title":"The challenges of cybersecurity in health care: the UK National Health Service as a case study","volume":"1","author":"Ghafur","year":"2019","journal-title":"Lancet Digital Health"},{"key":"2025092301112608600_bib99","doi-asserted-by":"publisher","first-page":"539","DOI":"10.1016\/j.bushor.2019.03.010","article-title":"Muddling through cybersecurity: Insights from the U.S. healthcare industry","volume":"62","author":"Abraham","year":"2019","journal-title":"Bus Horiz"},{"key":"2025092301112608600_bib100","doi-asserted-by":"publisher","first-page":"531","DOI":"10.1016\/j.bushor.2020.03.010","article-title":"Calculated risk? A cybersecurity evaluation tool for SMEs","volume":"63","author":"Benz","year":"2020","journal-title":"Bus Horiz"},{"key":"2025092301112608600_bib101","doi-asserted-by":"publisher","first-page":"120102","DOI":"10.1016\/j.techfore.2020.120102","article-title":"Cybersecurity threats in the auto industry: Tensions in the knowledge environment","volume":"157","author":"Morris","year":"2020","journal-title":"Technol Fore Soc Change"},{"key":"2025092301112608600_bib102","doi-asserted-by":"publisher","first-page":"895","DOI":"10.1111\/puar.13028","article-title":"Cyberattacks at the grass roots: American local governments and the need for high levels of cybersecurity","volume":"79","author":"Norris","year":"2019","journal-title":"Public Adm Rev\u00a0"},{"key":"2025092301112608600_bib103","doi-asserted-by":"publisher","first-page":"1173","DOI":"10.1080\/07352166.2020.1727295","article-title":"Managing cybersecurity at the grassroots: Evidence from the first nationwide survey of local government cybersecurity","volume":"43","author":"Norris","year":"2021","journal-title":"J Urban Aff"},{"key":"2025092301112608600_bib104","doi-asserted-by":"publisher","first-page":"tyz001","DOI":"10.1093\/cybsec\/tyz001","article-title":"Cybersecurity education in a developing nation: The Ecuadorian environment","volume":"5","author":"Catota","year":"2019","journal-title":"J Cybersecur"},{"key":"2025092301112608600_bib105","doi-asserted-by":"publisher","first-page":"101959","DOI":"10.1016\/j.cose.2020.101959","article-title":"Building cyber security awareness in a developing country: Lessons from Myanmar","volume":"97","author":"Chang","year":"2020","journal-title":"Comput Secur"},{"key":"2025092301112608600_bib106","doi-asserted-by":"publisher","first-page":"1279","DOI":"10.1093\/cje\/bex035","article-title":"Unknowns, Black Swans and the risk\/uncertainty distinction","volume":"41","author":"Faulkner","year":"2017","journal-title":"Cambridge J Econ\u00a0"},{"key":"2025092301112608600_bib107","doi-asserted-by":"publisher","first-page":"659","DOI":"10.5465\/annals.2016.0109","article-title":"Uncertainty, knowledge problems, and entrepreneurial action","volume":"12","author":"Townsend","year":"2018","journal-title":"Acad Manage Ann"},{"key":"2025092301112608600_bib108","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1080\/13669877.2017.1351467","article-title":"A practical road map for assessing cyber risk","volume":"22","author":"Amin","year":"2019","journal-title":"J Risk Res"},{"key":"2025092301112608600_bib109","article-title":"Systematization of Knowledge: Quantifying Cyber Risk","author":"Woods","year":"2021"},{"key":"2025092301112608600_bib110","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1145\/1719030.1719036","article-title":"Quantified security is a weak hypothesis: A critical survey of results and assumptions","volume-title":"Proceedings of the 2009 Workshop on New Security Paradigms Workshop (NSPW 2009)","author":"Verendel","year":"2009"},{"key":"2025092301112608600_bib111","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1007\/978-1-4614-1981-5_3","article-title":"Sex, Lies and Cyber-Crime Surveys","volume-title":"Economics of Information Security and Privacy III","author":"Flor\u00eancio","year":"2013"},{"key":"2025092301112608600_bib112","article-title":"The use, misuse, and abuse of statistics in information security research","volume-title":"Proc. 23rd ASEM National Conference","author":"Ryan","year":"2003"},{"key":"2025092301112608600_bib113","doi-asserted-by":"publisher","first-page":"2101","DOI":"10.1007\/s10270-022-01035-8","article-title":"Modeling should be an independent scientific discipline","volume":"21","author":"Cabot","year":"2022","journal-title":"Softw Syst Model\u00a0"},{"key":"2025092301112608600_bib114","doi-asserted-by":"publisher","first-page":"189","DOI":"10.28945\/2045","article-title":"Disciplinary evolution and the rise of the transdiscipline","volume":"17","author":"Cohen","year":"2014","journal-title":"Inform Sci Int J Emerg Transdiscipl"},{"key":"2025092301112608600_bib115","doi-asserted-by":"publisher","first-page":"tyab008","DOI":"10.1093\/cybsec\/tyab008","article-title":"Restraint under conditions of uncertainty: Why the United States tolerates cyberattacks","volume":"7","author":"Kaminska","year":"2021","journal-title":"J Cybersecur"},{"key":"2025092301112608600_bib116","doi-asserted-by":"publisher","first-page":"tyaa026","DOI":"10.1093\/cybsec\/tyaa026","article-title":"Manipulating uncertainty: cybersecurity politics in Egypt","volume":"7","author":"Hassib","year":"2021","journal-title":"J Cybersecur"},{"key":"2025092301112608600_bib117","doi-asserted-by":"publisher","first-page":"20","DOI":"10.1057\/s41599-020-0396-5","article-title":"Ethics of quantification: illumination, obfuscation and performative legitimation","volume":"6","author":"Sareen","year":"2020","journal-title":"Palgrave Commun\u00a0"},{"key":"2025092301112608600_bib118","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1007\/s11024-022-09481-w","article-title":"The Challenge of Quantification: An Interdisciplinary Reading","volume":"61","author":"Di\u00a0Fiore","year":"2022","journal-title":"Minerva"},{"key":"2025092301112608600_bib119","doi-asserted-by":"crossref","first-page":"51","DOI":"10.1093\/oso\/9780198872412.003.0004","article-title":"Mind the Hubris: Complexity can Misfire","volume-title":"The Politics of Modelling: Numbers Between Science and Policy","author":"Puy","year":"2023"},{"key":"2025092301112608600_bib120","volume-title":"How Big Things Get Done","author":"Flyvbjerg","year":"2023"},{"key":"2025092301112608600_bib121","volume-title":"The Cunning of Uncertainty","author":"Nowotny","year":"2015"},{"key":"2025092301112608600_bib122","article-title":"Varieties of uncertainty: a survey of the economic literature","volume-title":"Anais do XXXVI Encontro Nacional de Economia","author":"Dequech","year":"2008"},{"key":"2025092301112608600_bib123","doi-asserted-by":"publisher","first-page":"828","DOI":"10.1177\/0272989X10393976","article-title":"Varieties of uncertainty in health care: a conceptual taxonomy","volume":"31","author":"Han","year":"2011","journal-title":"Med Decis Making"},{"key":"2025092301112608600_bib124","doi-asserted-by":"publisher","first-page":"226","DOI":"10.1080\/02684527.2021.1857083","article-title":"Reflections on conveying uncertainty","volume":"36","author":"Treverton","year":"2021","journal-title":"Intel Natl Secur"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae022\/61182305\/tyae022.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae022\/61182305\/tyae022.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,23]],"date-time":"2025-09-23T05:11:48Z","timestamp":1758604308000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae022\/7900093"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":124,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1,2]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae022","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2024]]},"published":{"date-parts":[[2024]]},"article-number":"tyae022"}}