{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T15:23:37Z","timestamp":1780673017617,"version":"3.54.1"},"reference-count":30,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2018,6,9]],"date-time":"2018-06-09T00:00:00Z","timestamp":1528502400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Games"],"abstract":"When undertaking cybersecurity risk assessments, it is important to be able to assign numeric values to metrics to compute the final expected loss that represents the risk that an organization is exposed to due to cyber threats. Even if risk assessment is motivated by real-world observations and data, there is always a high chance of assigning inaccurate values due to different uncertainties involved (e.g., evolving threat landscape, human errors) and the natural difficulty of quantifying risk. Existing models empower organizations to compute optimal cybersecurity strategies given their financial constraints, i.e., available cybersecurity budget. Further, a general game-theoretic model with uncertain payoffs (probability-distribution-valued payoffs) shows that such uncertainty can be incorporated in the game-theoretic model by allowing payoffs to be random. This paper extends previous work in the field to tackle uncertainties in risk assessment that affect cybersecurity investments. The findings from simulated examples indicate that although uncertainties in cybersecurity risk assessment lead, on average, to different cybersecurity strategies, they do not play a significant role in the final expected loss of the organization when utilising a game-theoretic model and methodology to derive these strategies. The model determines robust defending strategies even when knowledge regarding risk assessment values is not accurate. As a result, it is possible to show that the cybersecurity investments\u2019 tool is capable of providing effective decision support.<\/jats:p>","DOI":"10.3390\/g9020034","type":"journal-article","created":{"date-parts":[[2018,6,11]],"date-time":"2018-06-11T11:01:01Z","timestamp":1528714861000},"page":"34","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":35,"title":["Risk Assessment Uncertainties in Cybersecurity Investments"],"prefix":"10.3390","volume":"9","author":[{"given":"Andrew","family":"Fielder","sequence":"first","affiliation":[{"name":"Institute for Security Science and Technology, Imperial College London, London SW7 2AZ, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sandra","family":"K\u00f6nig","sequence":"additional","affiliation":[{"name":"Center for Digital Safety & Security, Austrian Institute of Technology, 1210 Vienna, Austria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7306-4062","authenticated-orcid":false,"given":"Emmanouil","family":"Panaousis","sequence":"additional","affiliation":[{"name":"Surrey Centre for Cyber Security, University of Surrey, Guildford, Surrey GU2 7XH, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Stefan","family":"Schauer","sequence":"additional","affiliation":[{"name":"Center for Digital Safety & Security, Austrian Institute of Technology, 1210 Vienna, Austria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2821-2489","authenticated-orcid":false,"given":"Stefan","family":"Rass","sequence":"additional","affiliation":[{"name":"System Security Group, Institute of Applied Informatics, Universit\u00e4t Klagenfurt, 9020 Klagenfurt, Austria"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2018,6,9]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1016\/j.dss.2016.02.012","article-title":"Decision support approaches for cybersecurity investment","volume":"86","author":"Fielder","year":"2016","journal-title":"Decis. Support Syst."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Panaousis, E., Fielder, A., Malacaria, P., Hankin, C., and Smeraldi, F. (2014). Cybersecurity Games and Investments: A Decision Support Approach. Decision and Game Theory for Security, Springer.","DOI":"10.1007\/978-3-319-12601-2_15"},{"key":"ref_3","unstructured":"Anderson, R. (2001, January 10\u201314). Why information security is hard-an economic perspective. Proceedings of the Seventeenth Annual Computer Security Applications Conference, New Orleans, LA, USA."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","author":"Gordon","year":"2002","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"ref_5","unstructured":"Anderson, R., and Moore, T. (2007, January 19\u201323). Information security economics\u2013and beyond. Proceedings of the 27th Annual International Cryptology Conference, Santa Barbara, CA, USA."},{"key":"ref_6","unstructured":"Van Eeten, M.J., and Bauer, J.M. (2008). Economics of Malware: Security Decisions, Incentives and Externalities, OECD Publishing. OECD Science, Technology and Industry Working Papers."},{"key":"ref_7","unstructured":"Laszka, A., Farhang, S., and Grossklags, J. (2017, January 23\u201325). On the Economics of Ransomware. Proceedings of the 8th International Conference, GameSec 2017, Vienna, Austria."},{"key":"ref_8","unstructured":"Ponemon Institute LLC (2017). Cost of Data Breach Study, Ponemon Institute LLC. Technical Report."},{"key":"ref_9","unstructured":"Ponemon Institute LLC (2015). The Cost of Malware Containment, Ponemon Institute LLC. Technical Report."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"229","DOI":"10.1016\/j.cose.2016.08.001","article-title":"Modelling cyber-security experts\u2019 decision making processes using aggregation operators","volume":"62","author":"Miller","year":"2016","journal-title":"Comput. Secur."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"904","DOI":"10.1016\/j.dss.2011.02.009","article-title":"Profit-maximizing firm investments in customer information security","volume":"51","author":"Lee","year":"2011","journal-title":"Decis. Support Syst."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Chronopoulos, M., Panaousis, E., and Grossklags, J. (2017). An Options Approach to Cybersecurity Investment. IEEE Access, 6.","DOI":"10.1109\/ACCESS.2017.2773366"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Benaroch, M. (2017). Real Options Models for Proactive Uncertainty-Reducing Mitigations and Applications in Cybersecurity Investment Decision-Making. Inf. Syst. Res.","DOI":"10.1287\/isre.2017.0714"},{"key":"ref_14","first-page":"3","article-title":"Increasing cybersecurity investments in private sector firms","volume":"1","author":"Gordon","year":"2015","journal-title":"J. Cybersecur."},{"key":"ref_15","unstructured":"Moore, T., Dynes, S., and Chang, F.R. (2016). Identifying how Firms Manage Cybersecurity Investment, University of California."},{"key":"ref_16","unstructured":"SANS (2015, December 19). The Critical Security Controls for Effective Cyber Defense (Version 5.0). Available online: http:\/\/www.counciloncybersecurity.org\/attachments\/article\/12\/CSC-MASTER-VER50-2-27-2014.pdf."},{"key":"ref_17","unstructured":"CWE (2015, December 19). CWE Top 25 Most Dangerous Software Errors (2011). Available online: http:\/\/cwe.mitre.org\/top25\/."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Fielder, A., and Panaousis, E. (2017, December 19). Decision Support Approaches for Cyber Security Investment: Data for Cyber Essentials Case Study. Available online: http:\/\/www.panaousis.com\/papers\/casestudy.pdf.","DOI":"10.1016\/j.dss.2016.02.012"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Rass, S., K\u00f6nig, S., and Schauer, S. (2015, January 4\u20135). Uncertainty in Games: Using Probability-Distributions as Payoffs. Proceedings of the 6th International Conference on Decision and Game Theory for Security, London, UK.","DOI":"10.1007\/978-3-319-25594-1_20"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Rass, S., K\u00f6nig, S., and Schauer, S. (2016). Decisions with Uncertain Consequences\u2014A Total Ordering on Loss-Distributions. PLoS ONE, 11.","DOI":"10.1371\/journal.pone.0168583"},{"key":"ref_21","unstructured":"Rass, S., and K\u00f6nig, S. (2016). R Package \u2018HyRiM\u2019: Multicriteria Risk Management Using Zero-Sum Games with Vector-Valued Payoffs That Are Probability Distributions, Austrian Institute of Technology."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Busby, J.S., Gouglidis, A., Rass, S., and K\u00f6nig, S. (2016, January 9\u201312). Modelling Security Risk in Critical Utilities: The System at Risk as a Three Player Game and Agent Society. Proceedings of the 2016 IEEE International Conference on Systems, Man, and Cybernetics (SMC), Budapest, Hungary.","DOI":"10.1109\/SMC.2016.7844492"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Rass, S., K\u00f6nig, S., and Schauer, S. (2017). Defending Against Advanced Persistent Threats Using Game-Theory. PLoS ONE, 12.","DOI":"10.1371\/journal.pone.0168675"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Karnouskos, S. (2011, January 7\u201310). Stuxnet worm impact on industrial cyber-physical system security. Proceedings of the IECON 2011\u201437th Annual Conference of the IEEE Industrial Electronics Society, Melbourne, Australia.","DOI":"10.1109\/IECON.2011.6120048"},{"key":"ref_25","unstructured":"E-ISAC (2016). Analysis of the Cyber Attack on the Ukrainian Power Grid, E-ISAC. Technical Report."},{"key":"ref_26","unstructured":"Rass, S., and Schauer, S. (2018). Protecting Water Utility Networks from Advanced Persistent Threats: A Case Study. HyRiM, Springer International Publishing. Chapter 6."},{"key":"ref_27","unstructured":"Rass, S., and Schauer, S. (2018). Advanced Persistent Threats in Water Utility Networks: A Case Study. HyRiM, Springer International Publishing. Chapter 13."},{"key":"ref_28","unstructured":"Rass, S., and Schauer, S. (2018). Assessing the Impact of Malware Attacks in Utility Networks. HyRiM, Springer International Publishing. Chapter 14."},{"key":"ref_29","unstructured":"Linstone, H.A., and Turoff, M. (1975). The Delphi Method, Addison-Wesley."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1109\/MSP.2015.118","article-title":"Quantitative Risk Analysis in Information Security Management: A Modern Fairy Tale","volume":"13","author":"Oppliger","year":"2015","journal-title":"IEEE Secur. Priv."}],"container-title":["Games"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-4336\/9\/2\/34\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T15:07:59Z","timestamp":1760195279000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-4336\/9\/2\/34"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,6,9]]},"references-count":30,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2018,6]]}},"alternative-id":["g9020034"],"URL":"https:\/\/doi.org\/10.3390\/g9020034","relation":{},"ISSN":["2073-4336"],"issn-type":[{"value":"2073-4336","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,6,9]]}}}