Printed from https://ideas.repec.org/a/gam/jgames/v9y2018i2p34-d151564.html

Risk Assessment Uncertainties in Cybersecurity Investments

Authors
  • Andrew Fielder

    (Institute for Security Science and Technology, Imperial College London, London SW7 2AZ, UK)

  • Sandra König

    (Center for Digital Safety & Security, Austrian Institute of Technology, 1210 Vienna, Austria)

  • Emmanouil Panaousis

    (Surrey Centre for Cyber Security, University of Surrey, Guildford, Surrey GU2 7XH, UK)

  • Stefan Schauer

    (Center for Digital Safety & Security, Austrian Institute of Technology, 1210 Vienna, Austria)

  • Stefan Rass

    (System Security Group, Institute of Applied Informatics, Universität Klagenfurt, 9020 Klagenfurt, Austria)

Abstract

When undertaking cybersecurity risk assessments, it is important to be able to assign numeric values to metrics to compute the final expected loss that represents the risk that an organization is exposed to due to cyber threats. Even if risk assessment is motivated by real-world observations and data, there is always a high chance of assigning inaccurate values due to different uncertainties involved (e.g., evolving threat landscape, human errors) and the natural difficulty of quantifying risk. Existing models empower organizations to compute optimal cybersecurity strategies given their financial constraints, i.e., available cybersecurity budget. Further, a general game-theoretic model with uncertain payoffs (probability-distribution-valued payoffs) shows that such uncertainty can be incorporated in the game-theoretic model by allowing payoffs to be random. This paper extends previous work in the field to tackle uncertainties in risk assessment that affect cybersecurity investments. The findings from simulated examples indicate that although uncertainties in cybersecurity risk assessment lead, on average, to different cybersecurity strategies, they do not play a significant role in the final expected loss of the organization when utilising a game-theoretic model and methodology to derive these strategies. The model determines robust defending strategies even when knowledge regarding risk assessment values is not accurate. As a result, it is possible to show that the cybersecurity investments’ tool is capable of providing effective decision support.

Suggested Citation

  • Andrew Fielder & Sandra König & Emmanouil Panaousis & Stefan Schauer & Stefan Rass, 2018. "Risk Assessment Uncertainties in Cybersecurity Investments," Games, MDPI, vol. 9(2), pages 1-14, June.
  • Handle: RePEc:gam:jgames:v:9:y:2018:i:2:p:34-:d:151564

    Download full text from publisher

    File URL: https://www.mdpi.com/2073-4336/9/2/34/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/2073-4336/9/2/34/
    Download Restriction: no

    References listed on IDEAS

    1. Michel J. G. van Eeten & Johannes M. Bauer, 2008. "Economics of Malware: Security Decisions, Incentives and Externalities," OECD Science, Technology and Industry Working Papers 2008/1, OECD Publishing.

    Citations

    Cited by:

    1. Juntao Chen & Quanyan Zhu & Tamer Başar, 2021. "Dynamic Contract Design for Systemic Cyber Risk Management of Interdependent Enterprise Networks," Dynamic Games and Applications, Springer, vol. 11(2), pages 294-325, June.
    2. Ankit Shah & Katheryn A. Farris & Rajesh Ganesan & Sushil Jajodia, 2022. "Vulnerability Selection for Remediation: An Empirical Analysis," The Journal of Defense Modeling and Simulation, , vol. 19(1), pages 13-22, January.
    3. Diao, Xiaoxu & Zhao, Yunfei & Smidts, Carol & Vaddi, Pavan Kumar & Li, Ruixuan & Lei, Hangtian & Chakhchoukh, Yacine & Johnson, Brian & Blanc, Katya Le, 2024. "Dynamic probabilistic risk assessment for electric grid cybersecurity," Reliability Engineering and System Safety, Elsevier, vol. 241(C).
    4. Hunt, Kyle & Agarwal, Puneet & Zhuang, Jun, 2022. "On the adoption of new technology to enhance counterterrorism measures: An attacker–defender game with risk preferences," Reliability Engineering and System Safety, Elsevier, vol. 218(PB).
    5. Loic Mar'echal & Alain Mermoud & Dimitri Percia David & Mathias Humbert, 2024. "Measuring the performance of investments in information security startups: An empirical analysis by cybersecurity sectors using Crunchbase data," Papers 2402.04765, arXiv.org, revised Feb 2024.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Schmidt, Andreas, 2012. "At the boundaries of peer production: The organization of Internet security production in the cases of Estonia 2007 and Conficker," Telecommunications Policy, Elsevier, vol. 36(6), pages 451-461.
    2. Carlos Martí Sempere, 2011. "A Survey of the European Security Market," Economics of Security Working Paper Series 43, DIW Berlin, German Institute for Economic Research.
    3. Milton L Mueller & Wolter Lemstra, 2011. "Liberalization and the Internet," Chapters, in: Matthias Finger & Rolf W. Künneke (ed.), International Handbook of Network Industries, chapter 9, Edward Elgar Publishing.
    4. Kox, Henk L.M., 2013. "Cybersecurity in the perspective of Internet traffic growth," MPRA Paper 47883, University Library of Munich, Germany.
    5. Schneider, Friedrich, 2017. "Restricting or Abolishing Cash: An Effective Instrument for Fighting the Shadow Economy, Crime and Terrorism?," International Cash Conference 2017 – War on Cash: Is there a Future for Cash? 162914, Deutsche Bundesbank.
    6. Johnston, Reuben & Sarkani, Shahryar & Mazzuchi, Thomas & Holzer, Thomas & Eveleigh, Timothy, 2019. "Bayesian-model averaging using MCMCBayes for web-browser vulnerability discovery," Reliability Engineering and System Safety, Elsevier, vol. 183(C), pages 341-359.
    7. Moore, Tyler, 2010. "The economics of cybersecurity: Principles and policy options," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(3), pages 103-117.
