University of Surrey


Risk Assessment Uncertainties in Cybersecurity Investments

Fielder, Andrew, König, Sandra, Panaousis, Emmanouil, Schauer, Stefan and Rass, Stefan (2018) Risk Assessment Uncertainties in Cybersecurity Investments Games, 9 (2).

Text: Risk Assessment Uncertainties in Cybersecurity Investments.pdf - Version of Record (1MB), available under License Creative Commons Attribution.

Abstract

When undertaking cybersecurity risk assessments, it is important to be able to assign numeric values to metrics to compute the final expected loss that represents the risk that an organization is exposed to due to cyber threats. Even if risk assessment is motivated by real-world observations and data, there is always a high chance of assigning inaccurate values due to different uncertainties involved (e.g., evolving threat landscape, human errors) and the natural difficulty of quantifying risk. Existing models empower organizations to compute optimal cybersecurity strategies given their financial constraints, i.e., available cybersecurity budget. Further, a general game-theoretic model with uncertain payoffs (probability-distribution-valued payoffs) shows that such uncertainty can be incorporated in the game-theoretic model by allowing payoffs to be random. This paper extends previous work in the field to tackle uncertainties in risk assessment that affect cybersecurity investments. The findings from simulated examples indicate that although uncertainties in cybersecurity risk assessment lead, on average, to different cybersecurity strategies, they do not play a significant role in the final expected loss of the organization when utilising a game-theoretic model and methodology to derive these strategies. The model determines robust defending strategies even when knowledge regarding risk assessment values is not accurate. As a result, it is possible to show that the cybersecurity investment tool is capable of providing effective decision support.
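The following is an added illustration of the kind of experiment the abstract describes; it is not the paper's own model, code or data. A defender chooses a set of controls within a budget, an attacker chooses a target, the payoff is the expected loss, and the defender's minimax mixed strategy is obtained by fictitious play. Strategies are then derived from risk figures perturbed by log-normal noise and scored against the unperturbed loss matrix, so one can see how far a strategy built on an inaccurate assessment departs in worst-case loss from one built on the true figures. The asset loss values, controls, costs, mitigation fractions and the multiplicative composition of mitigations are all constructed assumptions for the example.

```python
"""Added illustration (not the paper's own code or data) of deriving a defender's
cybersecurity-investment strategy as a zero-sum game and checking how
uncertainty in the risk-assessment inputs affects the resulting expected loss.
All asset values, controls, costs and mitigation factors are constructed."""
import random
from itertools import combinations

# Constructed risk assessment: expected annual loss per asset (probability x impact),
# in arbitrary money units. Hypothetical figures.
RISK = {"crm_db": 80.0, "mail": 30.0, "build_server": 50.0}

# Constructed controls: purchase cost and the fraction of loss each removes per asset.
CONTROLS = {
    "mfa":    {"cost": 10, "mitigates": {"crm_db": 0.6, "mail": 0.7, "build_server": 0.3}},
    "edr":    {"cost": 15, "mitigates": {"crm_db": 0.3, "mail": 0.4, "build_server": 0.6}},
    "backup": {"cost": 12, "mitigates": {"crm_db": 0.5, "mail": 0.1, "build_server": 0.5}},
    "waf":    {"cost": 8,  "mitigates": {"crm_db": 0.4, "mail": 0.0, "build_server": 0.2}},
}


def portfolios(budget):
    """Defender's pure strategies: every set of controls whose total cost fits the budget."""
    names = sorted(CONTROLS)
    return [combo for r in range(len(names) + 1) for combo in combinations(names, r)
            if sum(CONTROLS[c]["cost"] for c in combo) <= budget]


def expected_loss(portfolio, target, risk):
    """Residual loss when the attacker hits `target` and `portfolio` is deployed.
    Mitigations are assumed to compose multiplicatively (a modelling assumption)."""
    residual = 1.0
    for c in portfolio:
        residual *= 1.0 - CONTROLS[c]["mitigates"][target]
    return risk[target] * residual


def loss_matrix(budget, risk):
    """Rows: defender portfolios; columns: attacker targets; entries: expected loss."""
    rows, cols = portfolios(budget), sorted(risk)
    return rows, cols, [[expected_loss(p, t, risk) for t in cols] for p in rows]


def worst_case_loss(strategy, matrix):
    """Loss the defender's mixed strategy incurs against a best-responding attacker."""
    return max(sum(s * row[c] for s, row in zip(strategy, matrix))
               for c in range(len(matrix[0])))


def minimax_defender(matrix, iters=20000):
    """Fictitious play for the zero-sum game (defender minimises, attacker maximises).
    Returns the defender's empirical mixed strategy and its worst-case loss, which
    converges down to the game value as iters grows."""
    n, m = len(matrix), len(matrix[0])
    row_counts = [0] * n
    row_cum = [0.0] * n   # payoff of each defender row against the attacker's history
    col_cum = [0.0] * m   # payoff of each attacker column against the defender's history
    i = 0                 # defender's opening move: first portfolio
    for _ in range(iters):
        row_counts[i] += 1
        for c in range(m):
            col_cum[c] += matrix[i][c]
        j = max(range(m), key=col_cum.__getitem__)   # attacker best response
        for r in range(n):
            row_cum[r] += matrix[r][j]
        i = min(range(n), key=row_cum.__getitem__)   # defender best response
    strategy = [k / iters for k in row_counts]
    return strategy, worst_case_loss(strategy, matrix)


def robustness_trial(budget, true_risk, noise=0.3, trials=20, seed=1):
    """Derive strategies from noisy risk assessments (multiplicative log-normal noise on
    each asset's loss figure) and score them against the true loss matrix."""
    rng = random.Random(seed)
    rows, _, true_m = loss_matrix(budget, true_risk)
    base_strategy, base_loss = minimax_defender(true_m)
    noisy_losses, noisy_strategies = [], []
    for _ in range(trials):
        noisy = {a: v * rng.lognormvariate(0.0, noise) for a, v in true_risk.items()}
        _, _, noisy_m = loss_matrix(budget, noisy)      # same row order as true_m
        strategy, _ = minimax_defender(noisy_m, iters=5000)
        noisy_strategies.append(strategy)
        noisy_losses.append(worst_case_loss(strategy, true_m))   # scored on the truth
    return rows, base_strategy, base_loss, noisy_strategies, noisy_losses


if __name__ == "__main__":
    rows, base, base_loss, strats, losses = robustness_trial(budget=25, true_risk=RISK)
    print("budget 25, minimax worst-case loss with exact assessment: %.2f" % base_loss)
    for p, s in zip(rows, base):
        if s > 0.01:
            print("  play %-22s with probability %.2f" % ("+".join(p) or "(nothing)", s))
    print("with noisy assessments: mean worst-case loss %.2f, max %.2f"
          % (sum(losses) / len(losses), max(losses)))
```

Because rows are enumerated in a fixed order, a strategy derived from the noisy matrix can be evaluated directly on the true one; the gap between the noisy strategies' worst-case losses and the base value is the quantity the abstract's simulations examine. Raising `noise` or changing `budget` changes how many portfolios are feasible and how much the derived strategies move.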

Item Type: Article
Divisions : Faculty of Engineering and Physical Sciences > Computing Science
Authors :
Fielder, Andrew
König, Sandra
Panaousis, Emmanouil (e.panaousis@surrey.ac.uk)
Schauer, Stefan
Rass, Stefan
Date : 9 June 2018
DOI : 10.3390/g9020034
Copyright Disclaimer : © 2018 by the authors. Licensee MDPI, Basel, Switzerland. This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. (CC BY 4.0).
Uncontrolled Keywords : Risk assessment; Cybersecurity investments; Game theory
Depositing User : Clive Harris
Date Deposited : 13 Jun 2018 09:35
Last Modified : 16 Jan 2019 19:11
URI: http://epubs.surrey.ac.uk/id/eprint/847049

© The University of Surrey, Guildford, Surrey, GU2 7XH, United Kingdom.
+44 (0)1483 300800