Uncertainty in Cyber Security Investments

When undertaking cyber security risk assessments, we must assign numeric values to metrics to compute the final expected loss that represents the risk that an organization is exposed to due to cyber threats. Even if risk assessment is motivated from real-world observations and data, there is always a high chance of assigning inaccurate values due to different uncertainties involved (e.g., evolving threat landscape, human errors) and the natural difficulty of quantifying risk per se. Our previous work [1] has proposed a model and a software tool that empowers organizations to compute optimal cyber security strategies given their financial constraints, i.e., available cyber security budget. We have also introduced a general game-theoretic model [2] with uncertain payoffs (probability-distribution-valued payoffs) showing that such uncertainty can be incorporated in the game-theoretic model by allowing payoffs to be random. In this paper, we combine our aforesaid works and we conclude that although uncertainties in cyber security risk assessment lead, on average, to different cyber security strategies, they do not play significant role into the final expected loss of the organization when using our model and methodology to derive this strategies. We show that our tool is capable of providing effective decision support. To the best of our knowledge this is the first paper that investigates how uncertainties on various parameters affect cyber security investments.