Multi-agent influence diagrams to hybrid threat modeling

Abstract

Western governments have adopted an assortment of counter-hybrid threat measures to defend against hostile actions below the conventional military threshold. The impact of these measures is unclear because of the ambiguity of hybrid threats, their cross-domain nature, and uncertainty about how countermeasures shape adversarial behavior. This paper offers a novel approach to clarifying this impact by unifying previously bifurcating hybrid threat modeling methods through a (multi-agent) influence diagram framework. The model balances the costs of countermeasures, their ability to dissuade the adversary from executing hybrid threats, and their potential to mitigate the impact of hybrid threats. We run 1000 semi-synthetic variants of a real-world-inspired scenario simulating the strategic interaction between attacking agent A and defending agent B over a cyberattack on critical infrastructure to explore the effectiveness of a set of five different counter-hybrid threat measures. Counter-hybrid measures range from strengthening resilience and denial of the adversary’s ability to execute a hybrid threat to dissuasion through the threat of punishment. Our analysis primarily evaluates the overarching characteristics of counter-hybrid threat measures. This approach allows us to generalize the effectiveness of these measures and examine parameter impact sensitivity. In addition, we discuss policy relevance and outline future research avenues.

Keywords

Hybrid threats adversarial behavior analysis strategic interaction modeling deterrence influence diagrams causal inference game theory

1. Introduction

Hybrid threats, defined as the coordinated use of violent and non-violent means to exploit vulnerabilities and influence adversaries below the threshold of armed conflict, pose an escalating challenge in an era of growing global interconnectedness. In response, states have implemented a broad spectrum of potential counter-hybrid measures, including economic sanctions, cyber defense strategies, information campaigns, and diplomatic initiatives. However, the effectiveness of these measures remains uncertain due to the complex and opaque nature of hybrid threats, which often operate across multiple domains and resist attribution. Therefore, researchers have resorted to modeling approaches, employing either game theoretic¹ or probabilistic methods,² as they offer a means to address this uncertainty by systematically evaluating the impact of different measures under varying conditions while providing actionable insights into the interplay between threats and countermeasures.

Building on these methodologically distinct approaches, this paper proposes an integrated probabilistic and game-theoretic model to comprehensively assess the effectiveness of counter-hybrid threat measures. The interaction between two state-like agents is modeled probabilistically to account for cognitive and psychological deterrence factors,³ and game-theoretically to capture strategic decision-making. The defender’s pay-off is based on the balance between the costs of countermeasures and the potential damage from hybrid attacks, accounting for the possibility that such attacks may or may not have been successfully deterred. Optimal countermeasures are derived by maximizing expected pay-offs while game equilibria are distilled by considering the adversary’s strategic responses.

To test the modeling approach, a cyber threat scenario on critical infrastructure was developed, inspired by real-world incidents. Policy experts and available literature were consulted to identify relevant countermeasures to this cyber threat and collate estimates of the cost, damage mitigation ability, and deterrence ability of each of the counter-hybrid measures. These estimates provided a basis for analyzing counter-hybrid measures and allowed us to gauge their effectiveness across different scenarios, including scenarios where the adversary engages in strategic competition. To validate our proposed approach, we contextualized our findings within the framework of existing studies and conducted sensitivity analyses to identify and quantify the most influential variables driving the model’s outcomes. This enabled us to address the following research questions:

Which characteristics of counter-hybrid threat measures most effectively enable the defending agent to address the cyber threat on critical infrastructure posed by the attacking agent given uncertainty about (1) the measures’ ability to dissuade the adversary from carrying out the attack, (2) the measures’ ability to mitigate the impact of the attack, and (3) the measures’ cost.

Which characteristics of counter-hybrid threat measures within the context of a cyber threat on critical infrastructure can cause the strategies of players to form an equilibrium given (1) the costs of counter-hybrid measures and hybrid operations, (2) the measures’ ability to mitigate the impact of the attack, and (3) a strategically operating adversary.

In answering these research questions, this paper is structured as follows: the following section introduces background information on deterrence and hybrid threats. Thereafter, we outline the modeling methodology along with a discussion of the transformation of insights from the literature review and expert opinion into input for the model via probability distributions. The subsequent section describes the content of the hybrid threat scenario and the associated cross-domain counter-hybrid measures. The results are then presented and analyzed in the penultimate section, where they are contextualized within a broader framework of similar studies. The final section reflects on the policy relevance of the findings and identifies future research avenues.

2. Background

Fast-paced technological developments, deeper economic integration, and the digitally wiring of societies have reshaped contemporary interstate competition, furnishing revisionist states with innovative tools to pursue strategic objectives below the threshold of large-scale armed conflict. In Europe, observers use the term hybrid threats to broadly define behaviors corresponding to the “coordinated and synchronized” use of violent and non-violent means, often difficult to detect and attribute, aimed at weaponizing democratic processes and exerting influence over adversaries (Hybrid CoE, Hybrid Threats as a Concept, Accessed 7 June 2023, https://www.hybridcoe.fi/hybrid-threats-as-a-phenomenon/). Although often used interchangeably, the term “hybrid conflict” is conceptually different from what U.S. scholars and strategists refer to as “gray zone” strategy.⁴ Grey zone strategies refer to a peculiar condition of quasi-persistent interstate conflict in which aggressive operations apparently covered by legal justifications are used to coerce adversaries and pursue limited objectives, exploiting adversaries’ vulnerabilities below the threshold of detection and attribution.⁵ Both terms however refer to aggressive behavior below the threshold of conflict that includes information and psychological operations, political, diplomatic and economic coercion, offensive cyber operations, and the use of proxies to destabilize adversaries.

States currently seek to devise a range of counter-hybrid policies aimed at increasing resilience and imposing costs on rival states in order to deter such behaviors. However, when compared to openly aggressive or offensive conducts in the conventional and nuclear domains, hybrid operations pose unique challenges that, because of their opaque and cross-domain nature, prove difficult to deter and defend against.⁶

Traditionally, deterrence is about “discouraging or restraining a nation-state from taking unwanted actions”⁷ by either denying an adversary the ability to achieve its objectives (deterrence by denial)^8–10 or threatening to impose cost following the actions (deterrence by punishment).^11,12 In writings on conventional and nuclear deterrence, it is widely acknowledged that perceptions are key to successful deterrent efforts⁷ in the sense that the adversary must perceive “that the costs likely to be incurred from his initiative will outweigh the potential gains.”¹³ To achieve their objective, deterrent efforts should be clear, proportional, and credible. Clarity entails the ability to communicate unambiguously which measures the defender will likely adopt to respond; proportionality describes the equivalence between the means used to deter and the objectives pursued by the defender; finally, credibility—which is a function of clarity and proportionality—is rooted in the deterrer’s capability and willingness to act in face of external aggression.⁷ Therefore, traditional tenets of deterrence rest on a credible threat of punishment or the credible denial of gains.

The application of these favoring conditions of classical deterrence is significantly hampered in the hybrid context. First, aggressive behaviors in the gray zone do not simply materialize as military confrontation but rather as a complex combination of military and non-military, overt and covert, operations involving economic coercion, disinformation campaigns, offensive cyber operations, and even the deployment of armed groups (NATO’s response to hybrid threats, Accessed 19 April 2023, https://www.nato.int/cps/en/natohq/topics_156338.htm). Second, hybrid threats present additional and unique problems that significantly blur the way in which confrontations take place. Among many, two of the most pressing issues in tackling hybrid threats derive from the fact that gray zone activities occur on a continuous basis and are often difficult to attribute to a specific adversary. This makes deterrence even more complicated.¹⁴

Traditional in-domain punishment and denial strategies, while maintaining some relevance, are no longer sufficient to address the complex interactions occurring in the gray zone.¹⁵ Traditional deterrence strategies should evolve into complex cross-domain strategies that—in addition to the threat of costs and the denial of potential gains—include the provision of reassurances and incentives to the adversary (assurance), the promotion of international cooperation and norm development (norms), and the exploitation of economic and systemic (inter)dependencies (entanglement) to influence adversarial behaviors. In addition, given the perpetual state of tension in the gray zone, deterrent efforts should be “cumulative”: defenders should consider counter-hybrid strategies as a “longer-term process in which a one-off transgression does not spell failure” and in which adversarial behavior “is shaped by the deterrer in a concerted effort.”^16,17 In this sense, the authors suggest that a broader strategy of dissuasion is better equipped to address hybrid threats. Dissuasion is hereby understood as the overarching strategy encompassing both punishment and denial responses with advanced countermeasures that can leverage political, diplomatic, and economic relations among peers.¹⁸ Consequently, to dissuade adversaries in the gray zone, counter-hybrid strategies can only be effective if all instruments of state power across the Diplomatic-Information-Military-Economic-Financial-Intelligence-Law enforcement (DIMEFIL) spectrum are strategically deployed, while simultaneously managing escalation dynamics and potential retaliatory responses from adversaries (Strategic Communications Hybrid Threats Toolkit, Monika Gill, Ben Heap, and Pia Hansen (NATO Strategic Communications Center of Excellence), 30–36, accessed 26 April 2023, https://stratcomcoe.org/publications/strategic-communications-hybrid-threats-toolkit/213).

In practice, however, there are no agreed-upon principles, metrics or guidelines to craft successful cross-domain responses and the risk of disproportional and ambiguous behaviors is ever-present.¹⁴ Since deterrence and dissuasion are ultimately rooted in perception, the effectiveness of counter-hybrid strategies is dependent on real-world motivations and perceived core interests of the adversary. This includes its propensity for offensive action as well as the vulnerabilities it seeks to protect from possible retaliation (The Nine Commandments on Countering Hybrid Threats Threats — Internationale Politik Quarterly, Michael Rühle, accessed 20 May 2023, https://ip-quarterly.com/en/nine-commandments-countering-hybrid-threats). In most situations, however, policymakers lack sufficient information regarding the broader strategic objectives that adversaries pursue in the gray zone; what decision-making processes and pay-off calculus drive operations below the threshold of war; and, to what extent counter-hybrid policies affect hybrid threat behavior, not in the least, because a vast array of hybrid threats takes place below the threshold of detection and attribution.¹⁹ Hence, it is extremely difficult to gauge the effectiveness of counter-hybrid policies in the real world.

While attempting to model hybrid threat dynamics, some authors have resorted to game theory to examine strategic interactions among rival states in an effort to overcome the paucity of information available.^2,20 Others have incorporated scarce data sources into Bayesian modeling techniques^1,21 with the aim of refining domain knowledge with available data. Although current game-theoretic approaches struggle to capture the complexities and uncertainties inherent in hybrid threat dynamics, Bayesian modeling techniques, while effective at handling uncertainty, fall short in representing strategic interactions.

This paper introduces a novel contribution by proposing an influence diagram approach that models the deep uncertainties of counter-hybrid policies (e.g., threat detection, attribution, and mitigation effects) as probabilistic relations.²² By extending this approach to a multi-agent framework,²³ it integrates game-theoretic considerations, offering a unified methodology that not only bridges these two approaches but also enhances their applicability to complex, multi-actor hybrid threat scenarios.

3. Methodology

This section outlines the underlying mechanism of the simulation model, along with the process of eliciting inputs required to run simulations using the model. The full scope of the proposed method, including the extent of expert involvement, is illustrated in Figure 1.

Figure 1.

The figure illustrates the processes involved in counter-hybrid threat analysis as proposed in this study. Initially, domain experts identify the hybrid threat and develop corresponding counter-hybrid measures. They also provide key input parameters, which are used to construct probabilistic input distributions for the model. Samples from these distributions are used to run simulations with the causal influence diagram (CID) as well as the multi-agent influence diagram (MAID) model. Finally, a sensitivity analysis is performed and the model results are interpreted and compared with existing studies.

The model considers the behavior of two agents possessing the characteristics of sovereign states, following the two-agent approach of Balcaen et al.² and Attiah et al.²⁰ On one side, agent A aims to pursue its strategic objectives using hybrid attacks. On the other side, agent B wishes to protect its national interests and deter and defend against hybrid attacks. Agent B, the defender, chooses a counter-hybrid posture to deter or dissuade agent A from carrying out a hybrid operation. For this reason, the strategy is referred to as a counter-hybrid measure. To this purpose, agent B explores available counter-hybrid measures to dissuade the adversary from carrying out hybrid attacks by altering the cost-benefit calculus.²⁴ The defender may also adopt measures—such as the enhancement of detection and/or attribution capabilities²⁵—that would boost resilience and mitigate the potential impact of hybrid conducts.²⁶

Both the counter-hybrid measure and the hybrid attack bear direct costs. Such costs represent not only the resource costs but also costs involving for instance political capital to rally domestic and international support as well as potential costs associated with escalation. The interaction between agents A and B is of a zero-sum nature. Probabilities are used to reflect the considerable degree of uncertainty over the value of key variables that lead to different outcomes. Examples are uncertainty associated with the impact of counter-hybrid measures on the strategic calculus of agent A, as well as with detection, attribution, and the mitigatory impact of the counter-hybrid measure.

First, a causal influence diagram approach is introduced, enabling the optimization of counter-hybrid deterrence strategies when the adversary’s responsiveness is estimated probabilistically. This approach is then extended into a multi-agent influence diagram by modeling both agents as players within a game-theoretical framework, allowing for the analysis of game equilibria.

3.1. Optimizing counter-hybrid strategy

A Bayesian Network modeling technique is often used to account for the combination of probabilistic and deterministic relationships.^1,27–30 This allows for the factorization of the joint distribution as the product of the conditional probabilities according to the structure of the graph.³¹ Bayesian networks can be extended to causal influence diagrams to further dissect the nodes of the graph into random variables, utility nodes, and decision nodes²² and allow for causal interventions. In the first proposed modeling approach, the defender preemptively commits to a selected counter-hybrid posture to deter or dissuade agent A from conducting a hybrid operation, represented by a decision node. The adversary’s response is driven by the estimated probability of successful dissuasion.

More formally, let $D$ be the decision variable describing the counter-hybrid measure, which is followed by $C$ , the random variable for the hybrid conduct. The available strategies and state spaces for $D$ and $C$ are $Ω_{D} = {d_{1}, \dots, d_{n}}$ and $Ω_{C} = {c_{1}, \dots, c_{m}}$ respectively. Each combination of counter-hybrid measure and hybrid operation variables leads to a discrete pay-off random variable $Θ$ with state space $Ω_{θ} = {θ_{1}, \dots, θ_{k}}$ representing the interaction pay-off structure excluding direct costs. Because we separate the pay-off structure from hybrid and counter-hybrid interaction from the direct cost of hybrid operation and counter-hybrid measure, we assume the pay-off structure has a zero-sum game component, meaning a positive value $θ \in Θ$ corresponds to the gain of agent B and the loss of agent A, while a negative value for $θ \in Θ$ represents a gain for agent A and the loss for agent B. The direct costs for the counter-hybrid measure and the hybrid attack are drawn from a cost probability function and denoted by $Γ$ and $H$ respectively, where the costs for the counter-hybrid measure has state space $Ω_{Γ} = {γ_{1}, \dots, γ_{n}}$ with $γ_{i} \geq 0$ for $i = 1, \dots, n$ and the costs for the hybrid attack has state space $Ω_{H} = {η_{1}, \dots, η_{m}}$ with $η_{i} \geq 0$ for $i = 1, \dots, m$ . The total pay-off can finally be calculated by $DP = Θ - Γ$ for agent B and $CP = - Θ - H$ for agent A. The causal influence diagram that corresponds with these relations is depicted in Figure 2 (While the cost variables are priorly drawn from probability distributions, they become deterministic in the influence diagram, as only one cost value corresponds to a (counter-) hybrid measure per experiment). Note that factorizing the direct costs in the initial pay-off node could have made the influence diagram purely probabilistic. However, for clarification purposes, direct costs have been separated from interaction costs. All probability distributions in the influence diagram are typically assumed to be categorical, which makes the conditional probabilities expressible via conditional probability tables (CPTs). According to the influence diagram structure, the joint probability can be factorized via

\begin{matrix} P (d, c, θ, γ, η, dp, cp) = P (d) P (c ∣ d) P (θ ∣ d, c) P (γ ∣ d) \\ P (η ∣ c) P (dp ∣ γ, θ) P (cp ∣ θ, η) . \end{matrix}

Figure 2.

(Multi-Agent) Causal Influence Diagram encoding hybrid threat modeling. While the bottom background layer groups the deterministic variables, the top layer represents the probabilistic variables. Probabilistic relations are displayed by black arrows and deterministic relations by gray arrows.

3.2. Optimizing counter-hybrid strategy

In order to calculate the probability of the total pay-off for agent B, we have to marginalize out all other variables (we can ignore the deterministic variables in other parts of the network³²)

\begin{matrix} P (dp) = \sum_{d} \sum_{c} \sum_{θ} \sum_{γ} P (d, c, θ, γ, dp) \\ = \sum_{d} \sum_{c} \sum_{θ} \sum_{γ} P (d) P (c ∣ d) P (θ ∣ d, c) \\ P (γ ∣ d) P (dp ∣ γ, θ) . \end{matrix}

Suppose that agent B has access to the potential costs of counter-hybrid measures $Ω_{Γ} = {γ_{1}, \dots, γ_{n}}$ , their deterrence capacity and their ability to mitigate potential damages $P (θ ∣ d, c)$ . Agent B’s objective is to compute the counter-hybrid measure that maximizes its total pay-off under the assumed probability distributions.³³ Specifically, we want to find the intervention $do (D = d)$ that maximizes agent B’s expected total pay-off. Since the counter-hybrid measure node has no incoming arrows (see Figure 2), intervening on a variable is the same as conditioning on this variable³¹

\begin{matrix} \max_{d_{1}, \dots, d_{n}} E (dp ∣ do (D = d)) \\ = \max_{d_{1}, \dots, d_{n}} \sum_{c} \sum_{θ} \sum_{γ} dpP (c, θ, γ, dp, ∣ do (D = d)) \\ = \max_{d_{1}, \dots, d_{n}} \sum_{c} \sum_{θ} \sum_{γ} dpP (c ∣ d) P (θ ∣ d, c) \\ P (γ ∣ d) P (dp ∣ γ, θ) . \end{matrix}

This can be formulated as an integer linear program (ILP)

\begin{matrix} \max \sum_{h = 1}^{k} \sum_{j = 1}^{m} \sum_{i = 1}^{n} θ_{h} w_{ijh} q_{ij} p_{i} + \sum_{i = 1}^{n} γ_{i} p_{i} \\ subject to \sum_{i = 1}^{n} p_{i} = 1 \\ p_{i} \in {0, 1} i = 1, \dots, n \end{matrix}

3.3. Subgame perfect equilibrium

In optimizing the counter-hybrid strategy, probabilities are used to estimate the likelihood of successfully deterring the adversary after each measure. These probabilities are determined ex-ante, meaning they are drawn before a counter-hybrid measure is chosen. As a result, they do not account for any short-term pay-off adjustments that occur during the interaction that eventually set the outcome in equilibrium. To this end, we extend the causal influence diagram approach to multi-agent influence diagrams (MAIDS)^23,34 to account for these strategic considerations and address the notion of equilibrium.

Formally, the hybrid conduct node $C$ of Figure 2 is no longer modeled probabilistically but is instead represented as a decision node. In addition, the distinction between the two agents, $A$ and $B$ , is made explicit by assigning decision and utility nodes to each respective player. Specifically, decision node $D$ and utility node $DP$ are assigned to agent $B$ , while decision node $C$ and utility node $CP$ are associated with agent $A$ .

We seek a solution concept that pinpoints a subset of possible outcomes when agents act rationally. While the Nash equilibrium (NE) is a widely used solution concept in non-cooperative games, where no agent can gain by changing their strategy unilaterally,³⁵ it may lead to non-credible threats. These are decisions made by an agent that would not be in their best interest to execute if the situation were to arise.³⁶ In the context of the hybrid threat game, non-credible threat equilibria emerge when the attacker threatens to conduct a hybrid operation despite it not being in their best interest in terms of pay-off.

To address this, we adopt the concept of subgame perfect equilibrium (SPE).³⁴ A subgame perfect equilibrium is defined as a refinement of Nash equilibrium in which the Nash equilibrium conditions are satisfied not only for the overall game but also for every subgame within it. Therefore, the SPE eliminates the existence of non-credible threats and ensures that decisions regarding counter-hybrid measures or hybrid operations remain rational and optimal at every stage of the interaction. Subgame perfect equilibria can be determined by applying backward induction across all identified subgames.

3.4. Probability distributions & elicitation

Filling the influence diagram with accurate conditional probabilities is widely recognized as a challenging task²⁹ and a rigorous elicitation process should be developed to ensure the highest degree of accuracy in the inputs. To maintain a realistic perspective in our estimates, we have attempted to estimate the cost, potential deterrence capacity, (either denial or punishment), and resilience-enhancing ability of each counter-hybrid measure on the basis of an in-depth literature review complemented with a mini-Delphi approach with seven (junior) analysts with a background in strategic studies. This resulted in probability distributions from which samples were drawn to conduct the experiments. Initially, the parameters of these distributions were inspired by a literature review. Subsequently, analysts made a one-time adjustment to the parameters, informed by visualizations of the resulting distributions. The specifics of these probability distributions per variable are summarized in Table 1 while the exact parameters are available in the appendix. Values that are likely to be drawn from these probability distributions indicate that they align closely with consensus in the literature and the outcomes of the mini-Delphi survey, while values unlikely to be drawn correspond to values that are less in alignment. By repeatedly sampling input variables from these distributions independently, we generated a total of 1000 experimental scenarios. These experiments can be considered semi-synthetic due to the absence of a rigorous, standardized method for constructing the prior distributions for these estimates,³⁷ requiring us to rely on the constructed probabilistic representations.

Table 1.

Values drawn from probability distributions. Costs of counter-hybrid measures and damaging impacts of hybrid attacks are expressed in US million dollars. While the costs of counter-hybrid measures and damaging impacts of hybrid attacks are drawn from variants of the normal distribution, the probability values for the ability to deter and the ability to mitigate damaging impacts are drawn from their corresponding conjugate priors (Beta and Dirichlet, respectively).

Value	Meaning	Probability distribution
$θ_{h}$	Potential damage of a hybrid attack	Drawn from different truncated normal distributions for each category of damaging impacts.³⁸
$γ_{i}$	Cost for conducting counter-hybrid measure $d_{i}$	Drawn from different truncated normal distributions for each counter-hybrid measure $d_{i}$ .³⁸
$q_{ij}$	Probability of the adversary conducting hybrid operation $c_{j}$ after counter-hybrid measure $d_{i}$	Drawn from different Beta distributions for each counter-hybrid measure.
$w_{ijh}$	Probability of potential damage $θ_{h}$ after the adversary conducts hybrid conduct $c_{j}$ and defender counter-hybrid measure $d_{i}$	Drawn from different Dirichlet distributions for each counter-hybrid measure and hybrid operation combination.³⁹

Despite the semi-synthetic nature of the experiments, all the counter-hybrid measures considered in this paper have been derived from real-world examples and their impacts have been scored by experts, ensuring reflection of real-world variability and available empirical evidence. As the modeling approach enables the exploration of dynamics that cannot be empirically tested in the real world, the semi-synthetic nature of the data is a necessary instrument to conduct this analysis. Furthermore, the flexibility of the proposed framework ensures its applicability to other domains and hybrid threat types, as the underlying principles and interactions are generalizable beyond the specific scenarios tested. This adaptability enhances its utility in addressing a broad spectrum of hybrid threat challenges.

4. Experimental design

We consider a scenario in which the defending agent B fears that revisionist agent A attempts to destabilize and harm agent B through hybrid attacks. In particular, the defender is aware of agent A’s offensive capabilities in the cyber and information domains and is concerned that the latter will carry out a high-scale cyber-attack against its critical infrastructures, such as power plants, and grids, water management facilities, ports, the healthcare system and/or other essential services. Offensive cyber operations constitute a clear example of a hybrid threat below the threshold of large-scale armed conflict. Indeed, cyber operations have become more prevalent in recent years due to the technical, physical and logical layers of cyberspace and the pervasive use of networks and technologies in our daily life (Council of Foreign Relations, “Cyber Operations Tracker,” accessed December 1, 2022, https://www.cfr.org/cyber-operations/).¹⁰ Furthermore, offensive cyber operations may well produce material consequences resulting in considerable physical damage such as for instance in the case of Stuxnet in Iran (2009), Shamoon in Saudi Arabia (2012) or NotPetya in over 60 countries around the world (2017).

An anonymized list of plausible hybrid actions was constructed based on a series of real-world malicious cyber operations drawn from the updated datasets compiled by Valeriano and Maness⁴⁰ and Roth et al.⁴¹ and by the Council of Foreign Relations, (Council of Foreign Relations, “Cyber Operations Tracker,” accessed 1 December 2022, https://www.cfr.org/cyber-operations/) as well as on a review of the relevant literature. In addition, given the exponential development of new technologies and the evolving dynamics in current conflicts, this was complemented with expert imagination, in an effort to anticipate potential courses of action (and response), and key variables in the cyber domain were distilled. This resulted in a realistic cyber threat scenario that is specified in the appendix. Plausible counter-hybrid responses are similarly drawn and the experts have selected the top five cross-domain measures to counter malicious cyberattacks, which are summarized in Table 2.

Table 2.

Five Counter-Hybrid Measures.

Domain	Title	Capability	Rationale
Cyber	Boost cyber resilience at the wider societal level	Introduce legislation or collaboration that requires individuals and companies to adopt sufficient levels of cyber resilience, based on the specific risk exposure of the subject.	Boosting cyber resilience at the broader societal level is one of the core tenets of a whole-of-society approach to hybrid/cyber threats.
Cyber	Employ offensive cyber capabilities	Use offensive cyber operations in order to undermine the target.	It is often the case that cyberattacks are not directly attributable. In the short term, it provides a covert way to influence the target. The effect of an offensive cyberattack is scalable.
Legal	Market restrictions	Introduce legislation to restrict an opponent from accessing your market in a specific sector (such as ICT).	Such measure reduces the possibilities for an adversary to exploit vulnerabilities but it may also clash with other legal commitments (see international trade commitments against market restrictions based on nationality).
Diplomatic	Open deterrence messaging through strategic communications	Communicate one’s strategic posture in order to convince a target to comply with one’s strategic aims.	Being transparent with the hostile actor regarding one’s own strategic strengths and possible actions. This increases the possibility of a better-informed decision by the hostile actor.

While it is generally difficult to determine the exact costs and damages resulting from a cyberattack on critical infrastructures,⁴² experts recognize that a defender’s ability to timely detect an attack, and recover from it, significantly affects the overall impact of malicious conduct.^43,44 Therefore, we consider three categories of impact resulting from cyberattacks, based on the impact that such attacks may produce on critical infrastructures:

$θ_{1}$ Impact from cyberattacks on critical infrastructure leading to a massive disruption of essential services due to the absence of effective detection capabilities and the lack of adequate recovery capabilities.

$θ_{2}$ Impact from cyberattacks on critical infrastructure leading to substantial losses due to the defender’s ability to partially, or at least eventually, detect the attack or mitigate its consequence

$θ_{3}$ Impact from cyberattacks on critical infrastructure leading to limited or negligible effects by reason of the defender’s ability to preventively detect and/or recover from the attack.

Since entities targeted by malicious cyberattacks are reluctant to share information about their precise impact, we have constructed heavy-tailed half-normal distributions based on the research of Lis and Mendel⁴⁵ to sample the potential impact, $θ_{1}, θ_{2}, θ_{3}$ for each of the three classes of malicious cyberattacks. Drawing from distributions with high variance, which are specified in the appendix, helps to account for the variability and lack of consensus on the potential impact of a cyberattack.

4.1. Counter-cyber measures

When parsing available responses to cyberattacks, the focus is placed on in-domain responses (measures in cyberspace), as well as out-domain (measures in other domains)—such as law enforcement, norm development, public diplomacy, and economic sanctions. Through the lens of cumulative deterrence, some of these counter-hybrid measures intend to mitigate the potential damage of a hostile cyberattack, while others aim to dissuade adversaries from conducting aggressive behaviors by raising their cost-benefit calculation. The five different counter-cyber measures considered are active intelligence sharing $d_{1}$ , boosting cyber resilience at the wider societal level $d_{2}$ , employing offensive cyber capabilities $d_{3}$ , imposing market restrictions $d_{4}$ and open deterrence messaging through strategic communications $d_{5}$ . These are shown in Table 2. Alternatively, the defender can choose to refrain from engaging in counter-hybrid measures $d_{6}$ . The appendix contains the specifications of the probability distributions that will be used to distill the costs, the probability of successful deterrence and the probability of mitigating damaging effects for each of the different counter-cyber measures.

4.1.1. Active intelligence sharing

Active intelligence sharing entails the sharing of intelligence across allies to help detect and attribute attacks. Intelligence sharing yields several benefits, ranging from the promotion and the improvement of situational awareness⁴⁶ to the development of more refined cyber security strategies.⁴⁷ These benefits contribute to mitigating the damages stemming from cyberattacks. However, there are also costs associated with intelligence sharing, such as the cost of accidentally trusting malicious stakeholders with confidential information.⁴⁶ When the adversary is not being aware of intelligence sharing, it will not impact its decision to conduct a hybrid operation.

4.1.2. Boosting cyber resilience at the wider societal level

As critical infrastructure can rely heavily on private stakeholders, boosting cyber resilience at a wider societal level can decrease the potential impact of a cyberattack on critical infrastructure. This can be achieved through either legislation or public-private partnerships. Partnerships between the public and private sectors are preferred as unilateral legislation might lead to a strong focus on futile compliance efforts.⁴⁸ The measure enhances cyber resilience and therefore decreases the probability of damaging impacts. Therefore, the measure also contributes to deterring by denial. However, setting up these partnerships can be costly as it draws heavily on scarce cybersecurity experts.

4.1.3. Employ offensive cyber capabilities

Offensive cyberattacks are targeted at disrupting, degrading or denying adversaries’ offensive capabilities. The offensive cyber operations can be used to infiltrate the networks to temporarily take the adversary offline and prevent it from using such networks to carry out malicious cyber activities. Alternatively, the measure can serve as a threat to further offensive measures. The ability to execute cyber operations bears costs for facilitating a cyber unit and carrying out an attack. There is an aspect of deterrence by denial and deterrence by punishment. The effectiveness of offensive cyber operation as a deterrence measure is debatable as some scholars argue that in order for the offensive operation to be credible, vulnerabilities in the adversaries’ network need to be exploited that, when patched, make the offensive cyber operation less useful.⁴⁹

4.1.4. Market restrictions

In the case of critical infrastructures, a state may decide to ban the use of software, hardware or other ICT products and services produced or supplied by allegedly hostile actors. As a softer version, a state may impose strict due diligence and risk assessment obligations with regard to the procurement of ICT services and products. Market restrictions inevitably bear substantial costs.⁵⁰ However, only allowing trusted parties to run critical infrastructure limits a hostile actor’s capacity to take control of the critical infrastructure and therefore enhances resilience. At the same time, the measure can contribute significantly to deterrence by denial efforts as it becomes increasingly hard for the adversary to conduct hybrid operations on systems the hostile actor is not familiar with. In this way, it denies the adversary the ability to carry out attacks.

4.1.5. Open deterrence messaging through strategic communication

A defending state can publish national security doctrinal documents stating responses to particular threats. These responses can be actively communicated through strategic communication channels. From a deterrence-by-punishment perspective, it is clear that the effectiveness of the measure relies heavily on the level of detail and the language used (i.e., the level of retaliatory threats it mentions).

5. Results

In this section, we discuss the results based on the experimental setup of the previous section. First, we present the results of optimizing for the counter-hybrid measure using estimated deterrence probabilities. This is followed by an analysis of the subgame perfect equilibria, where the decision to conduct the hybrid attack is modeled as the agent’s strategic choice (The modeling effort is publicly available at https://github.com/HCSS-Data-Lab/Hybrid-Threat-Implementation).

For each of the 1000 experiments, we rank the effectiveness of the counter-hybrid measure in terms of total pay-off for defending agent B from least optimal to most optimal. A count plot of the rank of the counter-hybrid measures for all experiments is displayed in Figure 3.

Figure 3.

The count of the specific rank that each of the counter-hybrid measures is computed to attain.

In summary, despite the high cost of imposing market restrictions ( $d_{4}$ ), they are often deemed the most optimal counter-hybrid measure due to the potential to mitigate damages and to deny the adversary’s ability to carry out attacks. Intelligence sharing ( $d_{1}$ ), valued for its cost-effectiveness, plays a crucial role in mitigating attack damage by enabling timely defensive actions and fostering political support for collective responses. While offensive cyber operations ( $d_{3}$ ) could disrupt enemy capabilities, they carry high risks of escalation and have variable success rates. Boosting cyber resilience ( $d_{2}$ ), though costly, is consistently rated effective for both damage mitigation and deterrence. Open deterrence communication ( $d_{5}$ ) hinges on the adversary’s responsiveness to threats, requiring detection, attribution, and communication capabilities to be successful. Finally, in very rare draws, abstaining from counter-hybrid measures ( $d_{6}$ ) emerges as the most effective strategy.

To derive more meaningful insights, we now shift our focus from the specific outcomes of individual measures to the broader results that can be drawn from the overarching characteristics of these measures, especially considering that a well-designed elicitation protocol would significantly enhance the interest and reliability of individual results while the same overarching characteristics would prevail.

Overall, the measures vary in several ways: some measures rely on their ability to dissuade the adversary through punishment (open messaging, offensive cyber operations), others count on the ability to mitigate the potential damage when confronted with an attack (intelligence sharing), and there are also measures that are a mixture of both deterrence by denial and enhancing resilience (boosting cyber resilience and imposing market restrictions). While these characteristics are distributed evenly among the optimal measures, the measure designated as optimal in most cases—i.e., imposing market restrictions—is also the most versatile one with respect to both dissuasion as well as resilience enhancement. In addition, the variance of the cost, ability to mitigate the damage and ability to deter are different for each of the measures as their impact is mediated by favoring conditions. For instance, while deterrence by punishment measures (open messaging and offensive cyber operation) can be very effective counter-hybrid measures, they are also among the most ineffective measures for some experiments as illustrated by Figure 3. This is because they rely heavily on their effect on the adversary’s strategic calculus. When dissuasion is not successful, they do not contribute to mitigating the damaging impact of hybrid conduct, leaving the defender exposed.

In order to test how variations in input parameters influence the output of the model, we conducted sensitivity analyses using the state-of-the-art tool of van Stein et al.⁵¹ for each of the counter-hybrid measures. While full sensitivity reports for each of the counter-hybrid measures are available (Full sensitivity reports are available at https://github.com/HCSS-Data-Lab/Hybrid-Threat-Implementation) and the top three contributing features per counter-hybrid measure are summarized in Table 3, Figure 4 presents the SHAP summary plot for imposing market restrictions, which serves as a representative example of the broader sensitivity analysis conducted. As can be observed from the figure, the probability of successfully deterring the adversary $q_{14}$ , as well as the costs of the measure $γ_{4}$ are the most influential factors for the effectiveness of the counter-hybrid measure. While the measure’s ability to mitigate the negative impact is comparatively less influential overall, its role in increasing the probability of a negligible impact ( $ω_{413}$ ) or reducing the likelihood of a severe impact ( $ω_{411}$ ) remains a significantly important factor in evaluating its effectiveness. As the effectiveness of the measure is strongly influenced by its ability to dissuade the adversary, there is a need to consider this factor not only probabilistically but also within a game-theoretic framework. By doing so, we computed the subgame perfect equilibria detailed in the previous section, providing a more comprehensive evaluation of the measures in a strategic context.

Table 3.

Top 3 Most Importance Features of the SHAP Plots for each Counter-Hybrid Measure.

Counter-hybrid Measures	Top Features
	#1	#2	#3
D1 Intelligence Sharing	$q_{11}$	$ω_{111}$	$ω_{113}$
D2 Boosting Cyber Resilience	$γ_{2}$	$q_{12}$	$ω_{213}$
D3 Offensive Cyber Operation	$q_{13}$	$ω_{311}$	$ω_{313}$
D4 Market Restrictions	$q_{14}$	$γ_{4}$	$ω_{411}$
D5 Open Messaging	$q_{15}$	$γ_{5}$	$θ_{1}$
D6 No Deterrence Measure	$q_{16}$	$ω_{611}$	$θ_{1}$

Figure 4.

SHAP summary plot for counter-hybrid measure imposing market restrictions: The y-axis represents the features ranked by their importance to the model output. The x-axis shows the SHAP value, indicating the magnitude and direction of each feature’s impact on the model output. The color gradient reflects the feature values.

These subgame perfect equilibria for the same 1000 experiments are displayed in Table 4, reflecting outcomes where agents seek to optimize their pay-off rationally. The low occurrence of hybrid attacks indicates that the chosen counter-hybrid measures focus on deterring the adversary rather than mitigating the consequences of a hybrid attack. Given that the adversary’s strategic calculus is assumed to be known, the defending agent can strategically select the most cost-effective counter-hybrid measure that successfully deters the adversary from launching an attack. This explains why intelligence sharing is preferred over market restrictions when both measures suffice to deter the adversary. Moreover, when the strategic calculus is such that the adversary is likely to proceed with a hybrid operation regardless of the counter-hybrid measure, the subgame perfect equilibria suggest that the defending agent should commit to cost-efficient counter-hybrid measures, such as intelligence sharing, to mitigate the impact of the attack.

Table 4.

Subgame Perfect Equilibria Outcome Occurrences.

Counter-hybrid Measures	Hybrid Operation
	Attack	No Attack
D1 Intelligence Sharing	15	697
D2 Boosting Cyber Resilience	1	98
D3 Offensive Cyber Operation	3	76
D4 Market Restrictions	0	110
D5 Open Messaging	0	0
D6 No Deterrence Measure	0	0

5.1. Validation of the results

While general validation of the results remains challenging due to the ambiguous nature of hybrid threats and the reluctance of targeted parties to disclose information, contextualizing our findings within established models and prior studies provides valuable insights. First, our findings align with other model implications that hybrid threats are effective in economically exhausting the defending agent,² as the most effective counter-hybrid measure in our analysis is also the most costly. This underscores the need for a prioritized allocation of scarce resources and the strategic construction of cross-domain deterrence measures. The findings of our multi-agent model further corroborate prior research emphasizing the need for defensive strategies that balance the effectiveness of counter-hybrid measures with resource constraints,²⁰ highlighting the importance of selecting cost-efficient options under varying adversarial strategies.

Moreover, our analysis supports existing studies on democratic deterrence, which advocate for a whole-of-society approach coordinated by the state.⁵² In particular, our findings highlight the effectiveness of measures such as market restrictions and intelligence sharing, which align with the use of non-military, soft power, and asymmetrical strategies to counter-hybrid threats.⁵³ Finally, our sensitivity analysis reinforces the findings on existing modeling efforts on deterrence in the cyber realm,⁵⁴ emphasizing that the effectiveness of such threats is heavily contingent upon the adversary’s susceptibility to countermeasures.

6. Discussion

This paper introduced new approaches to evaluating the effectiveness of cross-domain counter-hybrid measures by balancing the cost, deterrence ability and damage mitigation ability of each of the measures in the context of uncertainty about the deterrent and defensive effects of these measures, which were therefore modeled probabilistically or game-theoretically. Experiments with these approaches included 1000 different scenarios involving malicious cyber operations and contained various counter-hybrid measures inspired by an extensive literature review complemented with a mini-Delphi survey.

While game-theoretic approaches have gained traction in the hybrid domain² and the cyber domain,²⁰ game theory alone fails to capture the subtleties arising from uncertainties inherent in the hybrid threat dynamic. Alternatively, probabilistic graphical models can be inadequate in the hybrid threat domain,¹ as they require ex-ante specifications and do not account for strategic interactions. Our work is the first to unify game-theoretic and probabilistic graphical approaches, encoding uncertainties specific to the hybrid domain as probabilistic relations and modeling the different actors as agents. The results of our modeling effort highlight how distinct characteristics of counter-hybrid measures influence their effectiveness across various simulations and illustrate game outcomes shaped by rational, optimal decision-making through game equilibria.

The policy implications are therefore twofold. First, our analysis shows that the effect of different counter-hybrid measures ranging from punishment, denial to resilience can be systematically estimated under conditions of deep uncertainty drawing on insights from the literature and through expert elicitation. The outcome of the multi-agent approach even reveals the changing optimal measure in the case of a strategic-acting adversary. Our model provides a prototype for this process, a model that can be emulated, expanded, and refined to test and design counter-hybrid policies in order to help policy-makers in the formulation and prioritization of counter-hybrid policies.

Second, our extensive simulations grounded in elicited data highlight the importance of favoring conditions. These conditions mediate the effect of measures, suggesting that effective counter-hybrid strategies need to target these favoring conditions. Deterrence by punishment measures, for instance, are contingent on the receptiveness of the adversary, as these counter-hybrid strategies only work well when the adversary is responsive to such measures.⁵⁵ The modeling exercise indicates that even a small enhancement in understanding the aggressor’s plausible receptiveness to counter-hybrid measures could lead to a significant enhancement in the assessment of the effectiveness of measures. This implies that resources spent on anticipating the adversary’s reaction to possible counter-hybrid measures are conditional on the effect of the counter-hybrid measures. Because the responsiveness of the adversary also depends on communication, the results emphasize that a meticulous communication strategy is essential when implementing a counter-hybrid measure.¹⁴

We propose two future research areas. First, recently developed methods have focused on the elicitation of conditional probability tables.^56,57 Implementation of these methods and confronting policy-makers would increase the precision of the input data for the model. Second, experiments should be run on scenarios that involve hybrid threats of a cross-domain nature beyond just the cyber domain. This injects additional complexity but will reflect more closely the contemporary nature of hybrid threats.

More fundamentally, our modeling effort seeks to develop the knowledge base including the methods, data, and techniques, that can be applied to real-world security problems characterized by uncertainty. By showing that such a modeling effort yields insights that have real-world policy value, we hope our effort will receive a wider following.

Footnotes

Appendix 1 Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was financially supported by the Dutch Ministry of Foreign Affairs and the Dutch Ministry of Defence within the PROGRESS research framework agreement. Responsibility for the contents and for the opinions expressed rests solely with the authors and does not constitute, nor should be construed as, an endorsement by the Dutch Government.

ORCID iD

Maarten C Vonk

Author biographies

Maarten C Vonk is a Data Scientist at the Hague Center for Strategic Studies and is currently pursuing a PhD degree in Computer Science at the Leiden Institute of Advanced Computer Science (LIACS). His research explores how causal modeling can be applied to policymaking, with the aim of improving decision-making outcomes.

Anna V Kononova is an Assistant Professor of Efficient Heuristic Optimisation at Leiden Institute of Advanced Computer Science, Leiden University, the Netherlands. Previously, she worked as an engineer and a mathematician in industry.

Thomas Bäck (Fellow, IEEE) received the Diploma degree in Computer Science in 1990 and the PhD degree in Computer Science in 1994, both from the University of Dortmund, Germany. Since 2002, he is Professor of Computer Science with the Leiden Institute of Advanced Computer Science (LIACS), Leiden University, Netherlands. His research interests include evolutionary computation, machine learning, and their real-world applications, especially in sustainable smart industry and health.

Tim Sweijs is the director of research at The Hague Center for Strategic Studies and a senior research fellow at the War Studies Research Center. Dr Sweijs’s work spans strategic foresight, interstate coercion, the evolution of warfare, emerging technologies, international norms, alliances, and defense planning for smaller nations, solidifying his position as a key voice in the field of strategic studies.

References

Balaban

Mielniczek

Hybrid conflict modeling. In: 2018 Winter Simulation Conference, Gothenburg, 9–12 December, pp. 3709–3720. New York: IEEE.

Balcaen

Bois

Buts

A game-theoretic analysis of hybrid threats. Defence Peace Econ 2022; 33: 26–41.

Berejikian

JD.

A cognitive theory of deterrence. J Peace Res 2002; 39: 165–183.

Paul

. Confessions of a hybrid warfare skeptic. Small Wars J 2016

Morris

Mazarr

Hornung

, et al. Gaining competitive advantage in the gray zone: response options for coercive aggression below the threshold of major war. Technical Report, RAND National Defense Research Institute, Santa Monica, CA, 27 June 2019.

Mallory

New challenges in cross-domain deterrence. Technical Report, JSTOR, 2018, https://www.rand.org/content/dam/rand/pubs/perspectives/PE200/PE259/RAND_PE259.pdf

Mazarr

. Understanding deterrence. The Hague: Asser Press, pp. 13–28.

Wilner

Wenger

Morgan

, et al. Deterrence by denial: theory and practice. Amherst, NY: Cambria Press, 2021.

Lupovici

Deterrence through inflicting costs: between deterrence by punishment and deterrence by denial. Int Stud Rev 2023; 25: viad036.

10.

Arce

Cybersecurity for defense economists. Defence Peace Econ 2023; 34: 705–725.

11.

Freedman

LD.

Deterrence. Cambridge: Polity Press, 2004.

12.

George

Smoke

Deterrence in American foreign policy: Theory and practice. New York: Columbia University Press, 1974.

13.

Nyemann

Sørensen

Going beyond resilience: a revitalized approach to countering hybrid threats. Hybrid Coe Strategic Analysis, 2018, https://research.fak.dk/esploro/outputs/other/Going-Beyond-Resilience-A-revitalized-approach/991815945303741

14.

Sweijs

Zilincik

The essence of cross-domain deterrence. In: Sweijs

Zilincik

(eds) NLARMS Netherlands Annual Review of Military Studies 2020: Deterrence in the 21St Century—insights from Theory and Practice. New York: Springer, 2021, pp. 129–158.

15.

Gartzke

Lindsay

. Cross-domain deterrence: Strategy in an era of complexity. Oxford: Oxford University Press, 2019.

16.

Sweijs

Zilincik

Cross domain deterrence and hybrid conflict. The Hague: Centre for Strategic Studies, 2019.

17.

Tor

“Cumulative deterrence” as a new paradigm for cyber deterrence. J Strategic Stud 2017; 40: 92–117.

18.

Nye Jr

. Deterrence and dissuasion in cyberspace. Int Secur 2016; 41: 44–71.

19.

Kilcullen

The evolution of unconventional warfare. Scandinavian J Milit Stud 2019; 2: 61–71.

20.

Attiah

Chatterjee

Zou

CC.

A game theoretic approach to model cyber attack and defense strategies. In: 2018 IEEE international conference on communications, Kansas City, MO, 20–24 May 2018, pp. 1–7. New York: IEEE.

21.

Davis

O’Mahony

Curriden

, et al. Influencing adversary states: quelling perfect storm. Technical Report, Rand Corp, Santa Monica, CA, 2021, https://apps.dtic.mil/sti/trecms/pdf/AD1123253.pdf

22.

Howard

Matheson

JE.

Influence diagrams. Decision Analysis 2005; 2: 127–143.

23.

Koller

Milch

Multi-agent influence diagrams for representing and solving games. Games Econ Behav 2003; 45: 181–221.

24.

Brantly

. The cyber deterrence problem. In: 2018 10th International Conference on Cyber Conflict Cycon, Tallinn, 29 May–1 June 2018, pp. 31–54. New York: IEEE.

25.

Schneider

Deterrence in and through cyberspace. In: Gartzke

Lindsay

(eds) Cross-domain Deterrence: Strategy in an Era of Complexity. Oxford: Oxford University Press, 2019, pp. 95–120.

26.

Gilad

Tishler

Mitigating the risk of advanced cyber attacks: the role of quality, covertness and intensity of use of cyber weapons. Def Peace Econ 2023; 34: 726–746.

27.

Zhu

Peng

Wang

Dual-domain-based adversarial defense with conditional VAE and bayesian network. IEEE Trans Ind Inform 2020; 17: 596–605.

28.

Yan

Lee

Kent

, et al. Towards a bayesian network game framework for evaluating DDoS attacks and defense. In: Proceedings of the 2012 ACM conference on Computer and communications security, Raleigh, NC, 16–18 October 2012, pp. 553–566. New York: ACM.

29.

Johansson

Falkman

. A bayesian network approach to threat evaluation with application to an air defense scenario. In: 2008 11th International conference on information fusion, Cologne, 30 June–3 July 2008, pp. 1–7. New York: IEEE.

30.

Wang

Sun

, et al. Air defense threat assessment based on dynamic bayesian network. In: 2012 International Conference on Systems and Informatics (ICSAI2012), Yantai, China, 19–20 May 2012.

31.

Pearl

Causality. Cambridge: Cambridge University Press, 2009.

32.

Koller

Friedman

Probabilistic graphical models: principles and techniques. Cambridge, MA: MIT press, 2009.

33.

Andrew

Spillard

Collyer

, et al. Developing optimal causal cyber-defence agents via cyber security simulation. arXiv Preprint 2207.12355, 2022.

34.

Hammond

Fox

Everitt

, et al. Equilibrium refinements for multi-agent influence diagrams: theory and practice. arXiv Preprint 2102.05008, 2021.

35.

Nash

Jr.

Equilibrium points in n-person games. Proc Natl Acad Sci 1950; 36: 48–49.

36.

Selten

Bielefeld

RS.

Reexamination of the perfectness concept for equilibrium points in extensive games. New York: Springer, 1988.

37.

Mikkola

Martin

Chandramouli

, et al. Prior knowledge elicitation: the past, present, and future. Bayesian Anal 2023; 19: 1129–1161.

38.

Norgaard

Killeen

Expected utility and the truncated normal distribution. Manag Sci 1980; 26: 901–909.

39.

Spiegelhalter

Lauritzen

SL.

Sequential updating of conditional probabilities on directed graphical structures. Networks 1990; 20: 579–605.

40.

Valeriano

Maness

RC.

The dynamics of cyber conflict between rival antagonists, 2001–11 (dataset updated 2022). J Peace Res 2022; 51: 347–360.

41.

Roth

Stirparo

Bizeul

, et al. Apt groups and operations, 2019.

42.

Greenberg

Sandworm: a new era of cyberwar and the hunt for the Kremlin’s most dangerous hackers. New York, Doubleday, 2019.

43.

Morato

Berrueta

Magaña

, et al. Ransomware early detection by the analysis of file sharing traffic. J Netw Comput Appl 2018; 124: 14–32.

44.

Sullivan

Kamensky

How cyber-attacks in Ukraine show the vulnerability of the US power grid. Electr J 2017; 30: 30–35.

45.

Lis

Mendel

Cyberattacks on critical infrastructure: an economic perspective 1. Econ Bus Rev 2019; 5: 24–47.

46.

Wagner

Mahbub

Palomar

, et al. Cyber threat intelligence sharing: survey and research directions. Comput Secur 2019; 87: 101589.

47.

Feledi

Fenz

Lechner

Toward web-based information security knowledge sharing. Inform Secur Tech Rep 2013; 17: 199–209.

48.

Tiirmaa-Klaar

Building national cyber resilience and protecting critical information infrastructure. J Cyber Policy 2016; 1: 94–106.

49.

McKenzie

TM.

Is cyber deterrence possible, 2017. Available at: https://media.defense.gov/2017/Nov/20/2001846608/-1/-1/0/CPP_0004_MCKENZIE_CYBER_DETERRENCE.PDF

50.

Krolikowski

Hall

TH.

Non-decision decisions in the Huawei 5G dilemma: policy in Japan, the United Kingdom, and Germany. Japan J Polit Sci 2023; 24: 1–19.

51.

van Stein

Raponi

Sadeghi

, et al. A comparison of global sensitivity analysis methods for explainable ai with an application in genomic prediction. IEEE Access 2022; 10: 103364–103381.

52.

Treverton

Thvedt

Chen

, et al. Addressing hybrid threats, 2018, https://www.hybridcoe.fi/wp-content/uploads/2020/07/Treverton-AddressingHybridThreats.pdf

53.

Wigell

Democratic deterrence: how to dissuade hybrid interference. Washington Quart 2021; 44: 49–67.

54.

Kostyuk

Deterrence in the cyber realm: public versus private cyber capacity. Int Stud Quart 2021; 65: 1151–1162.

55.

Mazarr

Chan

Demus

, et al. What Deters and Why: Exploring Requirements for Effective Deterrence of Interstate Aggression. Santa Monica, CA: RAND, 2018.

56.

Hassall

Dailey

Zawadzka

, et al. Facilitating the elicitation of beliefs for use in bayesian belief modelling. Environ Model Softw 2019; 122: 104539.

57.

Barons

Mascaro

Hanea

AM.

Balancing the elicitation burden and the richness of expert input when quantifying discrete bayesian networks. Risk Anal 2022; 42: 1196–1234.