🤖 AI Summary
This paper addresses the optimal allocation of preventive and reactive cybersecurity defense resources under sensor signal uncertainty. We formulate a game-theoretic model with incomplete information, integrating sensor signal quality modeling and utility-based quantitative analysis to characterize strategic investment decisions of both attacker and defender. Our key contribution is the identification of a nonlinear influence mechanism: sensor quality significantly enhances the marginal security return of preventive investment—particularly when baseline attack success probability is low. Compared to a no-sensor baseline, our optimized resource allocation yields substantial improvements in overall security performance. The results provide a theoretical foundation and quantitative decision support for dynamic, sensing-aware defense investment strategies.
📝 Abstract
Cyber attacks continue to be a cause of concern despite advances in cyber defense techniques. Although cyber attacks cannot be fully prevented, standard decision-making frameworks typically focus on how to prevent them from succeeding, without considering the cost of cleaning up the damage caused by successful attacks. This motivates us to investigate a new resource allocation problem formulated in this paper: The defender must decide how to split its investment between preventive defenses, which aim to harden nodes from attacks, and reactive defenses, which aim to quickly clean up the compromised nodes. The problem is complicated by uncertainty in the observation, or sensor signal, that indicates whether a node is truly compromised; this uncertainty is real because attack detectors are not perfect. We investigate how the quality of sensor signals impacts the defender's strategic investment in the two types of defense, and ultimately the level of security that can be achieved. In particular, we show that the optimal investment in preventive resources increases, and thus reactive resource investment decreases, with higher sensor quality. We also show that the defender's performance improvement, relative to a baseline of no sensors employed, is maximal when the attacker can only achieve low attack success probabilities.