AI Summary
Existing cybersecurity game-theoretic models largely overlook critical uncertainties, including attacker intent, system state, and information asymmetry, leading to fragile and impractical solutions. Method: We systematically review 80 relevant studies and propose a "requirements-capabilities-feasibility" three-dimensional evaluation framework. Based on this, we introduce an application-oriented uncertainty taxonomy and modeling guidelines covering probabilistic, fuzzy, and epistemic uncertainty. We further design actionable integration pathways for incorporating uncertainty into game models. Contribution/Results: Our analysis reveals that over 90% of current models exhibit blind spots in uncertainty modeling. The proposed framework and guidelines are empirically validated across representative scenarios, including intrusion detection, defensive resource allocation, and APT mitigation, demonstrating improved robustness and deployability. This work bridges the gap between game-theoretic formalism and operational cybersecurity practice, providing a methodological foundation for developing resilient, real-world deployable security games.
Abstract
Given the scale of consequences attributable to cyber attacks, the field of cybersecurity has long outgrown ad-hoc decision-making. A popular choice to provide disciplined decision-making in cybersecurity is Game Theory, which seeks to mathematically understand strategic interaction. In practice though, game-theoretic approaches are scarcely utilized (to our knowledge), highlighting the need to understand the deficit between the existing state-of-the-art and the needs of cybersecurity practitioners. Therefore, we develop a framework to characterize the function and assumptions of existing works as applied to cybersecurity and leverage it to characterize 80 unique technical papers. Then, we leverage this information to analyze the capabilities of the proposed models in comparison to the application-specific needs they are meant to serve, as well as the practicality of implementing the proposed solution. Our main finding is that Game Theory largely fails to incorporate notions of uncertainty critical to the application being considered. To remedy this, we provide guidance in terms of how to incorporate uncertainty in a model, what forms of uncertainty are critical to consider in each application area, and how to model the information that is available in each application area.