Computational Knightian Uncertainty: Undecidability and the Limits of Cyber Risk Quantification in Software-Intensive Firms
Keywords:
Computational Knightian uncertainty, Knightian uncertainty, Undecidability, Cyber risk, Rice’s theorem, Halting problem, Cyber insurance, Kolmogorov complexityAbstract
Frank Knight’s distinction between measurable risk and unmeasurable uncertainty is central in economics and finance. Contemporary practice often collapses uncertainty into risk by assuming that all material hazards can, in principle, be quantified given sufficient data and computation. This assumption breaks down when the asset in question is large-scale software. This paper argues that undecidability in computability theory, as exemplified by Turing’s halting problem and Rice’s theorem, creates a structural form of uncertainty for software-intensive firms that cannot be reduced to standard probabilistic risk. Many security, safety, and compliance properties of interest to insurers, acquirers, and regulators are non-trivial semantic properties of programs and therefore undecidable in general, even under idealized conditions of perfect code visibility and unlimited classical computation. We call the resulting residual uncertainty computational Knightian uncertainty (CKU): a component of uncertainty that persists even if all observable information is known and arbitrarily robust classical computation is available. We introduce structural opacity the extent to which a codebase resists compression into a small set of regular patterns under a chosen description language [3] and explore approximate Kolmogorov complexity (KC) of codebases as one proxy for this opacity. We develop a conceptual model that links undecidability, structural opacity, and observable outcomes, including cyber incident severity, cyber insurance loss experience, and merger and acquisition (M&A) valuation discounts. In this model, KC and related metrics act as structural covariates that may correlate with CKU, rather than as direct risk measures. Two small synthetic simulations illustrate the empirical logic: first, a crude gzip-based compressibility index sharply separates highly regular from highly irregular synthetic code; second, a KC-like covariate is recoverable in regression when it truly affects incident severity and does not appear systematically when it does not. Our theoretical commitment is modest: computability results guarantee that CKU is non-zero for sufficiently expressive systems. The further claims that CKU is economically material in large, structurally opaque codebases and that structural metrics provide usable proxies are empirical hypotheses to be argued and tested, not consequences of undecidability alone.
References
A. M. Turing, “On computable numbers, with an application to the Entscheidungsproblem,” Proc. London Math. Soc., ser. 2, vol. 42, pp. 230–265, 1937, doi: 10.1112/plms/s2-42.1.230.
H. G. Rice, “Classes of recursively enumerable sets and their decision problems,” Trans. Amer. Math.Soc., vol. 74, no. 2, pp. 358–366, 1953, doi: 10.1090/S0002-9947-1953-0053041-6.
M. Li and P. Vit´anyi, An Introduction to Kolmogorov Complexity and Its Applications, 3rd ed. NewYork, NY, USA: Springer, 2008, doi: 10.1007/978-0-387-49820-1.
T. J. McCabe, “A complexity measure,” IEEE Trans. Softw. Eng., vol. SE-2, no. 4, pp. 308–320, Dec.1976, doi: 10.1109/TSE.1976.233837.
N. E. Fenton, “Software metrics: successes, failures and new directions,” J. Syst. Softw., vol. 47, nos.2–3, pp. 149–157, 1999, doi: 10.1016/S0164-1212(99)00035-7.
N. E. Fenton and M. Neil, “A critique of software defect prediction models,” IEEE Trans. Softw. Eng.,vol. 25, no. 5, pp. 675–689, May 1999, doi: 10.1109/32.815326.
G. Klein et al., “seL4: formal verification of an OS kernel,” in Proc. 22nd ACM Symp. Operating SystemsPrinciples (SOSP), Big Sky, MT, USA, Oct. 2009, pp. 207–220, doi: 10.1145/1629575.1629596.
C. Biener, M. Eling, and J. H. Wirfs, “Insurability of cyber risk: an empirical analysis,” Geneva PapersRisk Insur. – Issues Pract., vol. 40, no. 1, pp. 131–158, 2015, doi: 10.1057/gpp.2014.19.
R. He, Z. Jin, and J. S.-H. Li, “Modeling and management of cyber risk: a cross disciplinary review,”Ann. Actuarial Sci., vol. 18, no. 1, pp. 1–32, 2024, doi: 10.1017/S1748499523000258.
J. Kay and M. King, Radical Uncertainty: Decision Making Beyond the Numbers. New York, NY, USA:W. W. Norton, 2020.
Veracode, Inc., “State of Software Security 2023: Annual Report on the State of Application Security,”Veracode, Burlington, MA, USA, 2023. [Online]. Available: https://info.veracode.com/rs/790-ZKW-291/images/Veracode_State_of_Software_Security_2023.pdf.
F. H. Knight, Risk, Uncertainty, and Profit. Boston, MA, USA: Houghton Mifflin, 1921.
. Ellsberg, “Risk, ambiguity, and the Savage axioms,” Q. J. Econ., vol. 75, no. 4, pp. 643–669, 1961, doi:10.2307/1884324.
I. Gilboa and D. Schmeidler, “Maxmin expected utility with non-unique prior,” J. Math. Econ., vol. 18,no. 2, pp. 141–153, 1989, doi: 10.1016/0304-4068(89)90018-9.
L. P. Hansen and T. J. Sargent, Robustness. Princeton, NJ, USA: Princeton Univ. Press, 2008, doi:10.1515/9781400829385.
R. Cilibrasi and P. M. B. Vit´anyi, “Clustering by compression,” IEEE Trans. Inf. Theory, vol. 51, no. 4,pp. 1523–1545, Apr. 2005, doi: 10.1109/TIT.2005.844059.
R. Anderson and T. Moore, “The economics of information security,” Science, vol. 314, no. 5799, pp.610–613, 2006, doi: 10.1126/science.1130992.
Additional Files
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 Michel Nguyen
This work is licensed under a Creative Commons Attribution 4.0 International License.
