In this paper, a general model for cyber-physical systems (CPSs), that captures the diffusion of attacks from the cyber layer to the physical system, is studied. In particular, a game-theoretic approach is proposed to analyze the interactions between one defender and one attacker over a CPS. In this game, the attacker launches cyber attacks on a number of cyber components of the CPS to maximize the potential harm to the physical system while the system operator chooses to defend a number of cyber nodes to thwart the attacks and minimize potential damage to the physical side. The proposed game explicitly accounts for the fact that both attacker and defender can have different computational capabilities and disparate levels of knowledge of the system. To capture such bounded rationality of attacker and defender, a novel approach inspired from the behavioral framework of cognitive hierarchy theory is developed. In this framework, the defender is assumed to be faced with an attacker that can have different possible thinking levels reflecting its knowledge of the system and computational capabilities. To solve the game, the optimal strategies of each attacker type are characterized and the optimal response of the defender facing these different types is computed. This general approach is applied to smart grid security considering wide area protection with energy markets implications. Numerical results show that a deviation from the Nash equilibrium strategy is beneficial when the bounded rationality of the attacker is considered. Moreover, the results show that the defender's incentive to deviate from the Nash equilibrium decreases when faced with an attacker that has high computational ability.