QuantTM: Business-Centric Threat Quantification for Risk Management and Cyber Resilience (2402.14140v1)

Published 21 Feb 2024 in cs.CR

Abstract: Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security controls, thus supporting the threat analysis and prioritization from an economic perspective. QuantTM comprises an overarching process for data collection and aggregation and a method for business impact analysis. The performance and feasibility of the QuantTM approach are demonstrated in a real-world case study conducted in a Swiss SME to analyze the impacts of threats and economic benefits of security controls. Secondly, it is shown that employing business impact analysis is feasible and that the supporting prototype exhibits great usability.

Authors (4)
  1. Jan von der Assen (17 papers)
  2. Muriel F. Franco (2 papers)
  3. Muyao Dong (1 paper)
  4. Burkhard Stiller (39 papers)