In the rapidly evolving landscape of cybersecurity, measuring risk has traditionally hinged on two critical factors: impact and probability. Impact can be assessed objectively from the consequences an event has for the business objectives that the affected technology supports. Probability, by contrast, has usually been derived from historical data, a method that works well in sectors like finance or insurance. Cybersecurity, being a relatively new discipline, lacks the large body of historical incident data that such objective measurement requires. This gap has made it necessary to develop new approaches to measuring the likelihood of cybersecurity events.
A recent study by researchers Pablo Corona-Fraga, Vanessa Diaz-Rodriguez, Jesus Manuel Niebla-Zatarain, and Gabriel Sanchez-Perez addresses this challenge head-on. Their work delves into the current methodologies, frameworks, and incident data to propose a novel data model that provides an indirect but objective measure of likelihood. This model incorporates various sources and metrics, allowing for updates as needed, thereby offering a dynamic tool for cybersecurity risk assessment.
The researchers emphasize the importance of considering the tactics, techniques, and procedures (TTPs) used by attackers, together with indicators of compromise (IOCs) and the defence controls in place. By integrating these elements into their data model, they build a comprehensive cyber exposure profile. This profile not only measures the likelihood of cybersecurity events but also provides a framework for continuously refining cybersecurity strategies as new TTPs, IOCs, and controls are observed.
One of the standout contributions of this research is the proposal of practical, quantifiable metrics for risk assessment. These metrics enable cybersecurity practitioners to evaluate likelihood without relying solely on historical incident data. By combining these metrics with the proposed data model, organizations can gain an actionable framework that enhances their ability to predict and mitigate cyber threats.
The implications of this research are far-reaching. For the defence and security sector, the ability to measure cybersecurity risk more accurately translates into better preparedness and resilience against cyber threats. As cyber attacks become more sophisticated and frequent, having a robust, data-driven approach to risk assessment is crucial. This research provides a significant step forward in that direction, offering a tool that can be adapted and updated to meet the evolving challenges of the cybersecurity landscape.
In summary, the work of Corona-Fraga, Diaz-Rodriguez, Niebla-Zatarain, and Sanchez-Perez represents a pivotal advancement in cybersecurity risk assessment. By proposing a data model that objectively measures the likelihood of cybersecurity events and offering practical metrics for risk assessment, they provide a valuable resource for cybersecurity practitioners. This research not only addresses a critical gap in the field but also sets a new standard for measuring and mitigating cyber risks in an increasingly digital world. Read the original research paper here.