Authors: Phillip King-Wilson
Addresses: Department of Information Systems and Decision Sciences, University of South Florida, 4202 E. Fowler Avenue, BSN 3403, Tampa, FL 33620, USA
Abstract: Cyber threat assessment requires threat identification and quantification for critical tasks such as risk management, underwriting and regulatory compliance. Traditional risk assessment models are used to determine threats, business impact and probability of a successful attack. However, analysis models exist, external to the IT security sector that can provide input to risk models to improve cloud computing applicability and error rate reduction in threat identification technologies for enhanced accuracy. Cloud computing and virtualisation have changed the cyber threat vector environment. Cloud utilisation options have new risk implications and their architectures require an alternative form of loss modelling to account for the various levels, location and utilisation at which an attack may take place. This paper proposes a combinatorial modelling and systems approach to assessing and valuing cyber threats, based upon the need to satisfy regulatory bodies to financially quantify such threats in an empirical and transparent manner. Epidemiological models for assessing error rates are combined within an extrapolation algorithm for cyber threats, increasing assessment accuracy. A cascading threat multiplier is used to reformulate traditional single loss expectancy risk models.
Keywords: network threat assessment; process interdependency; risk management; combinatorial models; systems; cyber threat valuation; business continuity; epidemiology; cascading threat multiplier; CTM; cloud computing; IT security; cyber threat prediction; regulation; compliance.
International Journal of Business Continuity and Risk Management, 2017 Vol.7 No.2, pp.151 - 178
Received: 13 Dec 2016
Accepted: 06 Jun 2017
Published online: 17 Aug 2017 *