Abstract
A methodology for the quantitative assessment of an organisation’s network cyber threats was developed to quantitatively assess and compare the cybersecurity threat landscape under conditions of limited data while applying a risk-oriented approach. It can be used either to assess the level of network cyber threats of a particular organisation (as a quantitative measure of the criticality of cyber threats detected within the organisation’s network) or to compare the level of network cyber threats of several organisations during the same or different time periods, providing grounds to support managerial decisions regarding the organisation’s cybersecurity strategy. The proposed scheme of the algorithm can be used to automate the calculation process. The assessment of network cyber threats considered in the article is not a full-fledged measure of cyber risk, because the methodology was developed for the common circumstance in which risk context data are deficient. Nevertheless, the results of applying the methodology partially reflect the overall level of the organisation’s cyber risk and are expected to be used when a full-featured, proper cyber threat assessment cannot be organised for some reason.
Publisher
NASK National Research Institute