Mason Archival Repository Service

Hybrid Security Risk Assessment Model

dc.contributor.advisor Jones, James Jr
dc.contributor.author Banks, Robert E
dc.creator Banks, Robert E
dc.date 2020-12-04
dc.date.accessioned 2021-09-28T11:48:08Z
dc.date.available 2022-12-04T08:07:56Z
dc.identifier.uri http://hdl.handle.net/1920/12081
dc.description This dissertation has been embargoed for 2 years. It will not be available until December 2022 at the earliest. en_US
dc.description.abstract Current cybersecurity risk models are inadequate for assessing next-generation technologies. Current models often use experience-based data to quantify the potential risks of new security technologies based on their exploitability and impact. However, use of such data may be limited and is rarely reusable because it often contains confidential or proprietary information. I propose an improved risk model constructed from public data and represented as a set of probabilistic models. The proposed Hybrid Security Risk Assessment Model uses the Department of Homeland Security's public National Vulnerability Database (NVD) for information on known vulnerabilities, and MITRE’s public Common Attack Pattern Enumeration and Classification (CAPEC™) tools as the basis of a risk scoring system. I developed Bayesian Belief Networks (BBN) to generate probabilities within this risk management system to assess new technologies for critical infrastructure use cases. The Hybrid Security Risk Assessment Model enables a more accurate and trustworthy way of quantitatively estimating the vulnerability and weakness-based risk of new technologies using publicly available data. en_US
dc.language.iso en en_US
dc.subject National Vulnerability Database (NVD) en_US
dc.subject Common Vulnerability Scoring System (CVSS) en_US
dc.subject Common Weakness Scoring System (CWSS) en_US
dc.subject Bayesian Belief Network (BBN) en_US
dc.subject Common Weakness Risk Analysis Framework (CWRAF) en_US
dc.subject Risk Assessment en_US
dc.title Hybrid Security Risk Assessment Model en_US
dc.type Dissertation en_US
thesis.degree.name Doctor of Philosophy in Information Technology en_US
thesis.degree.level Master's en_US
thesis.degree.discipline Information Technology en_US
thesis.degree.grantor George Mason University en_US

