QuantTM: Business-Centric Threat Quantification for Risk Management and Cyber Resilience

Jan von der Assen, Muriel F. Franco, Muyao Dong, Burkhard Stiller

TL;DR

Threat modeling often neglects business relevance and economic interpretation, limiting decision-making about security investments. QuantTM addresses this gap with a three-layer framework (Information Systems, Business Process, Organizational) to collect threat information from technical and business stakeholders and a qualitative-economic model to produce a discounted loss metric for prioritization. The approach is demonstrated through a real Swiss SME case, a client-side prototype, and focus-group and expert evaluations, illustrating feasibility, usability, and added insight beyond traditional risk matrices or DREAD. The results suggest that business-centric threat quantification can improve prioritization, control evaluation, and resilience planning, even for SMEs with limited security resources.

Abstract

Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security controls, thus supporting the threat analysis and prioritization from an economic perspective. QuantTM comprises an overarching process for data collection and aggregation and a method for business impact analysis. The performance and feasibility of the QuantTM approach are demonstrated in a real-world case study conducted in a Swiss SME to analyze the impacts of threats and economic benefits of security controls. Secondly, it is shown that employing business impact analysis is feasible and that the supporting prototype exhibits great usability.

Paper Structure

This paper contains 28 sections, 6 equations, 5 figures, and 10 tables.

Figures (5)

  • Figure 1: Key Factors in the NIST Risk Model (from the NIST Risk Assessment Guide)
  • Figure 2: Three-layered Threat Quantification Methodology Indicating the Steps (White Boxes) and the Resulting Artifacts (Black Elements)
  • Figure 3: Steps and Resulting Artifacts Involved in the BIA Process
  • Figure 4: Impact Factor Identification for an Attack on Service Availability
  • Figure 5: Threat Analysis using a 3x3 Risk Matrix