QBER: Quantifying Cyber Risks for Strategic Decisions

Muriel Figueredo Franco, Aiatur Rahaman Mullick, Santosh Jha

TL;DR

The paper introduces QBER, a TEL-aware (Technical, Economic, Legal) CRQ framework that quantifies cyber-attack losses with metrics such as $Impact_w = Impact_{Operational} \cdot Impact_{Financial}$, $RS_{Economic} = \mathrm{avg}(RCVaR_{Factors}) \cdot \mathrm{avg}(CIA)$, and $Seg_{Risk} = Seg_{Impact} \cdot (Impact_w \cdot Risk_w)$. It fuses OSINT, MITRE ATT&CK-based threat modeling, and economic analysis through three modules, Business Analysis, Risk Analysis, and Cost Analysis, that interact via a shared Data Layer. Key contributions include a domain-prioritization rule $D_{priority} = T_w \cdot (\alpha + Impact_{Weight})$ and a ROSI-based cost analysis built on $Z_{ROSI} = \frac{ALE \cdot Control_{Efficacy} - Control_{Cost} \cdot Cost_{Rate}}{Control_{Cost} \cdot Cost_{Rate}}$, which is used to select cost-effective controls (a control with $Z_{ROSI} > 0$ removes more expected loss than it costs). Compared with established CRQ models (e.g., FAIR, NIST SP 800-30, ISO 27005), QBER emphasizes TEL integration and explainability, while outlining validation plans and future benchmarking against Monte Carlo simulations and Gordon-Loeb analyses.
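The metric chain and the ROSI decision rule quoted above, carried through on a constructed scenario. This is an added illustration, not code from the paper or from the QBER tool: the formulas follow the TL;DR verbatim, while the ALE = SLE × ARO decomposition (the usual annualized-loss-expectancy definition, not stated on this page), the value of alpha, the control names and every numeric input are assumptions chosen for the example.

```python
# Worked example of the QBER metrics quoted in the TL;DR. Added illustration
# only, not the paper's code. Metric definitions follow the TL;DR; all numeric
# inputs, the control catalogue, alpha, and the ALE = SLE * ARO decomposition
# are constructed assumptions.
from dataclasses import dataclass
from statistics import mean


def weighted_impact(impact_operational: float, impact_financial: float) -> float:
    """Impact_w = Impact_Operational * Impact_Financial."""
    return impact_operational * impact_financial


def economic_risk_score(rcvar_factors: list[float], cia: list[float]) -> float:
    """RS_Economic = avg(RCVaR_Factors) * avg(CIA)."""
    return mean(rcvar_factors) * mean(cia)


def segment_risk(seg_impact: float, impact_w: float, risk_w: float) -> float:
    """Seg_Risk = Seg_Impact * (Impact_w * Risk_w)."""
    return seg_impact * (impact_w * risk_w)


def domain_priority(threat_weight: float, impact_weight: float, alpha: float) -> float:
    """D_priority = T_w * (alpha + Impact_Weight)."""
    return threat_weight * (alpha + impact_weight)


def rosi(ale: float, control_efficacy: float, control_cost: float, cost_rate: float) -> float:
    """Z_ROSI = ((ALE * Control_Efficacy) - (Control_Cost * Cost_Rate)) / (Control_Cost * Cost_Rate).

    Positive: the control removes more expected loss than it costs.
    Negative: it does not pay for itself at this ALE.
    """
    spend = control_cost * cost_rate
    if spend <= 0:
        raise ValueError("control spend must be positive; ROSI is undefined otherwise")
    if not 0.0 <= control_efficacy <= 1.0:
        raise ValueError("control_efficacy is the fraction of ALE removed; must be in [0, 1]")
    return ((ale * control_efficacy) - spend) / spend


@dataclass(frozen=True)
class Control:
    name: str
    efficacy: float   # fraction of ALE the control is expected to remove (assumed)
    cost: float       # acquisition cost in currency units (assumed)
    cost_rate: float  # operating-overhead multiplier, 1.25 = 25 % on top (assumed)


# --- constructed scenario: hypothetical values, not from the paper ---
SLE = 250_000.0   # single-loss expectancy of one ransomware outage
ARO = 0.4         # expected occurrences per year
ALE = SLE * ARO   # 100_000 per year (assumed ALE = SLE * ARO)

CONTROLS = (
    Control("MFA on remote access", efficacy=0.6, cost=20_000, cost_rate=1.25),
    Control("Immutable backups", efficacy=0.8, cost=40_000, cost_rate=1.0),
    Control("EDR rollout", efficacy=0.5, cost=60_000, cost_rate=1.5),
)

ALPHA = 0.5  # baseline term in D_priority; the paper's value is not given here
DOMAINS = {  # business domain -> (T_w, Impact_Weight), all assumed
    "payments": (0.9, 0.8),
    "marketing": (0.7, 0.2),
    "hr": (0.4, 0.6),
}


def rank_controls(ale: float, controls=CONTROLS) -> list[tuple[str, float]]:
    """Controls ordered by ROSI, best first; entries below 0 are not cost-effective."""
    scored = [(c.name, rosi(ale, c.efficacy, c.cost, c.cost_rate)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def rank_domains(domains=DOMAINS, alpha: float = ALPHA) -> list[tuple[str, float]]:
    """Domains ordered by D_priority, highest first."""
    scored = [(name, domain_priority(t_w, i_w, alpha)) for name, (t_w, i_w) in domains.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def run_example() -> dict:
    """Carry one business segment through the metric chain and choose controls for it."""
    impact_w = weighted_impact(0.7, 0.5)                              # 0.35
    rs_econ = economic_risk_score([0.2, 0.4, 0.6], [0.9, 0.6, 0.3])   # 0.4 * 0.6 = 0.24
    seg = segment_risk(0.8, impact_w, risk_w=0.5)                     # 0.8 * 0.175 = 0.14
    ranking = rank_controls(ALE)
    return {
        "impact_w": impact_w,
        "rs_economic": rs_econ,
        "segment_risk": seg,
        "domain_ranking": rank_domains(),
        "control_ranking": ranking,
        "justified_controls": [name for name, z in ranking if z > 0],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With these inputs the EDR rollout has a negative ROSI (its yearly spend of 90,000 exceeds the 50,000 of expected loss it removes), so the decision rule drops it even though it has the highest absolute budget; the domain ranking shows why a moderate-threat but high-impact domain can outrank a higher-threat, low-impact one once the impact weight enters multiplicatively.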

Abstract

Quantifying cyber risks is essential for organizations to grasp their exposure to threats and make informed decisions. However, current approaches still fall short in blending economic viewpoints into the analysis. To bridge this gap, we introduce the QBER approach, which offers decision-makers measurable risk metrics. QBER evaluates losses from cyberattacks, performs detailed risk analyses based on existing cybersecurity measures, and provides thorough cost assessments. Our contributions involve outlining cyberattack probabilities and risks, identifying Technical, Economic, and Legal (TEL) impacts, creating a model to gauge impacts, suggesting risk mitigation strategies, and examining trends and challenges in implementing widespread Cyber Risk Quantification (CRQ). The QBER approach serves as a guide for organizations to assess risks and invest strategically in cybersecurity.

Paper Structure

This paper contains 8 sections, 9 equations, 2 figures, and 3 tables.

Figures (2)

  • Figure 1: The QBER Approach
  • Figure 2: User Flow of QBER's Information Collection for Business Analysis Implemented in a Commercial Solution¹