Abstract
Modern organizations need effective ways to assess cybersecurity risk. Successful cyber attacks can result in data breaches, which may inflict significant loss of money, time, and public trust. Small businesses and non-profit organizations have limited resources to invest in cybersecurity controls and often do not have the in-house expertise to assess their risk. Cyber threat actors also vary in sophistication, motivation, and effectiveness. This paper builds on the previous work of Lerums et al., who presented an AnyLogic model for simulating aspects of a cyber attack and the efficacy of controls in a generic enterprise network. This paper argues that their model is an effective quantitative means of measuring the probability of success of a threat actor and implements two primary changes to increase the model's accuracy. First, the authors modified the model's inputs, allowing users to select threat actors based on the organization's specific threat model. Threat actor effectiveness is evaluated based on publicly available breach data (in addition to security control efficacy), resulting in further refined attack success probabilities. Second, all three elements - threat effectiveness, control efficacy, and model variance - are computed and evaluated at each node to increase the estimation fidelity in place of pooled variance calculations. Visualization graphs, multiple simulation runs (up to 1 million), attack path customization, and code efficiency changes are also implemented. The result is a simulation tool that provides valuable insight to decision-makers and practitioners about where to most efficiently invest resources in their computing environment to increase cybersecurity posture. AttackSimulation and its source code are freely available on GitHub.
Keywords
budgeting, computer simulation, cybersecurity, data breaches, evaluation research, probability, risk management, threat modeling
Date of this Version
11-2022
Included in
Defense and Security Studies Commons, Information Security Commons, Management Sciences and Quantitative Methods Commons
Comments
Published in the proceedings of the 2022 IEEE International Symposium on Technologies for Homeland Security (HST). DOI: 10.1109/HST56032.2022.10024984
(c) 2022 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.