Modern organizations need effective ways to assess cybersecurity risk. Successful cyber attacks can result in data breaches, which may inflict significant loss of money, time, and public trust. Small businesses and non-profit organizations have limited resources to invest in cybersecurity controls and often do not have the in-house expertise to assess their risk. Cyber threat actors also vary in sophistication, motivation, and effectiveness. This paper builds on the previous work of Lerums et al., who presented an AnyLogic model for simulating aspects of a cyber attack and the efficacy of controls in a generic enterprise network. This paper argues that their model is an effective quantitative means of measuring the probability of success of a threat actor and implements two primary changes to increase the model's accuracy. First, the authors modified the model's inputs, allowing users to select threat actors based on the organization's specific threat model. Threat actor effectiveness is evaluated based on publicly available breach data (in addition to security control efficacy), resulting in further refined attack success probabilities. Second, all three elements - threat effectiveness, control efficacy, and model variance - are computed and evaluated at each node to increase the estimation fidelity in place of pooled variance calculations. Visualization graphs, multiple simulation runs (up to 1 million), attack path customization, and code efficiency changes are also implemented. The result is a simulation tool that provides valuable insight to decision-makers and practitioners about where to most efficiently invest resources in their computing environment to increase cybersecurity posture. AttackSimulation and its source code are freely available on GitHub.
budgeting, computer simulation, cybersecurity, data breaches, evaluation research, probability, risk management, threat modeling
Date of this Version