Research area: Safety
Venue: CCSW '23: Proceedings of the 2023 on Cloud Computing Security Workshop
In today's enterprise landscape, effective risk management has emerged as a vital cornerstone. This importance has escalated significantly due to the widespread transition from traditional on-premise infrastructures to dynamic cloud environments. Many organizations rely on qualitative approaches for internal IT and cyber risk management; however, these approaches have notable drawbacks, such as a lack of accuracy and comparability. In this paper, we propose a novel approach to address these limitations by using the Factor Analysis of Information Risk (FAIR) methodology in conjunction with MITRE ATT&CK to model realistic cyberattacks on organizations and measure quantitative risk. We describe how this approach can be used to create an enterprise cyber threat model, providing a case study for a cloud scenario to demonstrate its usage and to illustrate its potential benefits. Our model has demonstrated its practical applicability in enterprise settings as we thoroughly evaluated its effectiveness within two prominent German companies. This allowed us to gain valuable insight into how our proposed approach can enhance an organization's risk management strategies. Our research demonstrates the value of using a quantitative approach like FAIR over qualitative risk assessment methods. Overall, our approach provides a more comprehensive understanding of the risks organizations are facing and offers guidance on implementing effective risk management strategies. This research can help organizations improve their risk management practices and reduce the potential negative impact of cyberattacks.
| Publication year | 2023 |
|---|---|
| Citations | 4 |
| Publication countries | Germany, Antigua and Barbuda |
| Site | ACM |