QuantTM: Business-Centric Threat Quantification for Risk Management and Cyber Resilience
Jan von der Assen, Muriel F. Franco, Muyao Dong, Burkhard Stiller

TL;DR
QuantTM is a novel threat quantification approach that integrates business perspectives to assess financial impacts of threats, aiding decision-making in cybersecurity investments.
Contribution
It introduces a business-centric threat quantification method that incorporates operational and strategic views for economic risk assessment.
Findings
Demonstrated feasibility in a Swiss SME case study.
Showed improved interpretability for decision-makers.
Validated usability of the prototype tool.
Abstract
Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security…
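The abstract describes expressing a threat's consequence as a monetary figure so that decision-makers can compare threat events and judge whether a control pays for itself. The following is an added illustration of that kind of calculation, not QuantTM's own method or code: it uses the classic annualized loss expectancy (ALE = single loss expectancy × annualized rate of occurrence) and return on security investment (ROSI) formulas, and all threat names, loss figures, occurrence rates, control costs and reduction factors are constructed, hypothetical values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ThreatEvent:
    """One threat event, quantified in business terms (hypothetical values)."""
    name: str
    sle: float  # single loss expectancy: cost of one occurrence, in CHF
    aro: float  # annualized rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Control:
    """A candidate security control and its assumed effect on threat frequency."""
    name: str
    annual_cost: float  # yearly cost of operating the control, in CHF
    # Fraction of each threat's ARO the control removes (hypothetical estimates).
    aro_reduction: dict = field(default_factory=dict)


def ale(event: ThreatEvent) -> float:
    """Annualized loss expectancy for a single threat event."""
    return event.sle * event.aro


def ale_total(events: list) -> float:
    """Total annualized loss expectancy across all threat events."""
    return sum(ale(e) for e in events)


def ale_with_control(events: list, control: Control) -> float:
    """Total ALE after applying the control's ARO reductions to each threat."""
    total = 0.0
    for e in events:
        reduction = control.aro_reduction.get(e.name, 0.0)
        total += e.sle * e.aro * (1.0 - reduction)
    return total


def rosi(events: list, control: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    avoided = ale_total(events) - ale_with_control(events, control)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_threats(events: list) -> list:
    """Threat events ordered by annualized loss, highest first."""
    return sorted(events, key=ale, reverse=True)


def best_control(events: list, controls: list) -> tuple:
    """Name and ROSI of the control with the highest return."""
    scored = [(c.name, rosi(events, c)) for c in controls]
    return max(scored, key=lambda pair: pair[1])


# Constructed sample data for a small company (not from the paper).
SAMPLE_THREATS = [
    ThreatEvent("ransomware", sle=250_000.0, aro=0.2),
    ThreatEvent("phishing", sle=20_000.0, aro=2.0),
    ThreatEvent("data_breach", sle=400_000.0, aro=0.05),
]

BACKUPS_EDR = Control(
    "offline backups + EDR", annual_cost=30_000.0,
    aro_reduction={"ransomware": 0.6, "data_breach": 0.2},
)
TRAINING = Control(
    "security awareness training", annual_cost=8_000.0,
    aro_reduction={"phishing": 0.5},
)

if __name__ == "__main__":
    for e in rank_threats(SAMPLE_THREATS):
        print(f"{e.name:<12} ALE = CHF {ale(e):>10,.0f}")
    print(f"total ALE without controls: CHF {ale_total(SAMPLE_THREATS):,.0f}")
    for c in (BACKUPS_EDR, TRAINING):
        print(f"{c.name}: ROSI = {rosi(SAMPLE_THREATS, c):.2f}")
    print("best control:", best_control(SAMPLE_THREATS, [BACKUPS_EDR, TRAINING]))
```

With these constructed figures the ranking by annualized loss places ransomware first, and the cheaper training control shows a higher return than the backup and EDR investment, even though the latter avoids more loss in absolute terms. The point of presenting results in currency rather than an abstract score is exactly that such trade-offs become arguable with a business stakeholder; the quality of the answer, however, is bounded by the quality of the SLE, ARO and reduction estimates that the operational and strategic representatives supply.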
Taxonomy
Topics: Big Data and Business Intelligence
