Threat-Informed Cyber Resilience Index: A Probabilistic Quantitative Approach to Measure Defence Effectiveness Against Cyber Attacks

TL;DR

This paper presents a probabilistic, threat-informed Cyber Resilience Index (CRI) that quantifies an organization's defense effectiveness against cyber-attacks, aiding strategic decision-making under uncertainty.

Contribution

It introduces a novel mathematical model based on POMDPs that translates complex threat intelligence into an actionable, unified resilience metric for organizations.

Findings

The CRI provides a dynamic measure of cyber resilience.

The model incorporates real-world attacker tactics and uncertainties.

It enables data-driven resource allocation and strategic planning.

Abstract

In the dynamic cyber threat landscape, effective decision-making under uncertainty is crucial for maintaining robust information security. This paper introduces the Cyber Resilience Index (CRI), a threat-informed probabilistic approach to quantifying an organisation's defence effectiveness against cyber-attacks (campaigns). Building upon the Threat-Intelligence Based Security Assessment (TIBSA) methodology, we present a mathematical model that translates complex threat intelligence into an actionable, unified metric similar to a stock market index, that executives can understand and interact with while teams can act upon. Our method leverages Partially Observable Markov Decision Processes (POMDPs) to simulate attacker behaviour considering real-world uncertainties and the latest threat actor tactics, techniques, and procedures (TTPs). This allows for dynamic, context-aware evaluation of an organization's security posture, moving beyond static compliance-based assessments. As a result, decision-makers are equipped with a single metric of cyber resilience that bridges the gap between quantitative and qualitative assessments, enabling data-driven resource allocation and strategic planning. This can ultimately lead to more informed decision-making, mitigate under or overspending, and assist in resource allocation.