Modeling Interdependent Cybersecurity Threats Using Bayesian Networks: A Case Study on In-Vehicle Infotainment Systems

TL;DR

This paper demonstrates how Bayesian Networks can model interdependent cybersecurity threats in automotive systems, enabling probabilistic reasoning, causal analysis, and vulnerability identification to improve risk assessment.

Contribution

It presents a novel approach of transforming attack trees into Bayesian Networks for dynamic cybersecurity risk modeling in in-vehicle systems.

Findings

Bayesian Networks effectively model threat dependencies and uncertainties.

The model supports probabilistic inference and causal analysis.

Insights into high-impact vulnerabilities guide mitigation strategies.

Abstract

Cybersecurity threats are increasingly marked by interdependence, uncertainty, and evolving complexity challenges that traditional assessment methods such as CVSS, STRIDE, and attack trees fail to adequately capture. This paper reviews the application of Bayesian Networks (BNs) in cybersecurity risk modeling, highlighting their capacity to represent probabilistic dependencies, integrate diverse threat indicators, and support reasoning under uncertainty. A structured case study is presented in which a STRIDE-based attack tree for an automotive In-Vehicle Infotainment (IVI) system is transformed into a Bayesian Network. Logical relationships are encoded using Conditional Probability Tables (CPTs), and threat likelihoods are derived from normalized DREAD scores. The model enables not only probabilistic inference of system compromise likelihood but also supports causal analysis using do-calculus and local sensitivity analysis to identify high-impact vulnerabilities. These analyses provide insight into the most influential nodes within the threat propagation chain, informing targeted mitigation strategies. While demonstrating the potential of BNs for dynamic and context-aware risk assessment, the study also outlines limitations related to scalability, reliance on expert input, static structure assumptions, and limited temporal modeling. The paper concludes by advocating for future enhancements through Dynamic Bayesian Networks, structure learning, and adaptive inference to better support real-time cybersecurity decision-making in complex environments.