
Weighted attack graphs and behavioral cyber game theory for cyber risk quantification

Kaiser, Florian K. 1; Wiens, Marcus; Schultmann, Frank 1
1 Institut für Industriebetriebslehre und Industrielle Produktion (IIP), Karlsruher Institut für Technologie (KIT)

Abstract:

Operating and engineering secure systems is challenging, yet it is a necessary prerequisite for modern life as we know it, for flourishing economic systems, and for society as a whole. This is because digitalization has penetrated broad aspects of every facet of life, realizing many opportunities. However, digital transformation also leads to increasing vulnerability to cyber threats. Cyber risk quantification thereby has a crucial role, as anything that “is not measured cannot be improved. [And] what is not improved will always degrade” (Thomas Kelvin). However, quantifying cyber risk, or, inversely, quantifying cyber security, is still in its infancy and a largely unsolved problem.

We propose a novel methodology for cyber risk quantification based on weighted attack graphs. To do so, we introduce a multi-layered attack ontology, which is the basis of the attack graph. The attack graph is developed relying on cyber threat intelligence. We weight each attack path using computational models of motivation. The attack graph is the basis of a defender-attacker game. We analyze and solve the game to derive quantitative measures describing the risk of being attacked.


Original publication
DOI: 10.1201/9781003269144-2
Affiliated institution(s) at KIT: Institut für Industriebetriebslehre und Industrielle Produktion (IIP)
Kompetenzzentrum für angewandte Sicherheitstechnologie (KASTEL)
Publication type: Book chapter
Publication date: 21.12.2022
Language: English
Identifier: ISBN: 978-1-03-221600-3
KITopen-ID: 1000153634
HGF program: 46.23.04 (POF IV, LK 01) Engineering Security for Production Systems
Further HGF programs: 46.23.01 (POF IV, LK 01) Methods for Engineering Secure Systems
Published in: Advances in Cyber Security and Intelligent Analytics. Ed.: A. Verma
Edition: 1
Publisher: CRC Press-Taylor & Francis Group
Pages: 27-42