Methodology for Probabilistic Assessment of Attack Vectorfor Cyber Threat Scenario

Abstract

Background/Objectives: This paper propose to establish a comprehensive attack vector evaluation scale for cyber threat scenarios and to suggest a method for calculating probability values for deriving standardized results.
Methods/Statistical analysis: In general, the qualitative method of threat assessment is expressed by technical variables rather than numerical values due to the qualitative nature of the elements analyzed in the evaluation. Quantitative methods can compare the effect of threat levels and countermeasures through objective figures, which helps in decision making when establishing security measures. It is difficult to have statistical data on past cybersecurity-related cases because of the work required.
Findings: In this paper, we study a method to derive the quantitative level of qualitative attributes by matching the evaluation elements in the physical environment with those in the cybersecurity environment. Through detailed analysis of the attack route included in the attack base of the threat scenario, the evaluation scale of the essential elements constituting the established attack vector was established. Applying the proposed evaluation scale, we derive a method of calculating probability values for standardized results.
Improvements/Applications: The method complements the limitations of the existing quantitative methods by calculating the attack vector level as a probability value for the probability of threat success, and can compare the standardized threat levels through the proposed method. The proposed threat assessment model is expected to be useful for determining security action priorities.