QuantTM: Business-Centric Threat Quantification for Risk Management and Cyber Resilience
CoRR(2024)
摘要
Threat modeling has emerged as a key process for understanding relevant
threats within businesses. However, understanding the importance of threat
events is rarely driven by the business incorporating the system. Furthermore,
prioritization of threat events often occurs based on abstract and qualitative
scoring. While such scores enable prioritization, they do not allow the results
to be easily interpreted by decision-makers. This can hinder downstream
activities, such as discussing security investments and a security control's
economic applicability. This article introduces QuantTM, an approach that
incorporates views from operational and strategic business representatives to
collect threat information during the threat modeling process to measure
potential financial loss incurred by a specific threat event. It empowers the
analysis of threats' impacts and the applicability of security controls, thus
supporting the threat analysis and prioritization from an economic perspective.
QuantTM comprises an overarching process for data collection and aggregation
and a method for business impact analysis. The performance and feasibility of
the QuantTM approach are demonstrated in a real-world case study conducted in a
Swiss SME to analyze the impacts of threats and economic benefits of security
controls. Secondly, it is shown that employing business impact analysis is
feasible and that the supporting prototype exhibits great usability.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要