There has been a lot of discussion in this list regarding the need to assess 
and include the attacker’s ROI as a way to properly measure cyber attack risk. 
I had always strongly believed that this could be modeled mathematically by 
combining game theory and complex network theory, and that this would allow for 
a far more comprehensive approach than the industry’s subjective probability x 
impact assessments. 

We have written a book "Intentional Risk Management through Complex Networks 
Analysis (SpringerBriefs in Optimization)" 
<http://www.amazon.com/gp/product/3319264214/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=3319264214&linkCode=as2&tag=sm4rt-20&linkId=E7YMQRIJUA64GQKX>
with the results of several years of work trying to create a mathematical 
model for this. I was lucky to partner up with my good friend Dr. Santiago 
Moral and a leading information security authority, as well as with two 
distinguished mathematicians, Dr. Regino Criado and Dr. Miguel Romance with 
whom we worked in developing a mathematical model around these concepts. This 
is still work in progress and I believe there is room for improvement and 
enhancement. This is precisely why we chose to share it with the world by 
publishing our findings. 

Our main intention was to produce something similar to a page-rank algorithm 
for calculating relative and absolute risk for every node in a network. This 
risk could be from an employee with authorized access (we called this static 
risk) or from a hacker that would be able to move through the network more 
freely (we called this dynamic risk). This methodology allows us to consider 
the attacker's perceived risk/reward at each node and through each path. We were 
trying to model how an attacker would rationally assess each potential target. 
Even though for individual hackers there is still a lot of serendipity, it 
averages out when you consider all potential attacks, and this should allow us 
to determine risk for each node or path. 

I hope it proves useful,
Victor
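As an added illustration of the PageRank-style idea described above (example code written for this page, not the book's published model and not from the post): a constructed five-node asset graph where score flows along edges in proportion to an assumed reward/cost ratio, computed once over authorized edges only (static, insider-style risk) and once over all edges (dynamic, intruder-style risk). The node values, edge costs, the reward/cost weighting and the damping factor are all assumptions.

```python
# PageRank-style node risk propagation. Constructed example: the graph,
# values, costs and weighting are assumptions, not the book's model.

# Constructed sample network: node -> reward value as perceived by an attacker.
VALUE = {"web": 1.0, "app": 2.0, "db": 10.0, "hr": 4.0, "admin": 6.0}

# Edges: (src, dst, cost, authorized). 'cost' stands in for the attacker's
# perceived risk of traversing the edge (e.g. detection); 'authorized' marks
# paths a legitimate user may take, the rest are usable only by an intruder.
EDGES = [
    ("web", "app", 1.0, True),
    ("app", "db", 1.0, True),
    ("app", "hr", 2.0, False),
    ("hr", "admin", 3.0, False),
    ("admin", "db", 0.5, False),
    ("web", "admin", 5.0, False),
]

def transition_weights(edges, include_unauthorized):
    """Out-edge weights per node: reward of the target divided by edge cost."""
    out = {n: {} for n in VALUE}
    for src, dst, cost, authorized in edges:
        if authorized or include_unauthorized:
            out[src][dst] = VALUE[dst] / cost
    return out

def node_risk(edges, include_unauthorized, damping=0.85, iters=100):
    """Power iteration: score moves along edges in proportion to reward/cost;
    the (1 - damping) term models fresh entry at any node, and a node with
    no usable out-edge hands its score back uniformly (attacker restarts).
    Returns the relative risk per node (sums to 1)."""
    out = transition_weights(edges, include_unauthorized)
    nodes = list(VALUE)
    n = len(nodes)
    score = {v: 1.0 / n for v in nodes}
    for _ in range(iters):
        new = {v: (1 - damping) / n for v in nodes}
        for src in nodes:
            total = sum(out[src].values())
            if total == 0:
                for v in nodes:
                    new[v] += damping * score[src] / n
                continue
            for dst, w in out[src].items():
                new[dst] += damping * score[src] * w / total
        score = new
    return score

def absolute_risk(relative):
    """Absolute risk: relative score scaled by the value at stake on the node."""
    return {v: relative[v] * VALUE[v] for v in relative}

def static_risk():   # insider: only authorized edges are walkable
    return node_risk(EDGES, include_unauthorized=False)

def dynamic_risk():  # intruder: every edge in the graph is walkable
    return node_risk(EDGES, include_unauthorized=True)
```

Comparing the two runs shows which nodes gain risk only once unauthorized movement is possible, which is where the insider-versus-intruder distinction in the post becomes measurable.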
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave