Abstract

Consider the question whether a cyber security investment is cost-effective. The result will depend on the expected frequency of attacks. Contrary to what is referred to as threat event frequencies or hazard rates in safety risk management, frequencies of targeted attacks are not independent from system design, due to the strategic behaviour of attackers. Although there are risk assessment methods that deal with strategic attackers, these do not provide expected frequencies as outputs, making it impossible to integrate those in existing (safety) risk management practices. To overcome this problem, we propose to extend the FAIR (Factor Analysis of Information Risk) framework to support malicious, targeted attacks. Our approach is based on (1) a clear separation of system vulnerability and environmental threat event frequencies, and (2) deriving threat event frequencies from attacker resources and attacker strategies rather than estimating them directly, drawing upon work in adversarial risk analysis. This approach constitutes an innovative way to quantify expected attack frequencies as a component of (information) security metrics for investment decisions.