Towards Data-Driven Organizational Cybersecurity Risk Metrics and Optimization
摘要
Traditional risk metrics for organizations often rely on self-reported surveys from security personnel. However, a growing trend among maturing organizations is the integration of quantitative data into risk metrics and prioritization strategies. This paper explores the various data sources and outlines the challenges organizational units face regarding cybersecurity risks. We propose and evaluate different data-driven risk metric formulations, highlighting the most feasible options typically available. Additionally, we delve into the significance of top-tier or “supercritical” vulnerabilities, their evolution over time, and the impact of different types of missing data on risk assessment.