Traditional risk metrics for organizations often rely on self-reported surveys from security personnel. However, a growing trend among maturing organizations is the integration of quantitative data into risk metrics and prioritization strategies. This paper explores the various data sources and outlines the challenges organizational units face regarding cybersecurity risks. We propose and evaluate different data-driven risk metric formulations, highlighting the most feasible options typically available. Additionally, we delve into the significance of top-tier or “supercritical” vulnerabilities, their evolution over time, and the impact of different types of missing data on risk assessment.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Towards Data-Driven Organizational Cybersecurity Risk Metrics and Optimization

  • Theodore T. Allen,
  • John McCarty,
  • Mohammad Abdallah,
  • Vimal S. Buck

摘要

Traditional risk metrics for organizations often rely on self-reported surveys from security personnel. However, a growing trend among maturing organizations is the integration of quantitative data into risk metrics and prioritization strategies. This paper explores the various data sources and outlines the challenges organizational units face regarding cybersecurity risks. We propose and evaluate different data-driven risk metric formulations, highlighting the most feasible options typically available. Additionally, we delve into the significance of top-tier or “supercritical” vulnerabilities, their evolution over time, and the impact of different types of missing data on risk assessment.