Probability Analysis of Cyber Attack Paths against Business and Commercial Enterprise Systems

Abstract

The level of risk of attack from new cyber-crime related malware is difficult to quantify as standard risk analysis models often take an incomplete view of the overall system. In order to understand the full malware risk faced by organisations any model developed to support the analysis must be able to address a statistical combination of all feasible attack scenarios. Moreover, since all parametric aspects of a sophisticated cyber attack cannot be quantified, a degree of expert judgement needs to be applied. We develop a modeling approach that will facilitate risk assessment of common cyber attack scenarios together with likely probabilities of successful attack for each scenario. The paper demonstrates through use cases how a combined attack can be assessed.