Simulation Modeling Cyber Threats, Risks, and Prevention Costs

Abstract

Money spent on cybersecurity doesn't easily translate into an increase in an organization's operational success or increase in revenues and profitability. However, an organization suffering from a cyber-attack could incur significant additional costs which can detrimentally impact an organization trivially or catastrophically. This paper introduces a simulation model for analyzing the effectiveness versus cost of cyber security options. The outcomes of this study is a simulation model using state charts capable of running a configurable attack scenario several times for a specified enterprise network and threat. Given publicly available information our findings after running a phishing attack on a departmental workstation with the internal network's domain controller as the final target revealed that the overall success rate of a phishing attack reaching any node in a “generic enterprise” architecture is 20%, with less than 0% of the attacks reaching the intended target.