Visible to the public The β-Time-to-Compromise Metric for Practical Cyber Security Risk Estimation

TitleThe β-Time-to-Compromise Metric for Practical Cyber Security Risk Estimation
Publication TypeConference Paper
Year of Publication2018
AuthorsZieger, A., Freiling, F., Kossakowski, K.
Conference Name2018 11th International Conference on IT Security Incident Management IT Forensics (IMF)
ISBN Number978-1-5386-6632-6
Keywordscomplex system modeling, complex systems, Complexity theory, Computer science, continuous attacker skill, CVSS vectors, cyber threat intelligence, cyber-security, cybersecurity metrics, Estimation, individual systems, IT-security, Large-scale systems, mathematical shortcomings, Measurement, methodological shortcomings, Metrics, national CERT, original TTC, practical cyber security risk estimation, pubcrawl, risk management, Risk-Estimation, Risk-Metric, security metrics, security of data, Security-Metric, Threat Landscape, time-to-compromise metric, vulnerability database, β-distribution

To manage cybersecurity risks in practice, a simple yet effective method to assess suchs risks for individual systems is needed. With time-to-compromise (TTC), McQueen et al. (2005) introduced such a metric that measures the expected time that a system remains uncompromised given a specific threat landscape. Unlike other approaches that require complex system modeling to proceed, TTC combines simplicity with expressiveness and therefore has evolved into one of the most successful cybersecurity metrics in practice. We revisit TTC and identify several mathematical and methodological shortcomings which we address by embedding all aspects of the metric into the continuous domain and the possibility to incorporate information about vulnerability characteristics and other cyber threat intelligence into the model. We propose v-TTC, a formal extension of TTC which includes information from CVSS vectors as well as a continuous attacker skill based on a v-distribution. We show that our new metric (1) remains simple enough for practical use and (2) gives more realistic predictions than the original TTC by using data from a modern and productively used vulnerability database of a national CERT.

Citation Keyzieger_-time–compromise_2018