Home > Research > Publications & Outputs > "Talking a different Language"

Research

Associated organisational units

Links

Text available via DOI:

Keywords

View graph of relations

"Talking a different Language": Anticipating adversary attack cost for cyber risk assessment

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Published

Standard

"Talking a different Language": Anticipating adversary attack cost for cyber risk assessment. / Derbyshire, Ric; Green, Benjamin; Hutchison, David.
In: Computers and Security, Vol. 103, 102163, 01.04.2021.

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Harvard

Derbyshire, R, Green, B & Hutchison, D 2021, '"Talking a different Language": Anticipating adversary attack cost for cyber risk assessment', Computers and Security, vol. 103, 102163. https://doi.org/10.1016/j.cose.2020.102163

APA

Derbyshire, R., Green, B., & Hutchison, D. (2021). "Talking a different Language": Anticipating adversary attack cost for cyber risk assessment. Computers and Security, 103, Article 102163. https://doi.org/10.1016/j.cose.2020.102163

Vancouver

Derbyshire R, Green B, Hutchison D. "Talking a different Language": Anticipating adversary attack cost for cyber risk assessment. Computers and Security. 2021 Apr 1;103:102163. Epub 2021 Jan 2. doi: 10.1016/j.cose.2020.102163

Author

Derbyshire, Ric ; Green, Benjamin ; Hutchison, David. / "Talking a different Language" : Anticipating adversary attack cost for cyber risk assessment. In: Computers and Security. 2021 ; Vol. 103.

Bibtex

@article{cfc58666da294a4396438c0f9c4461f9,
title = "{"}Talking a different Language{"}: Anticipating adversary attack cost for cyber risk assessment",
abstract = "Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a range of factors including the cost of their attacks. A study of current risk assessment literature and industry practice shows that consideration of this cost is a notable gap in the understanding of adversaries. The factors of cost experienced by an adversary are established in this paper as Time, Finance, and Risk, supported by a practical study undertaken with relevant security practitioners. Using these factors as a base, a framework is proposed and developed to support the probabilistic determination of cost incurred by an adversary. This framework is an important extension to existing cyber security risk assessments, and is demonstrated in the paper through the use of a case study.",
keywords = "cyber attack, adversary, cost, risk assessment, threat actor, threat assessment",
author = "Ric Derbyshire and Benjamin Green and David Hutchison",
year = "2021",
month = apr,
day = "1",
doi = "10.1016/j.cose.2020.102163",
language = "English",
volume = "103",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Ltd",

}

RIS

TY - JOUR

T1 - "Talking a different Language"

T2 - Anticipating adversary attack cost for cyber risk assessment

AU - Derbyshire, Ric

AU - Green, Benjamin

AU - Hutchison, David

PY - 2021/4/1

Y1 - 2021/4/1

N2 - Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a range of factors including the cost of their attacks. A study of current risk assessment literature and industry practice shows that consideration of this cost is a notable gap in the understanding of adversaries. The factors of cost experienced by an adversary are established in this paper as Time, Finance, and Risk, supported by a practical study undertaken with relevant security practitioners. Using these factors as a base, a framework is proposed and developed to support the probabilistic determination of cost incurred by an adversary. This framework is an important extension to existing cyber security risk assessments, and is demonstrated in the paper through the use of a case study.

AB - Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a range of factors including the cost of their attacks. A study of current risk assessment literature and industry practice shows that consideration of this cost is a notable gap in the understanding of adversaries. The factors of cost experienced by an adversary are established in this paper as Time, Finance, and Risk, supported by a practical study undertaken with relevant security practitioners. Using these factors as a base, a framework is proposed and developed to support the probabilistic determination of cost incurred by an adversary. This framework is an important extension to existing cyber security risk assessments, and is demonstrated in the paper through the use of a case study.

KW - cyber attack

KW - adversary

KW - cost

KW - risk assessment

KW - threat actor

KW - threat assessment

U2 - 10.1016/j.cose.2020.102163

DO - 10.1016/j.cose.2020.102163

M3 - Journal article

VL - 103

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

M1 - 102163

ER -