TBSE (Threat-Based Security Engineering) is a methodology I have developed for addressing security risk quantification questions. Many, if not most, of the security risk questions management want answered require quantifying some aspect of security risk, or of the factors that give rise to it. For example, questions such as:
I don’t like the term ‘Science of Cyber Security’. I don’t think there is a ‘Science of Cyber Security’ any more than there is a ‘Science of Baking Bread’. But just as one can be a Master Baker and not understand anything about the chemistry that underpins baking, just which recipes appear to work well, one can be a Master Security Practitioner and not understand anything about the ‘chemistry’ that underpins security, just which recipes (a.k.a. Best Practices) appear to work well. But if one can understand the chemistry, one can go far beyond current recipes and ‘trial-and-error’ ways of learning and improving.
And that is what TBSE does. TBSE takes the form of a paradigm (a way of looking at how attacks engage with targets) and the analytical methods needed to go with that paradigm. It enables me to analyse the dynamics behind risk, to model those dynamics, and to calculate absolute numerical values for risk-relevant variables. It gives me a way to quantify security risk and the components that go into the creation of security risk, objectively and in absolute terms rather than purely subjectively in relative terms (risk expressed in £, $ and € rather than as ‘finger in the air’ High/Medium/Low estimates).
An analytical method such as TBSE can transform the way Cyber Security is practised. Risk managers could:
Some people, when looking at TBSE for the first time, commented that it reminded them of the Lockheed Martin Cyber Kill Chain (CKC). I hadn't paid particular attention to the CKC before getting those comments, so I took a look. From my reading of Lockheed Martin’s website and the various documents provided there, the CKC looks to me to be a framework for organising one’s defences but not for quantifying one’s risk. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial. TBSE provides the defender with a range of capabilities that the CKC does not.
TBSE is currently being reviewed by Imperial College (University of London) so they can understand its underlying paradigm and concepts, assess its analytical strengths and weaknesses, form a view of its capabilities, and determine its suitability for a range of security risk quantification purposes. To support that review, I have written a 40pp TBSE Technical Description that explains how TBSE works 'under the covers'. That document is available on request, under cover of a signed NDA. I have also created an introductory extract from the Technical Description that serves to explain to interested readers what TBSE is about. That Introductory Extract is available freely here.
If, while the current review is underway, you would like to get a head start and take advantage of what TBSE can do for you, please get in touch.
Email me at email@example.com or call 07734 311567 (+44 7734 311567).