

TBSE (Threat-Based Security Engineering) is a methodology I have developed for addressing security risk quantification questions. Many, if not most, of the security risk questions management want answered require the quantification of one or other aspect of security risk or of the things that go into the creation of security risk. For example, questions such as: 

  • How big or important is this threat, not just in terms of how prevalent is it but how potent is it?
  • How good is this security control at interceding in the progress of that threat, either at blocking the threat, at containing the operational impact of the threat, or at containing its cost impact?
  • Risk is caused by what remains after a control has done whatever it does, not by how much the control blocks. So, how much of the threat is still active after this control has done its stuff?
  • And by how much could I reduce that remaining threat activity if I were to change this or that aspect of the way the control is implemented and operated?
  • How much has that particular threat cost me each quarter in increased costs and lost productivity? And is the variation in my quarterly losses the result of a variation in the threat, a variation in the effectiveness of my controls, or just a variation in my luck?
  • If I were to spend £100,000 of effort on improving this security control, how much could I expect to save in improved productivity or reduced breach losses? What is the pay-back period?
  • Would I be better off putting my effort into improving this control or improving that control?
  • Do I need this security product AND that security product? How much extra risk reduction do I get by having both products in place? To what extent is the second product almost redundant given what the first one does?
  • Given how this particular threat I am under seems to have changed in the past three months, how much has my risk changed as a result? If that trend in how the threat has changed continues, what will my risk look like in one, two, or three quarters' time?
  • How good are my security controls at reducing what my risk could be? Am I under-protected or over-protected? Should I award myself an A* or an F?
  • Given the nature of my business and the way my productivity relies on my use of technology, how good do I need my security controls to be?
  • Which controls are critical to my success and which are secondary? Which of my controls are stretched to their limits and which have spare capability I am not making full use of?

I don’t like the term ‘Science of Cyber Security’.  I don’t think there is a ‘Science of Cyber Security’ any more than there is a ‘Science of Baking Bread’.  But just as one can be a Master Baker and understand nothing about the chemistry that underpins baking, only which recipes appear to work well, one can be a Master Security Practitioner and understand nothing about the ‘chemistry’ that underpins security, only which recipes (a.k.a. Best Practices) appear to work well.  But if one can understand the chemistry, one can go far beyond current recipes and ‘trial-and-error’ ways of learning and improving.

And that is what TBSE does.  TBSE takes the form of a paradigm (a way of looking at how attacks engage with targets) and the analytical methods needed to go with that paradigm.  It enables me to analyse the dynamics behind risk, to model those dynamics, and to calculate absolute numerical values for risk-relevant variables.  It gives me a way to quantify security risk and the components that go into the creation of security risk, objectively and in absolute terms rather than purely subjectively in relative terms (risk expressed in £, $ and € rather than as 'finger in the air' High/Medium/Low estimates).

An analytical method such as TBSE can transform the way Cyber Security is practised. Risk managers could:

  • Set measurable security targets based on the business’s need for protection.
  • Measure security performance objectively against those targets and make appropriate adjustments to their company’s security posture.
  • Calculate the level of security risk their business is carrying, and forecast the expected burden future security incidents will cause to the business given threat projections and their current security posture.
  • Based on the full picture, judge whether they are spending enough or should be spending more to address their security protection needs.
  • Calculate the expected financial benefits of proposed security controls and make informed security risk management decisions.
  • Demonstrate to stakeholders and regulators that the company’s security programmes are appropriate for keeping risks within stated risk appetites.

Some people, when looking at TBSE for the first time, commented that it reminded them of the Lockheed Martin Cyber Kill Chain (CKC). I hadn't paid particular attention to the CKC before getting those comments, so I took a look. From my reading of Lockheed Martin’s website and the various documents provided there, the CKC looks to me to be a framework for organising one’s defences but not for quantifying one’s risk. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial. TBSE provides the defender with a range of capabilities that the CKC does not.

I wrote a short comment-piece on the differences between the CKC and TBSE.  You can take a look by clicking on the adjacent image.


TBSE is currently being reviewed by Imperial College (University of London) so they can understand its underlying paradigm and concepts, assess its analytical strengths and weaknesses, form a view of its capabilities, and determine its suitability for a range of security risk quantification purposes. To support that review, I have written a 40pp TBSE Technical Description that explains how TBSE works 'under the covers'.  That document is available on request, under cover of a signed NDA. I have also created an introductory extract from the Technical Description that serves to explain to interested readers what TBSE is about.  That Introductory Extract is available freely here.

If, while the current review is underway, you would like to get a head start and take advantage of what TBSE can do for you, please get in touch.

Email me at or call 07734 311567 (+44 7734 311567).

© Copyright 2017 - 2018 JLIS Ltd - All Rights Reserved