bootstrap builder


TBSE (Threat-Based Security Engineering) is a scientific method I have developed for analysing security risk stochastically. TBSE gives me a way to understand, model, calculate and measure the dynamics behind security risk. It enables me to quantify security risks, and the components that are involved in the creation of security risk, in absolute terms rather than purely relatively (£, $ and € rather than High/Medium/Low).

A scientific method such as TBSE can transform the way Cyber Security is practised. Risk managers could:

  • Set measurable security targets based on the business' need for protection.
  • Measure security performance objectively against those targets and make appropriate adjustments to their company’s security posture.
  • Calculate the level of security risk their business is carrying, and forecast the expected burden future security incidents will cause to the business given threat projections and their current security posture.
  • Based on the full picture, judge whether they are spending enough or should be spending more to address their security protection needs.
  • Calculate the expected financial benefits of proposed security controls and make informed security risk management decisions.
  • Demonstrate to stakeholders and regulators that the company’s security programmes are appropriate for keeping risks within stated risk appetites.

Some people, when looking at TBSE for the first time, commented that it reminded them of the Lockheed Martin Cyber Kill Chain (CKC). I had been remiss at not paying particular attention to the CKC before that, and their comments gave me cause to take a look. From my reading of Lockheed Martin’s website and the various documents provided there, the CKC looks to me to be a framework for organising one’s defences but not for quantifying one’s risk. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial, and TBSE provides the defender with a range of capabilities that the CKC does not.

I wrote a short comment-piece on the differences between the LM CKC and TBSE.  You can take a look by clicking on the adjacent image.


TBSE is currently being reviewed by Imperial College (University of London) on behalf of the NCSC so they can understand its underlying paradigm and concepts, assess its analytical strengths and weaknesses, form a view of its capabilities, and determine its suitability for a range of security risk quantification purposes. If, while that review is underway, you would like to get a head start and take advantage of what TBSE can do for you, please get in touch.

Email me at or call 07734 311567 (+44 7734 311567).

© Copyright 2017 JLIS Ltd - All Rights Reserved