TBSE (Threat-Based Security Engineering) is a scientific method I have developed for analysing security risk stochastically. TBSE gives me a way to understand, model, calculate and measure the dynamics behind security risk. It enables me to quantify security risks, and the components that are involved in the creation of security risk, in absolute terms rather than purely relatively (£, $ and € rather than High/Medium/Low).
A scientific method such as TBSE can transform the way Cyber Security is practised. Risk managers could:
Some people, when looking at TBSE for the first time, commented that it reminded them of the Lockheed Martin Cyber Kill Chain (CKC). I had been remiss at not paying particular attention to the CKC before that, and their comments gave me cause to take a look. From my reading of Lockheed Martin’s website and the various documents provided there, the CKC looks to me to be a framework for organising one’s defences but not for quantifying one’s risk. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial, and TBSE provides the defender with a range of capabilities that the CKC does not.
TBSE is currently being reviewed by Imperial College (University of London) on behalf of the NCSC so they can understand its underlying paradigm and concepts, assess its analytical strengths and weaknesses, form a view of its capabilities, and determine its suitability for a range of security risk quantification purposes. If, while that review is underway, you would like to get a head start and take advantage of what TBSE can do for you, please get in touch.
Email me at firstname.lastname@example.org or call 07734 311567 (+44 7734 311567).