Threat-Based Security Engineering
TBSE is a ground-breaking technique I developed in the summer of 2003. TBSE solves the long-standing problem of how to model security risk analytically, allowing security professionals to make objective, scientifically sound, numerical forecasts of risk. Anyone can now use this approach to calculate, in proper numerical form, how their security risk will rise or fall as the threats change and as they vary their security countermeasures.
TBSE takes an entirely new and different approach to modelling security risk. It draws on a type of modelling which has been used for many years in other fields, is well understood and well proven, but which has not been tried before on security risk problems. It is based on the type of techniques people use, for example, when modelling complex economic systems such as national economies. Using TBSE, companies can now forecast their security risk in the same way economists forecast inflation. They can predict how their risk will be affected by changes in threat levels or adjustments to their security deployments just as economists predict how inflation will change in response to commodity prices or adjustments in interest rates.
TBSE models security risk analytically, allowing risk managers to quantify the benefits provided by their security measures and, hence, to show the Return on Investment the company can get from their current or proposed security expenditures. It allows risk managers to optimise their security programmes, demonstrate the value of security to their Board, and assure management, shareholders and regulators that they are addressing the company's security needs effectively, sufficiently and cost-efficiently.