TBSE provides a holistic way to conceptualise the dynamics that give rise to security risk, so that the magnitude and characteristics of the security risk generated by a threat can be calculated directly.
TBSE starts with a paradigm. This paradigm describes the evolution of a threat as it engages with a target system. The threat evolves through a series of engagement steps, with the different engagement steps combining to form a ‘threat pathway’ that has a specific structure and characteristics. The concept of a threat pathway is an abstraction in that the actual threat pathway followed by any specific threat is, of course, context-dependent. It depends on the nature of the threat and on the logical structure of the particular system being analysed (i.e. the technologies used, the security controls and vulnerabilities in place, the policy decisions made by the system manager, the behaviours of other actors such as relevant staff).
The threat evolves as it moves, step by step, along the threat pathway. The evolution of the threat at each step is determined by the engagement between the threat and the target system at that step. Each engagement is modelled and analysed stochastically. The state of the threat as it enters an engagement is described by a multi-variate number distribution. The state of the threat as it exits that engagement is, similarly, described by a multi-variate number distribution. The exit state is derived from the entering state by means of the engagement model that is built to express the logical structure of the security controls or vulnerabilities the threat encounters at that step.
By connecting a number of engagements into a series, the evolution of the threat from the beginning of that series to its end can be calculated in a step-wise manner. The backbone that connects each engagement in the series to the next is the evolving threat distribution.
In this way, the dynamical state of the threat at any point within its threat pathway can be calculated based on knowledge of the dynamical state of the threat at any upstream point in the pathway plus knowledge of the relevant parts of the target system (the system’s technologies, controls and vulnerabilities) that lie between those two points.
The evolution of the threat can be calculated for any intermediate sequence within the threat pathway and for the threat pathway as a whole. In this latter case, the pathway starts with the originating threat (the magnitude and characteristics of which are either measured or postulated) and ends with the threat in its terminal state.
The TBSE paradigm is such that the terminal state of the threat is a direct expression of the residual security risk that is generated by the originating threat.
Hence, the security risk generated by any threat can be calculated directly (in the form of a multi-variate number distribution describing the expected rate of occurrence of mitigated adverse outcomes) as a function of the originating threat, the structure of the target system, the system’s controls, and the security manager’s policy decisions.
The effect that variations in the incoming threat, in any of the controls' configurations, or in any policy decisions have on the evolution of the threat, and hence on the residual security risk, can be calculated by direct comparison.
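The step-wise propagation and the direct comparison described above can be sketched as a Monte Carlo calculation; this is an added example, not TBSE's own code. The two state variables (attempts per year, loss per outcome), every distribution and parameter, and all function names are assumptions chosen for illustration.

```python
import random
import statistics

def originating_threat(rng, n):
    # Postulated originating threat (assumed): attempts/year and loss per outcome.
    return [(rng.lognormvariate(5.0, 0.5), rng.lognormvariate(9.0, 1.0))
            for _ in range(n)]

def attenuate(alpha, beta):
    """Engagement that lets an uncertain fraction ~ Beta(alpha, beta) of the rate through."""
    def engage(rng, state):
        return [(rate * rng.betavariate(alpha, beta), loss) for rate, loss in state]
    return engage

def mitigate(low, high):
    """Engagement that scales the loss per outcome by an uncertain factor in [low, high]."""
    def engage(rng, state):
        return [(rate, loss * rng.uniform(low, high)) for rate, loss in state]
    return engage

def propagate(pathway, seed=1, n=5000):
    """Return the threat state at every point of the pathway, originating state first."""
    rng = random.Random(seed)
    states = [originating_threat(rng, n)]
    for engage in pathway:
        states.append(engage(rng, states[-1]))  # exit state feeds the next engagement
    return states

def mean_rate(state):
    return statistics.fmean(rate for rate, _ in state)

def mean_annual_loss(state):
    return statistics.fmean(rate * loss for rate, loss in state)

# Constructed pathways: filter, exploitable vulnerability, response control.
BASELINE = [attenuate(2, 8), attenuate(1, 9), mitigate(0.2, 0.6)]
HARDENED = [attenuate(1, 19), attenuate(1, 9), mitigate(0.2, 0.6)]  # stricter filter

if __name__ == "__main__":
    for name, pathway in (("baseline", BASELINE), ("hardened", HARDENED)):
        terminal = propagate(pathway)[-1]
        print(f"{name}: {mean_rate(terminal):.2f} outcomes/yr, "
              f"mean annual loss {mean_annual_loss(terminal):,.0f}")
```

Each element of the list returned by `propagate` is the sampled threat distribution at one point of the pathway, so intermediate sequences can be inspected as well as the terminal state.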