TBSE

TBSE (Threat-Based Security Engineering) is a scientific method I have developed for analysing stochastically the dynamics and interactions that lead to security risk. TBSE enables me to quantify security risks, and the components that are involved in the creation of security risk, in absolute terms rather than purely relatively (£, $ and € rather than High/Medium/Low).

A scientific method such as TBSE can transform the way Cyber Security is practised. Risk managers could:

Set measurable security targets based on the business' need for protection.
Measure security performance objectively against those targets and make appropriate adjustments to their company’s security posture.
Calculate the level of security risk their business is carrying, and forecast the expected burden future security incidents will cause to the business given threat projections and their current security posture.
Based on the full picture, judge whether they are spending enough or should be spending more to address their security protection needs.
Calculate the expected financial benefits of proposed security controls and make informed security risk management decisions.
Demonstrate to stakeholders and regulators that the company’s security programmes are appropriate for keeping risks within stated risk appetites.

Some people, when looking at TBSE for the first time, commented that it reminded them of the Lockheed Martin Cyber Kill Chain (CKC). TBSE is nothing like the CKC. The CKC is a framework for organising security defences, TBSE is a set of methods for quantifying security risk. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial, and TBSE provides the defender with a far wider range of capabilities than the CKC tries to do.

I wrote a short comment-piece on the differences between the LM CKC and TBSE. You can take a look by clicking on the adjacent image.

TBSE has been reviewed by Imperial College London as part of their work for the NCSC so they can understand its underlying paradigm and concepts, assess its analytical strengths and weaknesses, form a view of its capabilities, and determine its suitability for a range of security risk quantification purposes. If you would like to know more about that review and to take advantage of what TBSE can do for you, please get in touch. Email me at john.leach@jlis.co.uk or call 07734 311567 (+44 7734 311567).