free simple web templates


TBSE (Threat-Based Security Engineering) is a scientific method I have developed for analysing stochastically the dynamics and interactions that lead to security risk. TBSE gives us a way to quantify security risks, and the components that are involved in the creation of security risk, in absolute terms rather than purely relatively (£, $ and € rather than High/Medium/Low).

A scientific method such as TBSE can transform the way Cyber Security is practised. Risk managers could:

  • Set measurable security targets based on the business' need for protection.
  • Measure security performance objectively against those targets and make appropriate adjustments to their company’s security posture.
  • Calculate the level of security risk their business is carrying, and forecast the expected burden future security incidents will cause to the business given threat projections and their current security posture.
  • Based on the full picture, judge whether they are spending enough or should be spending more to address their security protection needs.
  • Calculate the expected financial benefits of proposed security controls and make informed security risk management decisions.
  • Demonstrate to stakeholders and regulators that the company’s security programmes are appropriate for keeping risks within stated risk appetites.

Some people, when looking at TBSE for the first time, commented that it reminded them of the Lockheed Martin Cyber Kill Chain (CKC). TBSE is nothing like the CKC. The CKC is a framework for organising security defences, TBSE is a set of methods for quantifying security risk. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial, and TBSE provides the defender with a far wider range of capabilities than the CKC tries to do.

I wrote a short comment-piece on the differences between the LM CKC and TBSE.  You can take a look by clicking on the adjacent image.


TBSE has been reviewed by Imperial College London as part of their work for the NCSC so they can understand its underlying paradigm and concepts, and form a view of its suitability for a range of security risk quantification purposes. Following their review, I am in the process of developing a technical paper describing TBSE in full detail that I will publish in a peer-reviewed journal in due course. It is still in draft so I can’t make it available here yet. 

In the meantime, though, I have written a short 'slightly technical' description of TBSE as an introduction for people.  I describe the benefits of treating cyber security as a science, explain what that would look like and how TBSE enables us to do that today, and suggest three easy ways people could give it a try to see what it can do for them. It can help you get more meaningful results from compliance assessment schemes, augment continuous controls monitoring by matching it up with appropriate threat modelling, and build up step-by-step a set of metrics that show you how much security protection you are getting from your security controls not just how far they have been implemented.  All part and parcel of answering the perennial question “How much security is good enough and am I there yet?”

You can read that description online here or download it as a pdf document here.

I would be happy to discuss any aspect of TBSE with you if you are interested to know more. Please get in touch. Email me at or call 07734 311567 (+44 7734 311567).

© Copyright 2020 JLIS Ltd