Towards Robust Security Risk Metrics for Networked Systems: Work in Progress

2021 
Security risk quantification is a necessary step in protecting critical resources in today's networked systems. Conventional security risk measures are based on point estimates of the likelihoods of potential multi-step attacks that chain multiple vulnerabilities. These measures have several drawbacks: they disregard the tail risk, they rely on inherently inaccurate estimates of low probabilities, and they depend on a specific attacker model. The recently proposed measure of cybersecurity risk, Cyber security Value at Risk (CyVaR), which is based on the VaR measure of financial risk, does account for the tail risk. However, CyVaR still depends on a specific attack model and has problems of its own; e.g., it is not a coherent risk measure, which is currently considered a necessary property of a risk measure. Following the recent trend of replacing VaR with the robust and coherent Entropic VaR (EVaR) as a financial risk measure, we propose replacing CyVaR with CyEVaR. Using an example of a networked system and a highly motivated and capable attacker, we demonstrate that conventional risk measures may significantly underestimate the actual cybersecurity risk. Finally, we outline directions for future research.
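To make the abstract's comparison concrete, the following added example (not code from the paper) computes four risk figures for one constructed loss distribution: the expected loss that a point-estimate approach reports, VaR, the coherent Conditional VaR (expected shortfall), and EVaR. The loss outcomes, their probabilities and the 95% confidence level are assumptions made up for illustration; the EVaR formula used is Ahmadi-Javid's definition, EVaR_alpha(X) = inf over z > 0 of (1/z) ln(M_X(z) / (1 - alpha)), with M_X the moment generating function. The fat-tailed distribution shows the ordering expected loss < VaR < CVaR < EVaR, i.e. how much a tail-insensitive measure can understate the exposure.

```python
import math
from typing import Sequence, Tuple

# Constructed example: annual loss outcomes (arbitrary monetary units) and
# their probabilities for a networked system facing a capable attacker.
# These values are invented for illustration, not taken from the paper.
LOSS_DISTRIBUTION: Tuple[Tuple[float, float], ...] = (
    (0.0, 0.90),      # no successful attack
    (10.0, 0.07),     # single host compromised and contained quickly
    (100.0, 0.025),   # multi-step attack reaching an internal service
    (1000.0, 0.005),  # full compromise of the critical resource (tail event)
)


def expected_loss(dist: Sequence[Tuple[float, float]]) -> float:
    """Point-estimate risk: the probability-weighted mean loss."""
    return sum(x * p for x, p in dist)


def value_at_risk(dist: Sequence[Tuple[float, float]], alpha: float) -> float:
    """VaR_alpha: the smallest loss x with P(X <= x) >= alpha (a quantile)."""
    cumulative = 0.0
    for x, p in sorted(dist):
        cumulative += p
        if cumulative >= alpha - 1e-12:
            return x
    return sorted(dist)[-1][0]


def conditional_var(dist: Sequence[Tuple[float, float]], alpha: float) -> float:
    """CVaR_alpha (expected shortfall): mean loss in the worst (1 - alpha) share
    of outcomes, splitting the probability atom at the VaR level as needed."""
    var = value_at_risk(dist, alpha)
    tail = sum(x * p for x, p in dist if x > var)
    mass_at_or_below = sum(p for x, p in dist if x <= var)
    return (tail + (mass_at_or_below - alpha) * var) / (1.0 - alpha)


def _log_mgf(dist: Sequence[Tuple[float, float]], z: float) -> float:
    """ln E[exp(z X)] computed with a log-sum-exp shift to avoid overflow."""
    terms = [math.log(p) + z * x for x, p in dist if p > 0.0]
    shift = max(terms)
    return shift + math.log(sum(math.exp(t - shift) for t in terms))


def entropic_var(dist: Sequence[Tuple[float, float]], alpha: float,
                 iters: int = 300) -> float:
    """EVaR_alpha(X) = inf_{z>0} (1/z) * ln( M_X(z) / (1 - alpha) ).

    With t = 1/z the objective t * (ln M_X(1/t) - ln(1 - alpha)) is the
    perspective of the convex cumulant generating function, hence convex in t
    and unimodal in u = ln t, so a ternary search over u reaches the infimum.
    """
    log_tail = math.log(1.0 - alpha)

    def objective(u: float) -> float:
        t = math.exp(u)
        return t * (_log_mgf(dist, 1.0 / t) - log_tail)

    lo, hi = math.log(1e-3), math.log(1e9)  # wide bracket for t = 1/z
    for _ in range(iters):
        m1 = lo + (hi - lo) / 3.0
        m2 = hi - (hi - lo) / 3.0
        if objective(m1) < objective(m2):
            hi = m2
        else:
            lo = m1
    return objective((lo + hi) / 2.0)


def risk_summary(dist: Sequence[Tuple[float, float]], alpha: float = 0.95) -> dict:
    """All four measures side by side at the given confidence level."""
    return {
        "expected_loss": expected_loss(dist),
        "VaR": value_at_risk(dist, alpha),
        "CVaR": conditional_var(dist, alpha),
        "EVaR": entropic_var(dist, alpha),
    }


if __name__ == "__main__":
    for name, value in risk_summary(LOSS_DISTRIBUTION).items():
        print(f"{name:>14}: {value:10.2f}")
```

On the constructed distribution the expected loss is about 8.2 while the 95% VaR is 10, CVaR is 154 and EVaR is roughly 684, against a worst case of 1000: the tail event that a point estimate almost ignores dominates the coherent measures. EVaR is always at least CVaR, which is itself at least VaR, so reporting EVaR is the conservative choice when the low-probability estimates feeding the model are themselves uncertain.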