Derbyshire, Ric and Hutchison, David and Rouncefield, Mark (2022) Anticipating Adversary Cost: Bridging the Threat-Vulnerability Gap in Cyber Risk Assessment. PhD thesis, Lancaster University.
![[thumbnail of 2022derbyshirephd]](https://eprints.lancs.ac.uk/style/images/fileicons/text.png)
Abstract
Digital computers have become commonly used in the workplace, with many organisations connecting them to the Internet to address the challenges of an increasingly globalised economy. Although this connectivity allows for a greater reach, it also brings with it a growing attack surface by way of cyber attacks. Cyber security, the discipline of combatting cyber attacks, relies on cyber risk assessment as a mechanism for understanding such attacks, decomposing the complexities into the components - threat, vulnerability, and impact. These components are considered and combined in various ways to derive some notion of cyber risk posed by a threat, that may exploit a vulnerability within an asset, and cause an impact to the victim organisation. However, focus is often put onto the latter two components of cyber risk, vulnerability and impact, due to the assessor being able to gather data about them reliably. Therefore, due to the scarcity of data and resultant lack of focus, threat is often considered in isolation and is based upon speculation using weak or no data. The effect of this is that cyber risk assessment recipients do not fully gain the context of a threat in relation to their systems, leading to suboptimally informed decision making. Furthermore, many cyber risk assessment outputs are delivered in a qualitative or semi-quantitative format, incongruous with the output of other business functions, particularly at board level. Through an empirical study with expert industry practitioners, this thesis first confirms the gap identified within the literature and validates adversary cost as an appropriate area of research to address it. A study of cyber security attack taxonomies is conducted to develop an understanding a cyber attack’s composition, before selecting the MITRE ATT&CK® framework as a foundational structure on which to base the concept of adversary cost. Another empirical study, using a practical ethnographic approach with expert offensive cyber security professionals, decomposes adversary cost into its three constituent factors considered by adversaries - time, finance, and risk. The adversary cost framework is then proposed, drawing on pragmatic methods of quantification from existing literature to guide a cyber risk assessment practitioner to utilise their existing data to quantify the time and finance costs an adversary may experience for a given cyber attack narrative. A final empirical study with expert cyber risk assessment practitioners is conducted to evaluate the adversary cost framework’s validity and utility.