Mathematical Model for assessing Intentional Attacks

[Victor Chapela <victor () sm4rt com>]

There has been a lot of discussion in this list regarding the need to assess and include the attacker’s ROI as a way to 
properly measure cyber attack risk. I had always strongly believed that this could be modeled mathematically by 
combining game theory and complex network theory, and that this would allow for a far more comprehensive approach than 
the industry’s subjective probability x impact assessments. 

We have written a book "Intentional Risk Management through Complex Networks Analysis (SpringerBriefs in Optimization) 
<http://www.amazon.com/gp/product/3319264214/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=3319264214&linkCode=as2&tag=sm4rt-20&linkId=E7YMQRIJUA64GQKX>”
 with the results of several years of work trying to create a mathematical model for this. I was lucky to partner up 
with my good friend Dr. Santiago Moral and a leading information security authority, as well as with two distinguished 
mathematicians, Dr. Regino Criado and Dr. Miguel Romance with whom we worked in developing a mathematical model around 
these concepts. This is still work in progress and I believe there is room for improvement and enhancement. This is 
precisely why we chose to share it with the world by publishing our findings. 

Our main intention was to produce something similar to a page-rank algorithm for calculating relative and absolute risk 
for every node in a network. This risk could be from an employee with authorized access (we called this static risk) or 
from a hacker that would be able to move through the network more freely (we called this dynamic risk). This 
methodology allows us to consider the attackers perceived risk/reward at each node and through each path. We were 
trying to model how an attacker would rationally assess each potential target. Even though for individual hackers there 
is still a lot of serendipity it averages out when you consider all potential attacks and this should allow us to 
determine risk for each node or path. 

I hope it proves useful,
Victor
-- 

El contenido de este correo electrónico, así como los archivos adjuntos al 
mismo, son de carácter confidencial mismos que son dirigidos para uso 
exclusivo del destinatario. La distribución y difusión tanto impresa, 
verbal o electrónica del presente mensaje de datos y sus archivos adjuntos 
está prohibida, salvo que exista previa autorización del remitente. Si 
usted no es el destinatario o recibe este correo por error, se le prohíbe 
su utilización total o parcial para cualquier fin, se le agradece que lo 
notifique al remitente y después, lo elimine de su sistema. De acuerdo a la 
Ley Federal de Protección de Datos Personales en Posesión de Particulares 
(México), se le informa que los datos que nos ha facilitado y nos facilite 
en un futuro, pueden ser incorporados en nuestros archivos y/o bases de 
datos y utilizados para el cumplimiento de los productos y/o servicios 
ofrecidos. Fuera de los casos legalmente previstos y/o en defensa de sus 
intereses, dichos datos no serán cedidos a terceros sin su autorización.
Consulte nuestro aviso de privacidad en http://www.sm4rt.com/#PrivacyPolicy

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave