

TBSE (Threat-Based Security Engineering) is a methodology I have developed that enables people to work with security risk in a fully analytical manner. It gives us a way to understand, model, calculate and measure the underlying dynamics between threats, vulnerabilities and controls. It enables us to quantify security risks, and the various things that go into creating security risk, objectively (calculated on the basis of measurable inputs) and in absolute terms (percentages, rates and £, $ and €) rather than relatively (High/Medium/Low, or on a scale of 1 to 10) and subjectively (pulling a 'feels like' number out of the air).

An analytical method like TBSE can transform the way Cyber Security is practised. Risk managers could:

  • Set measurable security targets based on the business' need for protection.
  • Measure security performance objectively against those targets and make appropriate adjustments to their company’s security posture.
  • Calculate the level of security risk their business is carrying, and forecast the expected burden future security incidents will cause to the business given threat projections and their current security posture.
  • Based on the full picture, judge whether they are spending enough or should be spending more to address their security protection needs.
  • Calculate the expected financial benefits of proposed security controls and make informed security risk management decisions.
  • Demonstrate to stakeholders and regulators that the company’s security programmes are appropriate for keeping risks within stated risk appetites.
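The bullets above describe outputs in absolute terms (a rate of incidents, a percentage chance, a £ figure) rather than a High/Medium/Low rating. The following is an added illustration of that style of calculation, not TBSE itself (the page does not describe TBSE's internal model) and not code from JLIS Ltd. It assumes a deliberately simple model: a threat produces a number of attempts per year, each control independently blocks a fraction of attempts, and each success costs a fixed amount. All figures, control names and the risk appetite are constructed for the example.

```python
"""Added illustration of absolute-terms security risk quantification.

Not TBSE's own model; a simple independent-controls model with constructed
numbers, showing the kind of outputs (rates, percentages, pounds) that an
analytical approach produces in place of High/Medium/Low ratings.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float         # £ per year to run the control (assumed)
    block_probability: float   # fraction of attempts it stops, 0.0 to 1.0 (assumed)


@dataclass(frozen=True)
class Threat:
    name: str
    attempts_per_year: float   # expected attack attempts per year (assumed)
    loss_per_success: float    # £ lost per successful attack (assumed)


def success_probability(controls: list[Control]) -> float:
    """Probability a single attempt gets past every control.

    Assumes controls fail independently, so the survival probabilities multiply.
    """
    p = 1.0
    for c in controls:
        p *= 1.0 - c.block_probability
    return p


def incident_rate(threat: Threat, controls: list[Control]) -> float:
    """Expected successful incidents per year (a rate, not a rating)."""
    return threat.attempts_per_year * success_probability(controls)


def probability_of_incident(threat: Threat, controls: list[Control]) -> float:
    """Chance of at least one successful incident in a year.

    Treats successes as a Poisson process with the rate above, so
    P(at least one) = 1 - exp(-rate). Returned as a fraction (0.91 = 91%).
    """
    return 1.0 - math.exp(-incident_rate(threat, controls))


def expected_annual_loss(threat: Threat, controls: list[Control]) -> float:
    """£ per year the business should expect to lose to this threat."""
    return incident_rate(threat, controls) * threat.loss_per_success


def control_net_benefit(threat: Threat, baseline: list[Control],
                        candidate: Control) -> float:
    """£ per year saved by adding `candidate` to `baseline`, net of its cost.

    A negative result means the control costs more than the loss it prevents.
    """
    before = expected_annual_loss(threat, baseline)
    after = expected_annual_loss(threat, baseline + [candidate])
    return before - after - candidate.annual_cost


def within_appetite(threat: Threat, controls: list[Control],
                    appetite: float) -> bool:
    """True if expected annual loss is at or below a stated £ risk appetite."""
    return expected_annual_loss(threat, controls) <= appetite


# Constructed sample inputs (not real measurements).
THREAT = Threat("credential phishing", attempts_per_year=12, loss_per_success=50_000)
EMAIL_FILTER = Control("email filtering", annual_cost=15_000, block_probability=0.8)
MFA = Control("multi-factor authentication", annual_cost=20_000, block_probability=0.9)
BASELINE = [EMAIL_FILTER]
RISK_APPETITE = 25_000  # £ per year, assumed


if __name__ == "__main__":
    for label, controls in (("baseline", BASELINE), ("baseline + MFA", BASELINE + [MFA])):
        print(f"{label}:")
        print(f"  incidents/year      {incident_rate(THREAT, controls):.2f}")
        print(f"  P(>=1 incident)     {probability_of_incident(THREAT, controls):.1%}")
        print(f"  expected loss       £{expected_annual_loss(THREAT, controls):,.0f}")
        print(f"  within appetite     {within_appetite(THREAT, controls, RISK_APPETITE)}")
    print(f"net benefit of MFA:   £{control_net_benefit(THREAT, BASELINE, MFA):,.0f}/year")
```

With these constructed numbers the baseline posture yields 2.4 expected incidents a year (a 91% chance of at least one) and £120,000 of expected loss, above the £25,000 appetite; adding the MFA control brings that to 0.24 incidents a year, a 21% chance, £12,000 of expected loss and a net benefit of £88,000 a year. The independence assumption is the weak point of this toy model: controls that fail together (for example, two checks that both depend on the same identity provider) will stop fewer attempts than the product of their individual block probabilities suggests.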

Some people, when looking at TBSE for the first time, have commented that it reminds them of the Lockheed Martin Cyber Kill Chain (CKC). I was remiss in not paying particular attention to the CKC before that, and those comments induced me to take a look. From my reading of Lockheed Martin’s website and the various documents provided there, the CKC looks to me to be a framework for organising one’s defences but not for quantifying one’s risk. It describes where controls work in the chain but not how they work. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial. TBSE provides the defender with a whole range of capabilities that the CKC doesn't even try to provide.

I wrote a short comment-piece on the differences between the CKC and TBSE.  You can take a look by clicking on the adjacent image.


Starting in late 2016, I asked the Institute for Security Science and Technology at Imperial College London to review TBSE. I wrote a 40-page TBSE Technical Description that described TBSE's underlying paradigm and concepts, and explained in full how TBSE works 'under the covers'. I asked Imperial to assess TBSE's analytical strengths and weaknesses, form a view of its capabilities, and determine its suitability for a range of security risk quantification purposes. Imperial has completed its review and I have gone on to use that Technical Description document as the basis for a paper I have submitted for publication in the Journal of Cybersecurity. Until that paper gets published (hopefully later this year, 2018), I have extracted the introduction from the original Technical Description document to explain to interested readers broadly what TBSE is about. That introduction is available freely (and with no requirement for you to register and give me your contact details) here.

If you don't want to have to wait until my TBSE paper gets published and would like to get a head start taking advantage of what TBSE can do for you, please get in touch using the contact details at the top of this page.

© Copyright 2018 JLIS Ltd - All Rights Reserved