TBSE (Threat-Based Security Engineering) is a methodology I have developed that enables people to work with security risk in a fully analytical manner. It gives us a way to understand, model, calculate and measure the underlying dynamics between threats, vulnerabilities and controls that generate security risk. It enables us to quantify security risk, and the various factors that go into creating it, objectively (calculated from measurable inputs) rather than subjectively (pulling a 'feels like' number out of the air), and in absolute terms (percentages, rates and £, $ and €) rather than in relative terms (High/Medium/Low, or on a scale of 1 to 10).

An analytical method like TBSE can transform the way Cyber Security is practised. Risk managers could:

  • Set measurable security targets based on the business' need for protection.
  • Measure security performance objectively against those targets and make appropriate adjustments to their company’s security posture.
  • Calculate the level of security risk their business is carrying, and forecast the expected burden future security incidents will cause to the business given threat projections and their current security posture.
  • Based on the full picture, judge whether they are spending enough or should be spending more to address their security protection needs.
  • Calculate the expected financial benefits of proposed security controls and make informed security risk management decisions.
  • Demonstrate to stakeholders and regulators that the company’s security programmes are appropriate for keeping risks within stated risk appetites.

Some people, when looking at TBSE for the first time, have commented that it reminds them of the Lockheed Martin Cyber Kill Chain (CKC). I was remiss in not having paid particular attention to the CKC before then, and those comments prompted me to take a look. From my reading of Lockheed Martin's website and the various documents provided there, the CKC looks to me to be a framework for organising one's defences, not for quantifying one's risk. It describes where in the chain controls act, but not how they act. Any similarity between TBSE's Threat Pathway and the CKC's 7-step attack chain is only superficial. TBSE provides the defender with a whole range of capabilities that the CKC doesn't even try to provide.

I wrote a short comment-piece on the differences between the CKC and TBSE.  You can take a look by clicking on the adjacent image.


Starting in late 2016, I asked the Institute for Security Science and Technology at Imperial College London to take a look at TBSE.  I wrote a 40-page TBSE Technical Description that described TBSE's underlying paradigm and concepts, and explained in full how TBSE works 'under the covers'.  I asked Imperial to consider whether TBSE had any analytical weaknesses, form a view of its capabilities, and determine if it might be suitable as a way to quantify security risk.

Imperial has completed its review and has suggested I move on to the next step which is publication in a peer-reviewed journal.  As a result, I have used that Technical Description document as the basis for a paper I have submitted for publication in the Journal of Cybersecurity.

Pending that paper's publication (hopefully sometime in 2019), I have extracted the introduction from the original Technical Description document to explain to interested readers, broadly and generally, what TBSE is about. That four-page introduction is available freely (and with no requirement for you to register and give me your contact details) here.

As part of preparing a paper for publication, I have also written a more academically precise description of what TBSE is about.  That is available on the next page here.

If you don't want to have to wait until my TBSE paper gets published and would like to get a head start taking advantage of what TBSE can do for you, please get in touch using the contact details at the top of this page.

© Copyright 2018 JLIS Ltd - All Rights Reserved