TBSE (Threat-Based Security Engineering) is a methodology I have developed that enables people to work with security risk in a fully analytically manner. It gives us a way to understand, model, calculate and measure the underlying dynamics that go on between threats, vulnerabilities and controls. It enables us to quantify security risks, and the various things that go into creating security risk, objectively (calculated on the basis of measurable inputs) and in absolute terms (percentages, rates and £, $ and €) rather than relatively (High/Medium/Low, or on a scale of 1 to 10) and subjectively (pulling a 'feels like' number out of the air).
An analytical method like TBSE can transform the way Cyber Security is practised. Risk managers could:
Some people, when looking at TBSE for the first time, have commented that it reminds them of the Lockheed Martin Cyber Kill Chain (CKC). I was remiss at not paying particular attention to the CKC before that, and those comments induced me to take a look. From my reading of Lockheed Martin’s website and the various documents provided there, the CKC looks to me to be a framework for organising one’s defences but not for quantifying one’s risk. It describes where controls work in the chain but not how they work. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial. TBSE provides the defender with a whole range of capabilities that the CKC doesn't even try to provide.
Starting in late 2016, I asked the Institute for Security Science and Technology at Imperial College London to review TBSE. I wrote a 40-page TBSE Technical Description that described TBSE's underlying paradigm and concepts, and explained in full how TBSE works 'under the covers'. I asked Imperial to assess TBSE's analytical strengths and weaknesses, form a view of its capabilities, and determine its suitability for a range of security risk quantification purposes. Imperial has completed its review and I have gone on to use that Technical Description document as the basis for a paper I have submitted for publication in the Journal of Cybersecurity. In lieu of that paper getting published (hopefully later this year, 2018), I have extracted the introduction from the original Technical Description document to explain to interested readers broadly what TBSE is about. That introduction is available freely (and with no requirement for you to register and give me your contact details) here.
If you don't want to have to wait until my TBSE paper gets published and would like to get a head start taking advantage of what TBSE can do for you, please get in touch using the contact details at the top of this page.