TBSE (Threat-Based Security Engineering) is a methodology I have developed that enables people to work with security risk in a fully analytical manner. It gives us a way to understand, model, calculate and measure the underlying dynamics that go on between threats, vulnerabilities and controls when security risk is generated. It enables us to quantify security risks, and the various things that go into creating security risk, objectively (calculated on the basis of measurable inputs) rather than subjectively (pulling a 'feels like' number out of the air) and in absolute terms (percentages, rates and £, $ and €) rather than in relative terms (High/Medium/Low, or on a scale of 1 to 10).
An analytical method like TBSE can transform the way Cyber Security is practised. Risk managers could:
Some people, when looking at TBSE for the first time, have commented that it reminds them of the Lockheed Martin Cyber Kill Chain (CKC). I was remiss in not paying particular attention to the CKC before that, and those comments induced me to take a look. From my reading of Lockheed Martin’s website and the various documents provided there, the CKC looks to me to be a framework for organising one’s defences but not for quantifying one’s risk. It describes where controls work in the chain but not how they work. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial. TBSE provides the defender with a whole range of capabilities that the CKC doesn't even try to provide.
Starting in late 2016, I asked the Institute for Security Science and Technology at Imperial College London to take a look at TBSE. I wrote a 40-page TBSE Technical Description that described TBSE's underlying paradigm and concepts, and explained in full how TBSE works 'under the covers'. I asked Imperial to consider whether TBSE had any analytical weaknesses, form a view of its capabilities, and determine if it might be suitable as a way to quantify security risk.
Imperial has completed its review and has suggested I move on to the next step which is publication in a peer-reviewed journal. As a result, I have used that Technical Description document as the basis for a paper I have submitted for publication in the Journal of Cybersecurity.
Until that paper is published (hopefully sometime in 2019), I have extracted the introduction from the original Technical Description document to explain to interested readers broadly and generally what TBSE is about. That four-page introduction is available freely (and with no requirement for you to register and give me your contact details) here.
As part of preparing a paper for publication, I have also written a more academically precise description of what TBSE is about. That is available on the next page here.
If you don't want to have to wait until my TBSE paper gets published and would like to get a head start taking advantage of what TBSE can do for you, please get in touch using the contact details at the top of this page.