TBSE (Threat-Based Security Engineering) is a scientific method I have developed for analysing stochastically the dynamics and interactions that lead to security risk. TBSE gives us a way to quantify security risks, and the components that are involved in the creation of security risk, in absolute terms rather than purely relatively (£, $ and € rather than High/Medium/Low).
A scientific method such as TBSE can transform the way Cyber Security is practised. Risk managers could:
Some people, when looking at TBSE for the first time, commented that it reminded them of the Lockheed Martin Cyber Kill Chain (CKC). TBSE is nothing like the CKC. The CKC is a framework for organising security defences, TBSE is a set of methods for quantifying security risk. Any similarity between TBSE’s Threat Pathway and the CKC 7-step attack chain is only superficial, and TBSE provides the defender with a far wider range of capabilities than the CKC tries to do.
TBSE has been reviewed by Imperial College London as part of their work for the NCSC so they can understand its underlying paradigm and concepts, and form a view of its suitability for a range of security risk quantification purposes. Following their review, I am in the process of developing a technical paper describing TBSE in full detail that I will publish in a peer-reviewed journal in due course. It is still in draft so I can’t make it available here yet.
In the meantime, though, I have written a short 'slightly technical' description of TBSE as an introduction for people. I describe the benefits of treating cyber security as a science, explain what that would look like and how TBSE enables us to do that today, and suggest three easy ways people could give it a try to see what it can do for them. It can help you get more meaningful results from compliance assessment schemes, augment continuous controls monitoring by matching it up with appropriate threat modelling, and build up step-by-step a set of metrics that show you how much security protection you are getting from your security controls not just how far they have been implemented. All part and parcel of answering the perennial question “How much security is good enough and am I there yet?”
I would be happy to discuss any aspect of TBSE with you if you are interested to know more. Please get in touch. Email me at email@example.com or call 07734 311567 (+44 7734 311567).