Abstract

Quantitative risk assessment can play a crucial role in effective decision making about cybersecurity strategies. Factor Analysis of Information Risk (FAIR) is one of the most popular models for quantitative cybersecurity risk assessment. It provides a taxonomic framework that decomposes cybersecurity risk into a set of quantifiable risk factors and combines this with a quantitative algorithm, a form of Monte Carlo (MC) simulation combined with statistical approximation techniques, to estimate cybersecurity risk. However, the FAIR algorithm restricts both the types of statistical distribution that can be used and the extensibility of the model structure. Moreover, the approximation techniques it applies (including the use of cached data and interpolation) introduce inaccuracy into the FAIR model. To address these restrictions, we develop a more flexible alternative, which we call FAIR-BN, that implements the FAIR model using Bayesian Networks (BNs). To evaluate the performance of FAIR and FAIR-BN, we use a plain MC method (FAIR-MC) that performs the FAIR model's calculations without any of the approximation techniques adopted by FAIR, thus avoiding the inaccuracy they can introduce. We compare the results generated by FAIR and FAIR-BN against a large number of samples generated using FAIR-MC. Both FAIR and FAIR-BN produce results consistent with FAIR-MC in general cases; however, FAIR-BN achieves higher accuracy in several cases that the FAIR model cannot represent accurately. We further demonstrate that FAIR-BN is more flexible and extensible by showing how it can incorporate process-oriented and game-theoretic methods. We call the resulting combined approach "Extended FAIR-BN" (EFBN) and show that it has the potential to provide an integrated solution for cybersecurity risk assessment and related decision making.
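The abstract contrasts FAIR's approximated calculation (cached data, interpolation) with a direct Monte Carlo evaluation (FAIR-MC) that samples every factor. The following is an added example, written for this page and not code from the paper or from the FAIR standard, of what that direct sampling looks like. It assumes the public FAIR factor structure (Threat Event Frequency, Vulnerability as Threat Capability versus Resistance Strength, Primary and Secondary Loss), the PERT distributions conventional in FAIR tooling, a Poisson draw for the number of threat events in a year, and a constructed scenario whose numbers are illustrative only.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Modified-PERT distribution on [low, high] with most-likely value `mode`.

    lam=4 is the conventional shape weight used in FAIR-style tooling (assumption);
    a larger lam concentrates probability mass nearer the mode.
    """
    low: float
    mode: float
    high: float
    lam: float = 4.0

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1.0 + self.lam * (self.mode - self.low) / span
        b = 1.0 + self.lam * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's multiplicative algorithm; adequate for the small annual rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


@dataclass(frozen=True)
class FairScenario:
    tef: Pert             # threat event frequency, events per year
    tcap: Pert            # threat capability, percentile 0..100
    rs: Pert              # control resistance strength, percentile 0..100
    primary_loss: Pert    # primary loss magnitude per loss event (currency units)
    slef: Pert            # probability that a loss event also causes secondary loss (0..1)
    secondary_loss: Pert  # secondary loss magnitude when it does


def simulate_year(s: FairScenario, rng: random.Random) -> float:
    """One Monte Carlo trial: total loss in one year, with every factor sampled directly.

    No cached tables or interpolation: Vulnerability is resolved per threat event by
    comparing a freshly sampled threat capability against a freshly sampled resistance.
    """
    n_threat_events = poisson(s.tef.sample(rng), rng)
    loss = 0.0
    for _ in range(n_threat_events):
        if s.tcap.sample(rng) <= s.rs.sample(rng):
            continue  # control held; threat event did not become a loss event
        loss += s.primary_loss.sample(rng)
        if rng.random() < s.slef.sample(rng):
            loss += s.secondary_loss.sample(rng)
    return loss


def simulate(s: FairScenario, trials: int = 10_000, seed: int = 0) -> dict:
    """Run `trials` independent years and summarise the annualised loss exposure."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(trials))

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "mean_ale": statistics.fmean(losses),
        "p50": pct(0.5),
        "p90": pct(0.9),
        "p_zero": sum(1 for x in losses if x == 0.0) / len(losses),
    }


# Constructed scenario (illustrative numbers, not from the paper): phishing leading to
# credential theft against a workforce with moderate anti-phishing controls.
EXAMPLE = FairScenario(
    tef=Pert(2, 6, 15),
    tcap=Pert(30, 55, 85),
    rs=Pert(40, 60, 80),
    primary_loss=Pert(5_000, 25_000, 120_000),
    slef=Pert(0.1, 0.3, 0.6),
    secondary_loss=Pert(20_000, 80_000, 400_000),
)


def run_example(trials: int = 5_000, seed: int = 42) -> dict:
    return simulate(EXAMPLE, trials=trials, seed=seed)


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k:>9}: {v:,.2f}")
```

Because each factor is sampled per trial and per event, swapping in a different distribution for any node (the flexibility the abstract asks of FAIR-BN) is a one-line change here, and the tail percentiles come straight from the sampled annual losses rather than from an interpolated table.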
