Abstract

As organizations grapple with an ever-evolving threat landscape, the need for effective security risk quantification methodologies becomes paramount. This research paper introduces and explores a novel approach to security risk quantification through the application of a hexagram model. Drawing inspiration from the I Ching, an ancient Chinese divination text, this hexagram model encompasses six key elements: Threat Landscape, Vulnerability Analysis, Asset Criticality, Control Effectiveness, Incident Response Capability, and Business Impact. By dividing these elements into two trigrams, a comprehensive view of external and internal factors influencing security risk emerges. The literature review examines existing security risk quantification methods, highlighting their strengths and limitations. The hexagram model's uniqueness lies in its holistic representation, integrating technical and organizational facets. The paper details the methodology, providing a clear framework for application. A practical case study demonstrates the model's implementation, showcasing its efficacy in real-world security assessments. Results and analysis reveal valuable insights into the security risk landscape, with comparisons to traditional quantification methods illustrating the hexagram model's added depth. The discussion interprets findings in the context of the security domain, addressing implications and areas for improvement. The paper concludes by summarizing key contributions, emphasizing the significance of the hexagram model in providing a nuanced understanding of security risk. Recommendations for future research underscore the potential for further refinement and broader adoption of this innovative approach.
