The model assumes accuracy of vendor estimates of control pricing and efficacy.Incident reports are verified by the VCDB maintainers, but the majority are self-reported or submitted by the security community. Any data bias (underreporting, skew towards particular industries, etc) on threat actor effectiveness and frequency is inherited from Verizon's corpus of breach data. The model assumes incident reports in the VCDB are accurate.Some customization of nodes and services (and their ordering) is possible from the main page menu. The model will be more accurate for networks which more closely resemble the one used in the model. Assumptions are made about the user's network which the creators believe are representative of many small businesses.The model makes several assumptions and compromises in the name of data availability and ease of use. The model was expanded and enhanced to include control pricing, budget allocation, and ROI in the thesis available. The initial model was published in the proceedings of the 2022 IEEE International Symposium on Technologies for Homeland Security (HST). User selection of threat actors they anticipate facing, as well as security controls to implement, accordingly impact attack success predictions.
The model can quickly run hundreds or thousands of iterations using minimal resources, and visually displays attack success likelihoods. Simulation modeling allows us to represent the data in a meaningful way, and to make reasonable estimations of outcomes based on observed samples. This corpus of incident reports is used to create the annual Verizon Breach Investigations Report (DBIR).ĭata related to monetary costs of breaches are based on the IBM Cost of a Data Breach Report. Box Data Sourcesĭata related to security control costs and efficacy come primarily from vendors.ĭata related to threat actor effectiveness and frequency come from the VERIS Community Database maintained by the Verizon Security Research Team. "All models are wrong, but some are useful." -George E.P. The model will not represent every organization with pinpoint accuracy it is meant to provide a useful tool accurate enough to improve decision making. This model is intended for small businesses/organizations without dedicated cybersecurity teams, or anyone trying to make more informed risk decisions while allocating a limited cybersecurity budget. Stand-alone, cross-platform releases may be downloaded under Releases. An AnyLogic simulation model allowing users to quantitatively estimate the risk of cyber attacks to their organization, as well as the efficacy and total cost of security controls.
0 kommentar(er)
