Risk in a network or operational technology infrastructure is usually defined as the probability that an adverse event or action occurs and results in a negative impact or consequence. In the context of cyber security, risk refers to the expected likelihood and consequences of threats or attacks on cyber assets. Risk assessment involves identifying threats and vulnerabilities, computing the likelihood that threats occur, and then determining the impact and consequences when threats exploit vulnerabilities. The minimal requirement for the risk assessment of any system is to characterize threats, vulnerabilities, and the effectiveness and operational status of the system's defenses against particular threats.
Risk quantification requires the scoring of vulnerabilities. In this regard, the Security Content Automation Program (SCAP), developed by the National Institute of Standards and Technology (NIST), supports the National Vulnerability Database (NVD), which provides a repository of known vulnerabilities and of the software that contains them. As part of SCAP, the Common Vulnerability Scoring System (CVSS) assigns each newly discovered software vulnerability a score that prioritizes its importance. In addition to scoring vulnerabilities, risk quantification requires the scoring of exploit likelihood and attack impact, so that the simplest risk score of an individual vulnerability can be obtained as the product of its exploit likelihood and impact.
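The following is an added example, not part of the original text, of the likelihood-times-impact score computed from CVSS v3.1 base vectors. Using the CVSS exploitability subscore scaled to [0, 1] as the exploit likelihood is an assumption of this example, and the finding names and vectors are constructed.

```python
# Added example. Metric weights and subscore formulas follow the CVSS v3.1 specification.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}}
MAX_EXPLOITABILITY = 8.22 * 0.85 * 0.77 * 0.85 * 0.85  # AV:N/AC:L/PR:N/UI:N

def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/...' into a metric dict, rejecting malformed input."""
    prefix, _, body = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError("not a CVSS v3.x vector: %r" % vector)
    metrics = dict(part.split(":", 1) for part in body.split("/"))
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError("missing base metrics: %s" % sorted(missing))
    return metrics

def subscores(vector):
    """Return the unrounded (exploitability, impact) subscores."""
    m = parse_vector(vector)
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR[m["S"]][m["PR"]] * W["UI"][m["UI"]]
    c, i, a = (W["CIA"][m[k]] for k in "CIA")
    iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a)
    impact = 6.42 * iss if m["S"] == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    return expl, max(impact, 0.0)

def risk(vector):
    """Risk = likelihood x impact. Likelihood is exploitability scaled to [0, 1],
    an assumption of this example and not a CVSS-defined quantity."""
    expl, impact = subscores(vector)
    return (expl / MAX_EXPLOITABILITY) * impact

# Constructed sample findings (hypothetical names, not real CVEs).
FINDINGS = {
    "remote-unauth-full": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "local-admin-full": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
    "remote-unauth-leak": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
}

def ranked(findings):
    return sorted(findings, key=lambda name: risk(findings[name]), reverse=True)

if __name__ == "__main__":
    for name in ranked(FINDINGS):
        print("%-20s risk=%.2f" % (name, risk(FINDINGS[name])))
```

With these inputs the product ranks remote-unauth-leak (CVSS base score 5.3) above local-admin-full (base score 6.3), because the latter's high impact is discounted by its low likelihood.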
A major issue with prior methods of assessing risk is that they cannot dynamically determine the risk to a particular region of a network and project that risk to a future time. The methods and systems provided herein address this problem by progressively developing a dynamic representation of cyber vulnerabilities, exploitation, and observations of a network, using integrated Bayesian, Markov, and state space models to dynamically encode quantitative and qualitative knowledge and measurements of cyber security vulnerabilities, exploits, and attack impacts.