A Framework for Characterizing the Security Posture of Cyber Systems

Abstract

Modern day applications can be spread across multiple virtual or physical systems, and be accessed or attacked by pretty much any one any where. Cybersecurity is used to mitigate these cyber threats but there are limited resources that can be dedicated to security. As result, trade-offs and decisions must be made around what is prioritized and what isn’t. Cyber risk management provides methodologies for identifying threats, evaluating risks and making decisions, however, it can be difficult to determine whether the system is actually secure enough and the risk is actually within an acceptable parameters. This thesis provides a framework for managing threats and quantifying the security posture, in the form of risk desirability, of cyber systems.