An experimentally verified method to predict & measure all forms of Cyber-Risk
preprintposted on 29.03.2021, 05:16 authored by Riccardo StortiRiccardo Storti
A precise & unambiguous mathematical definition of Cyber-Risk is developed, yielding an experimentally validated solution demonstrating ‘How to Predict & Measure Cyber-Risk’ for any Internet Connected Information System (ICIS) to greater than 98.07% accuracy. Moreover, it is shown that the solution holds for all scales of ICIS, from an Application level to an Enterprise level. In addition, it is shown that Test Effort Estimation (TEE) quantifies Cyber-Confidence, which in turn quantifies Cyber-Risk. Hence, TEE is a Mission Critical Activity (MCA) when formulating Cyber-Risk Management Strategies & may be utilised prior to project commencement, in-flight or post facto as an assessment &/or auditing tool. The TEE Model Construct developed is a statistical based methodology whereby the evaluations/decisions made, result in the contraction or expansion of the ‘z-Score’ associated with an infinite population of database records. The primary advantage of this approach is that very little information is required client-side at the engagement stage in order to produce peer acceptable estimates of the required test effort, & to accurately predict & measure the associated Cyber-Risk. This approach empowers clients & service providers to precisely define whatever level of Cyber-Risk is to be contractually delivered, capable of being absorbed, or prepared to be absorbed by consensus. With the aid of a decision table, estimators are able to articulate & convey to the appropriate authorities, various levels of Cyber-Risk commensurate with the available resources. The TEE Model Construct developed, presents an experimentally verified methodology, cognizant of commercial realities, yielding the following key advantages; (i) it requires minimal inputs, (ii) it has a scientific foundation, (iii) it facilitates operational decision-making, (iv) it quantifies Risk Based Testing (RBT), (v) it is simple, robust, flexible, consistent, reusable & transparent, (vi) it is capable of scaling a projected solution from a known solution, (vii) it embraces Continuous Improvement Processes (CIP’s), (viii) it confines perceptual subjectivity predominantly to three variables & (ix), it commercially exists as an off-the-shelf product.