ABSTRACT

The practice of threat modeling to identify and then mitigate or eliminate vulnerabilities has a long history in military operations research. More recently, these practices have been applied to the cyber domain to give the defender an increased advantage. Most cybersecurity research, however, is performed in the computer science and network infrastructure fields, where the focus is on theory and infrastructure management. Consequently, the work lacks the traditional operations research perspectives on risk analysis, assessment, and decision support that may lead to a greater overall defensive posture. This chapter outlines several operations research techniques used in modeling cybersecurity threats and proposes a value model framework for security metrics and best practices that is supported by data and interviews with subject matter experts. The value model, which includes a framework that can be customized for any organization, is illustrated using notional data. Finally, through a survey of cyber professionals with both military and corporate industry experience, an inventory of valued attributes for a secure cyber system is provided, along with potential differences in values based on an organization’s history of attacks and/or breaches. This model, grounded in the principles of military operations research, will enable organizations to assess the performance of their respective cyber systems, manage risk, and continuously improve their processes.