Incorporating attacker capabilities in risk estimation and mitigation

The risk exposure of a given threat to an information system is a function of the likelihood of the threat and the severity of its impacts. Existing methods for estimating threat likelihood assume that the attacker is able to cause a given threat, that exploits existing vulnerabilities, if s/he has the required opportunities (e.g., sufficient attack time) and means (e.g., tools and skills), which is not true; often, s/he can perform an attack and cause the related threat only if s/he has the ability to access related resources (objects) of the system that allow to do so. This paper proposes a risk estimation method that incorporates attacker capabilities in estimating the likelihood of threats as conditions for using the means and opportunities, demonstrates the use of the proposed risk estimation method through two examples: video conferencing systems and connected vehicles, shows that changing attacker capabilities changes the risks of the threats, and compares the uncertainty of experts in evaluating the likelihood of threats considering and not considering attacker capabilities for two experiments. The results of the experiments suggest that experts are less uncertain about their estimations of threat likelihoods when they consider attacker capabilities.