Quantitative state-based models can help those responsible for designing, maintaining, or insuring cyber systems make informed decisions. However, there are a number of difficulties that discourage the use of quantitative cybersecurity models in practice. We identify four significant challenges to quantitative security modeling, (1) cybersecurity models are difficult to build by hand, particularly for system architects that are not experts in cybersecurity, (2) it is challenging to model the complex interplay between the cyber system and the many human entities that interact with it with current modeling formalisms, (3) the uncertainty that comes from the model’s input variables should be managed and explored with sensitivity analysis (SA) and uncertainty quantification (UQ), but many models run too slowly to complete traditional SA and UQ analyses, and (4) there is a lack of appropriate frameworks, guidance on metrics, and advice on common modeling issues with regards to quantitative cybersecurity models.
In this dissertation, we address each of the four challenges. To address the first challenge, we present an ontology-assisted automatic cybersecurity model generation approach that modelers can use to make cybersecurity models quickly and easily. Using this approach, a system architect would first create a system diagram of the components of the system and their relationships to one another. Then, a model generation algorithm would convert the system diagram (with the aid of an ontology) into a sophisticated cybersecurity model that can be executed to obtain metrics. We implemented the tool in Mobius and demonstrated its use with an AMI test case. To address the second challenge, we designed a new agent-based modeling formalism called GAMES that allows the modeler to explicitly model the system and all of the human entities that interact with the system in a modular and intuitive fashion, and show its strengths with a worked example. To address the third challenge, we proposed an indirect stacking-based metamodeling approach. Using the metamodeling approach, we are able to accomplish sensitivity analysis and uncertainty quantification hundreds to thousands of times faster than traditional approaches and with better accuracy than current metamodel approaches. We demonstrate the approach’s efficacy with eight worked examples. Finally, to address the fourth challenge, we present a high-level framework to guide the modeling process, give guidance on what metrics to calculate and how to calculate them, and share advice on common issues with cybersecurity modeling.
The theoretical and practical contributions presented in this dissertation will help make quantitative cybersecurity modeling easier to use and more useful, which will, in turn, help protect society’s most critical and valuable infrastructure from cyber threats
