Risk assessment can be used to measure the security posture of an organization, and a metric can then summarize the results of an assessment that has multiple byproducts. This project aims to address new approaches to calculating information security metrics from an attacker's perspective. We want to produce security metrics that are inexpensive to compute, allow us to anticipate threats (that is, a non-reactive approach), and provide information that is actionable in the risk management cycle (e.g., help to prioritize threats).
We show how to model an attacker's tools and objectives, and how to use these models to derive the threats the attacker may exercise. Our approach considers a wide variety of possibilities simultaneously and uses statistical sampling to derive two security metrics: one that anticipates attackers based on vulnerabilities, and one that anticipates them based on their tools and objectives.
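As an added illustration (not code from the project described above), a toy Monte Carlo estimate of the two metrics: attacker tools and objectives are modelled as sets drawn from assumed priors, a vulnerability counts as an exercisable threat when the attacker holds every tool it requires, and the attacker-based metric is the fraction of sampled attackers who reach their objective, contrasted with a plain severity average. The system, tool names, prevalence numbers and objective weights are all constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    asset: str             # objective an attacker reaches by exercising it
    requires: frozenset    # tools the attacker must hold to exercise it
    severity: float        # 0..1, feeds only the vulnerability-based metric


# Constructed system; names are illustrative, not real CVEs or products.
SYSTEM = [
    Vuln("web", frozenset({"http_fuzzing"}), 0.4),
    Vuln("db", frozenset({"http_fuzzing", "sql_injection"}), 0.9),
    Vuln("hr_share", frozenset({"credential_phishing"}), 0.7),
]
# Constructed attacker population: how common each tool is, and how often
# each objective is pursued. These priors are assumptions, not measurements.
TOOL_PREVALENCE = {"http_fuzzing": 0.8, "sql_injection": 0.5, "credential_phishing": 0.3}
OBJECTIVE_WEIGHTS = {"web": 0.2, "db": 0.5, "hr_share": 0.3}


def vulnerability_metric(system):
    """Vulnerability-based metric: mean severity of the known vulnerabilities."""
    return sum(v.severity for v in system) / len(system)


def sample_attacker(rng):
    """Draw one attacker: a toolset plus a single objective (independent of the system)."""
    tools = frozenset(t for t, p in TOOL_PREVALENCE.items() if rng.random() < p)
    objective = rng.choices(list(OBJECTIVE_WEIGHTS), weights=list(OBJECTIVE_WEIGHTS.values()))[0]
    return tools, objective


def threats_exercised(system, tools):
    """Threats this attacker can exercise: vulnerabilities whose tool needs are met."""
    return [v for v in system if v.requires <= tools]


def attacker_metric(system, samples=20000, seed=7):
    """Attacker-based metric: fraction of sampled attackers who reach their objective."""
    rng = random.Random(seed)
    hits = sum(
        any(v.asset == objective for v in threats_exercised(system, tools))
        for tools, objective in (sample_attacker(rng) for _ in range(samples))
    )
    return hits / samples


def prioritize(system, **kw):
    """Rank vulnerabilities by how much fixing each one lowers the attacker metric."""
    base = attacker_metric(system, **kw)
    drops = {v.asset: base - attacker_metric([w for w in system if w != v], **kw) for v in system}
    return sorted(drops.items(), key=lambda kv: kv[1], reverse=True)
```

With these priors the severity ranking (db, hr_share, web) and the attacker-based ranking (db, web, hr_share) disagree, which is the kind of prioritization signal the attacker-centric metric is meant to add.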