A Threat-Intelligence Driven Methodology to Incorporate Uncertainty in Cyber Risk Analysis and Enhance Decision Making

The predictability and understandability of the world around us is limited, and many events are uncertain. It can be difficult to make decisions in these uncertain circumstances, as demonstrated by the changing measures taken to contain the COVID-19 pandemic. These decisions are not necessarily incorrect, but rather a reflection of the difficulty of decision making under uncertainty, where the probability and impact of events and measures are unknown. Information security is rapidly positioning itself around making decisions in uncertain situations. Which means that, it is not just about preventing or managing probable risks, but rather about dealing with unpredictable probabilities and effects. To contend with, information security leaders should therefore include strategies that reduce uncertainty and hence improve the quality of decision making. Risk assessment is a principal element of evidence-based decision making, especially in an ever-changing cyber threat landscape that constantly introduces uncertainties. Thus, it is essential to recognize that addressing uncertainty requires a new methodology and risk analysis approach that considers both known unknowns and unknown unknowns. To address this challenge, we propose the threat-intelligence based security assessment, and discuss a decision-making strategy under uncertainty, both of which support decision makers in this complex undertaking.