Proactive cyber-risk assessment is gaining momentum due to the wide range of sectors that can benefit from the prevention of cyber-incidents. The increasing connectivity of digital and (cyber-)physical systems requires more attention to cybersecurity to enhance the integrity, confidentiality, and availability of data. We introduce a statistical framework for the prioritisation of cyber-vulnerabilities, using robust and interpretable regression models to support decision-making. Specifically, we take advantage of mid-quantile regression to deal with ordinal risk assessments, and we compare it to current alternatives for cyber-risk ranking and graded responses, identifying a novel accuracy measure suited for rankings with partial knowledge of existing vulnerabilities. Our model is tested on both simulated and real data from selected databases that support the exploitation of cyber-vulnerabilities in real contexts. The variety of information arising from such datasets allows us to compare multiple models based on their predictive performance, showing how accessible information can influence perception and, hence, decision-making in operational scenarios. Applications to threat intelligence are discussed too.
翻译:暂无翻译