
Goran Kap, Dana Ali: Statistical analysis of computer network security

Time: Fri 2013-10-11, 10:15 - 11:00

Location: Room 3418, Lindstedtsvägen 25, 4th floor, Department of Mathematics, KTH


This thesis shows how to measure the annual loss expectancy of computer networks due to the risk of cyber attacks. With the development of metrics for measuring the exploitation difficulty of identified software vulnerabilities, it is possible to measure the annual loss expectancy of computer networks using Bayesian networks. To enable the computations, computer network vulnerability data in the form of vulnerability model descriptions, vulnerable data connectivity relations and intrusion detection system measurements are transformed into vector-based numerical form. This data is then used to generate a probabilistic attack graph, which is a Bayesian network of an attack graph. The probabilistic attack graph forms the basis for computing the annualized loss expectancy of a computer network. Further, it is shown how to compute an optimized order of vulnerability patching to mitigate the annual loss expectancy. An example computation of the annual loss expectancy is provided for a small invented example network.
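The computation the abstract outlines can be sketched on a toy network. This is an added example, not code or data from the thesis: the hosts, vulnerability ids, exploit probabilities and loss figures are constructed, each exploit is assumed to succeed independently within a year, and the greedy patch ordering is a simple heuristic standing in for the thesis's optimization.

```python
from itertools import product

# Constructed example network (not from the thesis): each edge is
# (source, target, vulnerability id, probability the exploit succeeds in a year).
EDGES = [
    ("internet", "web", "V1", 0.5),
    ("web", "db", "V2", 0.5),
    ("internet", "file", "V3", 0.2),
    ("file", "db", "V2", 0.5),
]
LOSS = {"web": 10_000, "file": 20_000, "db": 100_000}  # assumed loss per compromise

def compromise_probs(edges, entry="internet"):
    """Exact marginals: enumerate every success/failure outcome of the edges."""
    probs = dict.fromkeys(LOSS, 0.0)
    for outcome in product([True, False], repeat=len(edges)):
        weight = 1.0
        for (_, _, _, p), ok in zip(edges, outcome):
            weight *= p if ok else 1.0 - p
        # Nodes reachable from the entry point over the edges that succeeded.
        reached, changed = {entry}, True
        while changed:
            changed = False
            for (src, dst, _, _), ok in zip(edges, outcome):
                if ok and src in reached and dst not in reached:
                    reached.add(dst)
                    changed = True
        for node in reached - {entry}:
            probs[node] += weight
    return probs

def ale(edges):
    """Annual loss expectancy: sum of P(node compromised) * loss(node)."""
    probs = compromise_probs(edges)
    return sum(probs[n] * LOSS[n] for n in LOSS)

def patch_order(edges):
    """Greedy: repeatedly patch the vulnerability that leaves the lowest ALE."""
    order, remaining = [], list(edges)
    while remaining:
        vulns = sorted({e[2] for e in remaining})
        best = min(vulns, key=lambda v: ale([e for e in remaining if e[2] != v]))
        remaining = [e for e in remaining if e[2] != best]
        order.append((best, round(ale(remaining), 2)))
    return order

if __name__ == "__main__":
    print(f"ALE before patching: {ale(EDGES):.2f}")
    print("Patch order with residual ALE:", patch_order(EDGES))
```

Exhaustive enumeration is exact but grows as 2^(number of edges), so it only suits networks of this size; larger attack graphs need a Bayesian network inference algorithm.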