Abstract Modern organisations face a cyber threat landscape that evolves faster than traditional qualitative risk scoring can adapt. It is important for organisations to keep pace with adversaries’ tactics and react accordingly. This paper develops a quantitative cyber risk assessment framework that integrates Bayesian statistical analysis with system specific hazard mapping. Drawing on the Cyber Security Body of Knowledge (CyBOK) Risk Management and NIST guidance, the study maps unacceptable and acceptable losses to hazards, links hazards to MITRE ATT and Bayes’ Theorem is applied to update threat probabilities as new cyber threat intelligence (CTI) is ingested. A proof of concept spreadsheet tool was developed - it ingests CTI pulses from publicly available feeds and recalculates hazard probabilities for each system, producing dynamic risk scores and dashboards. Evaluation using a simulated vulnerability set shows that the tool reprioritises hazards based on current exploitation activity: vulnerabilities with recent CTI evidence receive higher posterior probabilities than those with similar CVSS (Common Vulnerability Scoring System) scores but no active threats. The tool’s transparency and its value in bridging technical risk data with organisational decision making, while noting the manual effort hazard mapping process as a candidate for future automation are the key observations. The study concludes that simple Bayesian updating, when combined with system context, provides an accessible yet rigorous approach to threat quantification and lays the foundation for future automation and dependency modelling.
Thevaratnam et al. (Thu,) studied this question.