Purpose The purpose of this paper is to develop a quantitative framework that translates cyber attribution uncertainty into defensive control priorities. Organizations lack systematic methods to convert sector-specific attribution probabilities into differentiated security investments. This study introduces a probability-weighted tactic-scoring function that converts estimated public attribution status into ranked defensive priorities for both known and unknown attackers, providing a defensible basis for resource allocation decisions. Design/methodology/approach This study analyzes 14,096 cyber incidents (2016–2023) using a two-stage framework. Stage 1 uses logistic models with sector-by-attack-class interactions to estimate attribution probabilities. Stage 2 integrates these with MITRE ATT40%), while Discovery (TA0007) dominates when attribution is likely (70%). This pattern, whether reflecting adversary strategy or differential observability, provides actionable guidance for resource allocation. Patterns remain stable under parameter variation and resampling. Practical implications Organizations can map predicted attribution to control priorities. Low-attribution sectors benefit from emphasizing persistence detection; high attribution sectors benefit from discovery-focused controls. This study illustrates how tactic priorities translate to NIST SP 800–53 control families. Originality/value The probability-weighted scoring functional generalizes to any context with estimable class distributions, behavioral frequencies and uncertainty gates. This framework bridges attribution research and defensive strategy by quantitatively linking empirical attribution patterns to sector-specific control priorities, moving organizations beyond generic best practices toward attribution-aware security investment.
Sandeep Suntwal (Mon,) studied this question.