Time-Aware Bayesian Attack Graphs for Dynamic Cyber Risk Assessment Incorporating Attacker Behavior and Cost–Benefit Analysis

With the increasing complexity of organizational and cloud-based networks, effective cyber risk and vulnerability assessment has become a critical challenge in modern network security. Conventional vulnerability analysis and attack graph–based approaches often overlook attacker behavior, economic incentives, and dynamic system evolution, leading to limited decision-making capability. This paper proposes a novel behavioral and cost–benefit driven Bayesian attack graph (BAG) framework for dynamic risk assessment in complex networks. The proposed approach integrates Bayesian belief networks with attack graph structures while explicitly incorporating attacker behavioral characteristics, including skill level, attack capability, and persistence, together with a cost–benefit analysis of attack actions. A new probabilistic formulation is introduced to quantify atomic attack success by jointly considering vulnerability exploitability, attacker behavior, and economic motivation. In addition, a time-aware path scoring mechanism is developed to identify critical attack paths by combining attack reachability probability and expected attack duration. The framework supports dynamic Bayesian updating in the presence of new evidence, enabling adaptive risk assessment in evolving environments such as cloud infrastructures. Theoretical analysis confirms that the proposed model is bounded, continuous, and guarantees the existence of an optimal attack path follows from finiteness of the attack graph. Empirical results demonstrate that the proposed framework fundamentally alters attack path prioritization compared with classical BAG-based methods, revealing economically attractive and time-efficient attack paths that are overlooked by vulnerability-centric approaches. By integrating attacker behavior, cost–benefit reasoning, and temporal dynamics, the proposed model provides a more realistic, operationally meaningful, and decision-oriented basis for proactive cyber risk management.