The ?-Time-to-Compromise Metric for Practical Cyber Security Risk Estimation

Abstract

To manage cyber security risks in practice, a simple yet effective method to assess such risks for individual systems is needed. With time-to-compromise (TTC), McQueen et al. (2005) introduced such a metric that measures the expected time that a system remains uncompromised given a specific threat landscape. TTC combines simplicity with expressiveness and therefore has evolved into one of the most successful cybersecurity metrics in practice. We revisit TTC and identify several mathematical and methodological shortcomings which we address by embedding all aspects of the metric into the continuous domain and the possibility to incorporate information about vulnerability characteristics and other cyber threat intelligence into the model. We propose ?-TTC, a formal extension of TTC which includes information from CVSS vectors as well as a continuous attacker skill based on a ?-distribution. We show that our new metric remains simple enough for practical use and gives more realistic predictions than the original TTC by using data from a modern and productively used vulnerability database of a national CERT.