<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">There has been a lot of discussion in this list regarding the need to assess and include the attacker’s ROI as a way to properly measure cyber attack risk. I had always strongly believed that this could be modeled mathematically by combining game theory and complex network theory, and that this would allow for a far more comprehensive approach than the industry’s subjective probability x impact assessments. </div><div class=""><br class=""></div><div class="">We have written a book "<a href="http://www.amazon.com/gp/product/3319264214/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=3319264214&linkCode=as2&tag=sm4rt-20&linkId=E7YMQRIJUA64GQKX" class="">Intentional Risk Management through Complex Networks Analysis (SpringerBriefs in Optimization)</a>” with the results of several years of work trying to create a mathematical model for this. I was lucky to partner up with my good friend Dr. Santiago Moral and a leading information security authority, as well as with two distinguished mathematicians, Dr. Regino Criado and Dr. Miguel Romance with whom we worked in developing a mathematical model around these concepts. This is still work in progress and I believe there is room for improvement and enhancement. This is precisely why we chose to share it with the world by publishing our findings. </div><div class=""><br class=""></div><div class="">Our main intention was to produce something similar to a page-rank algorithm for calculating relative and absolute risk for every node in a network. This risk could be from an employee with authorized access (we called this static risk) or from a hacker that would be able to move through the network more freely (we called this dynamic risk). This methodology allows us to consider the attackers perceived risk/reward at each node and through each path. We were trying to model how an attacker would rationally assess each potential target. Even though for individual hackers there is still a lot of serendipity it averages out when you consider all potential attacks and this should allow us to determine risk for each node or path. </div><div class=""><br class=""></div><div class="">I hope it proves useful,</div><div class="">Victor</div></body></html>
<br>
<div style="font-size:1.3em"><img src="http://www.ghosteam.com/M4il/GhosTeam.jpg"></div><font face="Arial" size="1" color="#808080">El contenido de este correo electrónico, así como los archivos adjuntos al mismo, son de carácter confidencial mismos que son dirigidos para uso exclusivo del destinatario. La distribución y difusión tanto impresa, verbal o electrónica del presente mensaje de datos y sus archivos adjuntos está prohibida, salvo que exista previa autorización del remitente. Si usted no es el destinatario o recibe este correo por error, se le prohíbe su utilización total o parcial para cualquier fin, se le agradece que lo notifique al remitente y después, lo elimine de su sistema. De acuerdo a la Ley Federal de Protección de Datos Personales en Posesión de Particulares (México), se le informa que los datos que nos ha facilitado y nos facilite en un futuro, pueden ser incorporados en nuestros archivos y/o bases de datos y utilizados para el cumplimiento de los productos y/o servicios ofrecidos. Fuera de los casos legalmente previstos y/o en defensa de sus intereses, dichos datos no serán cedidos a terceros sin su autorización.</font><div><font face="Arial" size="1" color="#808080">Consulte nuestro aviso de privacidad en </font><font face="Arial" size="1" color="#0000ff"><a href="http://www.sm4rt.com/#PrivacyPolicy" target="_blank">http://www.sm4rt.com/#<WBR>PrivacyPolicy</a></font></div>