Cybersecurity: causality and ontological parsimony
Surridge, Mike, Senior, Samuel M. and Guthrie, Duncan (2025) Cybersecurity: causality and ontological parsimony. Computers & Security. (Submitted)
Abstract
Cybersecurity risk assessment using standards like ISO 27005 is hard, especially for complex target systems. The main challenges are to identify threats, estimate their likelihood, and determine their consequences. One source of difficulty is the presence of (system-specific) dependencies, whereby a threat to one system component can lead indirectly to consequences in other system components via (system-specific) attack paths and secondary-effect cascades. This paper postulates that part of the problem is that threat paths require an analysis of causes and effects in the context of a specific system, but tools and knowledge bases used for this are not based on causal models. Existing cybersecurity knowledge bases may help identify threats but do not allow the likelihood of adverse outcomes including indirect effects to be found in a target system. This paper proposes to address some of these challenges by using a simple causal model. Such a model provides at least three attractive benefits for knowledge capture and reuse: parsimony (the number of distinct concepts is small compared to existing knowledge bases), generality (it is feasible to capture these concepts in a way that does not require assumptions about target systems), and utility (it is easy to create simulations of cybersecurity threats in target systems and determine the presence and likelihood of attack paths and secondary effects). This has implications for the development of current and future cybersecurity knowledge bases. For example, the high cost of analysing new vulnerabilities in the NVD catalogue seems related to the fact that CVSS (in its current form) hides some causal relationships. This suggests that aligning CVSS with a causal model would reduce the cost of NVD and make it more useful in risk assessment. Mapping CVSS and other cybersecurity knowledge bases to a simple causal model would also make it easier to integrate them in a way that supports application in practical risk assessments.
Text
CausalityAndParsimony-Submitted-2025-08-14
- Author's Original
More information
Submitted date: 14 August 2025
Keywords:
Cybersecurity, Risk Assessment, Semantics
Identifiers
Local EPrints ID: 505286
URI: http://eprints.soton.ac.uk/id/eprint/505286
ISSN: 0167-4048
PURE UUID: 71c41878-fad0-468d-8004-c0220250b5f4
Catalogue record
Date deposited: 06 Oct 2025 16:42
Last modified: 07 Oct 2025 02:03
Contributors
Author: Mike Surridge
Author: Samuel M. Senior
Author: Duncan Guthrie