Full Program
Summary:
In this paper, we present a dynamic and proactive cyber risk assessment model that leverages the Exploit Prediction Scoring System (EPSS) to quantify short-term (30-day) exploit likelihoods. Our framework integrates Bayesian networks to account for both vulnerabilities and network topologies, then constructs absorbing Markov chains for each enumerated attack path using a Depth-First Search (DFS) of the environment. This combination provides (i) day-by-day exploitation probability distributions for individual assets, (ii) time-to-compromise estimates indicating how soon an attacker might reach high-value targets, and (iii) a continuous risk metric derived from threat likelihoods and asset impact. We apply the method to a representative Industrial Control System (ICS) environment, demonstrating the effectivness of the proposed approach.Author(s):
Pavlos Cheimonidis
Democritus University of Thrace
Greece
Konstantinos Rantos
Democritus University of Thrace
Greece