Interested in a Cyber Attack Path Risk Model?

Introduction

KPMG’s 2020 cyber risk quantification paper provides us with valuable concepts on cyber risk quantification. I have adopted their core attack path concept for ransomware and built a Monte Carlo simulation. The model works on three interlinked components:

1. Threat Quantification (Contact Rate × Learning)

  • Annual attack attempts (base rate of 190)
  • Learning effect multiplier (2x) capturing attacker improvement This gives us ~380 effective attacks per year to feed into our path calculations.

2. Attack Path Success Rate

  • Initial Compromise: MAX(phishing, watering hole, USB) ≈ 10%
  • Malware Deployment: AND(deploy, command & control) ≈ 13%
  • Lateral Movement: MAX(exploit, discover, connect) ≈ 20%
  • Evasion: MAX(response, logging, detection) ≈ 40%
  • Action: AND(compromise, ransomware) ≈ 70%

The use of MAX for OR nodes and multiplication for AND nodes lets us model real attack paths while keeping calculations manageable.

3. Foundation Controls

Model uses a 1.2x multiplier to represent how basic security controls enhance overall effectiveness.

Making It Real

I implemented this as a Monte Carlo simulation using:

  • Parameters capturing base capabilities
  • Assessments providing realistic ranges
  • Expressions handling Boolean logic

The results (37%) closely match KPMG’s predicted 33% likelihood while providing equal insight into contributing factors.

When Theory Meets Reality

Key lessons from this implementation:

  1. Assessment honesty matters more than mathematical precision
  2. AND/OR logic drastically affects which controls matter most
  3. Foundation multipliers capture often-overlooked basics
  4. Monte Carlo helps understand probability ranges, not just point estimates

Next Steps

This model demonstrates what’s possible with:

  • Clear attack path definition
  • Boolean probability logic
  • Foundation control effects
  • Practical assessment ranges

The challenge now is tuning it for specific environments while maintaining its simplicity and usability.