Urgency in Cybersecurity Risk Management: Toward a Solid Theory

Open Access
Authors
Publication date 2024
Book title 2024 IEEE 37th Computer Security Foundations Symposium
Book subtitle proceedings : 8-12 July 2024, Enschede, The Netherlands
ISBN
  • 9798350362046
ISBN (electronic)
  • 9798350362039
Series CSF
Event 2024 IEEE 37th Computer Security Foundations Symposium
Pages (from-to) 651-664
Number of pages 14
Publisher Los Alamitos, California: IEEE Computer Society
Organisations
  • Faculty of Science (FNWI) - Informatics Institute (IVI)
Abstract
IT systems are exposed to a rapidly changing landscape of serious security risks. Given the limited resources available to an organization, it is becoming more and more important to properly prioritize security risks, so that the organization can focus its efforts on the most critical risks. Traditionally, risks are assessed in terms of two aspects: occurrence probability and caused damage. However, for real-time risk prioritization, a third aspect is also of critical importance: urgency. Urgency stems from time-related considerations, such as the time needed by adversaries to exploit a vulnerability or the time needed for system administrators to put a countermeasure in place. These time-related considerations are orthogonal to the traditional aspects of occurrence probability and caused damage, and are largely ignored by existing risk management approaches. This paper proposes a way of introducing the notion of urgency into risk assessment. Our aim is to devise an intuitive approach for assessing risks, taking urgency into account, based on a solid theoretical underpinning. We establish a mathematical model using probability theory, and derive formulas for time-aware risk assessment in different settings.
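The abstract's point is that two risks with identical probability and damage can differ sharply in how soon they must be handled, because urgency is a race between the adversary's exploit time and the defender's remediation time. The toy model below is an added illustration of that idea and is not the paper's own model or formulas: it assumes an exponentially distributed exploit time, a deterministic (or, in the second helper, exponentially distributed) countermeasure time, and that the resulting "exploit lands before the fix" probability simply multiplies the classic probability-times-damage score. The risk register is constructed sample data.

```python
"""Toy time-aware risk prioritisation: classic (probability x damage) versus a
score that also accounts for the race between the adversary's exploit time and
the defender's time to put a countermeasure in place. Added illustration; the
model below is an assumption, not the paper's own formulas."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    p_exploit: float              # classic likelihood: probability an attacker targets this at all
    damage: float                 # classic impact: loss if the exploit succeeds
    mean_time_to_exploit: float   # assumed mean of an exponential adversary exploit-time distribution (days)
    time_to_fix: float            # time the administrators need to deploy the countermeasure (days)


def p_exploit_before_fix(mean_time_to_exploit: float, time_to_fix: float) -> float:
    """P(T_exploit <= time_to_fix) when T_exploit ~ Exponential(rate = 1/mean_time_to_exploit)
    and the countermeasure lands at a known, deterministic time_to_fix."""
    if mean_time_to_exploit <= 0:
        raise ValueError("mean_time_to_exploit must be positive")
    if time_to_fix <= 0:
        return 0.0  # countermeasure already in place: the exposure window is closed
    return 1.0 - math.exp(-time_to_fix / mean_time_to_exploit)


def p_exploit_before_random_fix(mean_time_to_exploit: float, mean_time_to_fix: float) -> float:
    """Same race when the fix time is itself random: with both times exponential,
    P(T_exploit < T_fix) = rate_e / (rate_e + rate_f) = mean_fix / (mean_exploit + mean_fix)."""
    if mean_time_to_exploit <= 0 or mean_time_to_fix <= 0:
        raise ValueError("means must be positive")
    return mean_time_to_fix / (mean_time_to_exploit + mean_time_to_fix)


def classic_risk(r: Risk) -> float:
    """Traditional two-aspect score: occurrence probability times caused damage."""
    return r.p_exploit * r.damage


def time_aware_risk(r: Risk) -> float:
    """Urgency enters as a third, multiplicative factor (an assumption of this toy model)."""
    return r.p_exploit * p_exploit_before_fix(r.mean_time_to_exploit, r.time_to_fix) * r.damage


def prioritize(risks, score) -> list:
    """Risk names ordered from most to least pressing under the given scoring function."""
    return [r.name for r in sorted(risks, key=score, reverse=True)]


# Constructed sample register (not real data): A looks worse on the classic two
# axes, but its exploit is slow to build and the fix is quick; B's exploit is
# fast and the fix is slow, so B is the one that actually needs attention now.
SAMPLE_RISKS = [
    Risk("A", p_exploit=0.5, damage=100.0, mean_time_to_exploit=30.0, time_to_fix=1.0),
    Risk("B", p_exploit=0.2, damage=100.0, mean_time_to_exploit=2.0, time_to_fix=7.0),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: classic={classic_risk(r):6.2f} time-aware={time_aware_risk(r):6.2f}")
    print("classic order   :", prioritize(SAMPLE_RISKS, classic_risk))
    print("time-aware order:", prioritize(SAMPLE_RISKS, time_aware_risk))
```

On the sample register the classic score ranks A first (50 versus 20), while the time-aware score reverses the order (about 1.6 versus 19.4), which is exactly the effect the abstract attributes to urgency: the slow-to-exploit, quick-to-fix risk can wait, the fast-to-exploit, slow-to-fix one cannot. The exponential assumption is only a convenience; any exploit-time distribution with a known CDF can be substituted in `p_exploit_before_fix`.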
Document type Conference contribution
Language English
Published at https://doi.org/10.1109/CSF61375.2024.00051