Today, the elusiveness of targeted attacks (TAs) and the number of evasion tactics exploited by ongoing cyberattacks are so significant that monolithic defence strategies are no longer efficient. Successful attacks are built to stay under the detection threshold on all the layers of security (from the network to the human layer): e.g., network scanning is today usually a low-intensity activity, systems are compromised with ad-hoc copies of unique malware, and phishing campaigns are tailored around single humans. Cybercrime is increasingly moving in the direction of sophisticated “low-and-slow” attacks [1]. The low-and-slow approach involves attackers remaining invisible for as long as possible, while stealthily moving from one compromised host to the next without generating regular or predictable network traffic or data exfiltration patterns as they hunt for specific data or system targets. The rapidity of the single attack steps is one crucial element of being stealthy.

The defence paradigms, therefore, must adapt to this increasingly flexible and elusive scenario, where the usual defence systems based on pattern recognition are not useful anymore. As an example, a recent report from FireEye cites “the average time from an email phishing breach to detection is 146 days globally, and a colossal 469 days for the EMEA region.” According to the report, “At a basic level, the notion that hackers are rooting around in companies’ networks undetected for 15 months is sobering, as it allows ample opportunity for lateral movement within IT environments.”

The early detection of the weak signals of an ongoing attack is probably the most important challenge in today’s security market. Within this context, one of the most interesting innovative approaches is the ability to analyse an increasing amount of data, also with the assistance of Artificial Intelligence (AI), with the objective of capturing an emerging and unnoticed trend. Cyber Threat Intelligence (CTI) tools are facing this challenge. However, the most problematic issues of CTIs are not only the complexity of the evaluation models but also the potentially uncontrollable divergence of their forecasts. The model is strongly based on the preciseness of the Indicators of Compromise (IoCs), whose collection is nowadays regulated through different bodies (mainly European bodies such as the ISACs or crowd-based efforts such as VERIS CDB) and supporting (usually de-facto) standard technologies (STIX being the reference serialization language). CTIs are also affected by the intrinsic instability of the forecast models, which require efforts to collect the IoCs, elaborate the models and distribute the early alerts. This implies a cost model that goes beyond the possibilities of an organisation with a low-budget security program, such as an SME.


The current approaches to IT security and risk management tend to underestimate the following key aspects:

  • The human factor (covering subjective, organisational, societal and economic aspects) in the identification of vulnerabilities to cyber-attacks. This aspect is often ignored despite the fact that, as recently demonstrated, Social Engineering 2.0 (SE) attacks generate the highest costs in terms of both consequences of and protection against attacks.
  • The strategy of the attacker in the identification of vulnerabilities and assets at risk. Modern attacks follow the same business logic as that followed by big companies that involve multidisciplinary competences in the definition process of their strategies and business plans [2]. The same multidisciplinary approach combining engineering, risk assessment, economic, cognitive, behavioural, societal and legal knowledge is needed to properly address the strategy of professional IT attackers.
  • The role of intangible assets in the quantification of the consequences of cyber-attacks. As reported in the Insurance Journal, “More than half the value of companies worldwide is in intangible assets, such as intellectual property, much of which is stored on computers and could therefore be vulnerable to hackers. That figure could be as high as $37.5 trillion of the $71 trillion in enterprise value of 58,000 companies, according to Brand Finance, a consultancy specializing in valuation of intangible assets”. Moreover, more than 70% of attacks target small businesses, and as much as 60% of hacked small and medium-sized businesses go out of business after six months.

Given the described scenario, HERMENEUT aims to create an inclusive approach to cyber-security cost-benefit analysis. It starts (i) from an integrated assessment of vulnerabilities and their likelihoods and, (ii) exploiting an innovative macro- and microeconomic model for intangible costs, ends (iii) with an estimation of the cyber-risks for an organisation or business sector followed by guidelines (iv) on investments, to mitigate the loss of an enterprise’s integrity.

The likelihood of success of a cyber-attack

In the HERMENEUT approach, the risk is equal to the product of likelihood, vulnerability and impact [3]. From a general point of view, the likelihood of success of a cyber-attack is composed of five relevant elements: business plan, commoditisation level, operational security, exposure of the target and human factor. These elements can be used, together with a proper economic model, to estimate the tangible and intangible risks for an enterprise.

  • The business plan of the attacker is typically tied to the ease of monetising the stolen assets. Putting aside a few more specific cyber-attacks conducted for different motivations, the ease of monetisation of a stolen asset is the main driver used in the black market – and thus a motive for performing cyber-attacks. Thus, understanding the attacker’s business plan usually requires monitoring the dynamics of the black market’s selling fluctuations and its interest in specific assets. This monitoring function is already provided by big players in IT security and integrated into current risk estimation approaches [4]. Moreover, this element is correlated with the remaining four factors (commoditisation level, operational security, exposure of target and human factor). Black-market dynamics are driven by the evolution of attacking tools (e.g., the recent evolution of Shark Ransomware as a Service), as well as by the difficulty of stealing valuable assets (e.g. see [5] for a discussion about price fluctuations of Gmail fake accounts in the black market, as a consequence of the hardenings released by Google). HERMENEUT does not concentrate on the exploration and evaluation of black market dynamics; instead, it concentrates on the evaluation of the less explored commoditisation level, exposure of target and human factor.
  • The commoditisation level is an approximate measure of how easy it is to launch a cyber-attack against an organisation. This can only really be assessed by simulating a cyber-attack against the IT systems from the viewpoint of an attacker. The assumption is that the effort undertaken by a penetration tester to break into a system in a simulated environment is proportional to the effort of a real cyber-attack. The higher the effort of the cyber-attack (e.g. regarding applied competences, instruments), the higher, in general, its price on the black market. With the evolution of TA, the exploits have become more subtle, and the strategies used less universal (and thus less identifiable by statistical methods) and more easily adaptable to single victims. A recent example of how the business models of cybercrime evolves, impacting both the commoditization level and the economic cost models, has been reported: a new Ransomware-as-a-Service project has sprung up, and the “service providers” are allowing others to use it for free, but take a 20 percent cut out of every ransom that gets paid by the victims. This change in the threat landscape implied a modification of the techniques used to simulate the cyber-attacks, to become more adjusted to the reported exploits. HERMENEUT uses a novel vulnerability assessment methodology to evaluate the commoditization level of the cyber-attacks.
  • The operational security, from the attackers’ point of view, refers to the ability to exfiltrate an asset or complete an attack business plan and remain unnoticed or uncaught. This element is connected to the commoditisation level of the black markets mentioned before. The underground economy is a loose federation of specialists selling capabilities, services, and resources explicitly tailored to the abuse ecosystem, including services used to safely resell the stolen goods.
  • The exposure of the target is a measure of how exposed the target is in terms of cyber-attacks. This is essentially the amount and relevance of the information exposed by the victim or other parties on the internet or in general to the outer world (e.g. in social media or unmonitored assets, like open resources or uncontrolled metadata of public documents) that can be directly (ab)used by the attacker to craft more successful cyber-attacks. This not only refers to leaked assets but more generally to information used to improve the effectiveness of the cyber-attacks (e.g., roles of personnel in the organisation, information about activities, locations visited during work hours), according to the logic and trends of the TA tactics. HERMENEUT measures the exposure of the target through the indirect estimation of the digital shadow of an institution [6]. That is the portion of the enterprise’s data space which is unintentionally leaked on the Internet by its employees (e.g., employees speaking of work on social media) or directly through digital channels not monitored by the enterprise (e.g., the presence of unofficial support pages on some social media). The extension of the digital shadow is proportional to the exposure of the enterprise.
  • The human factor is the measure of how the behaviour of individuals, as well as social and organisational problems, indirectly affect the success rate of real-world cyber-attacks, for instance, due to lack of respect for existing policies, or other potentially detrimental behaviour of employees. This also includes user-motivated security incidents, threats of human error by insiders, and the role of human vulnerabilities in successful cyber-attacks. The human factor is another rough measure of the softness of the target, but in contrast to the commoditisation level, it links to an internal point of view. This is evaluated using an internally run assessment, performed using a “grey-box” approach [7], and the vulnerabilities detected are not necessarily all known and abused by real attackers. However, they are a proactive indicator for the enterprise of which cyber-attacks could potentially occur.

Among these elements, only the quantification of the commoditisation level, of the exposure of the target and the human factor can be partially automated and integrated into the HERMENEUT cost-benefit framework. They also represent the most challenging and less explored elements – and therefore lead to key innovations delivered by HERMENEUT.
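The risk model described above (risk = likelihood × vulnerability × impact, with likelihood built from the five elements), worked through as an added example; this is not HERMENEUT's own code. It assumes an equal-weighted mean for the likelihood elements, a 0..1 score per element, impact as the sum of tangible and intangible value, and constructed sample assets; it then ranks assets by risk and asks which of the three elements HERMENEUT quantifies would save the most risk if reduced, which is the cost-benefit question the framework targets.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five likelihood elements named in the text, each scored in [0, 1]
# (1 = most favourable to the attacker). Equal weights are an assumption.
ELEMENTS = ("business_plan", "commoditisation", "opsec", "exposure", "human_factor")
AUTOMATABLE = ("commoditisation", "exposure", "human_factor")  # the three HERMENEUT quantifies

@dataclass
class Asset:
    name: str
    elements: Dict[str, float]   # element name -> score in [0, 1]
    vulnerability: float         # [0, 1], from the vulnerability assessment
    tangible_value: float        # monetary value directly at stake
    intangible_value: float      # IP, brand, ... (often more than half of enterprise value)

def likelihood(elements: Dict[str, float], weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted mean of the five elements (equal weights by default: an assumption)."""
    weights = weights or {e: 1.0 for e in ELEMENTS}
    for e in ELEMENTS:
        if not 0.0 <= elements[e] <= 1.0:
            raise ValueError(f"{e} must be in [0, 1], got {elements[e]}")
    return sum(weights[e] * elements[e] for e in ELEMENTS) / sum(weights.values())

def risk(asset: Asset) -> float:
    """HERMENEUT definition: risk = likelihood x vulnerability x impact."""
    impact = asset.tangible_value + asset.intangible_value
    return likelihood(asset.elements) * asset.vulnerability * impact

def rank_assets(assets: List[Asset]) -> List[Asset]:
    """Highest-risk assets first: where the mitigation budget should go."""
    return sorted(assets, key=risk, reverse=True)

def best_mitigation(asset: Asset, reduction: float = 0.2) -> Tuple[str, float]:
    """Of the three automatable elements, which one, if cut by `reduction` (relative),
    saves the most risk? Returns (element, risk saved in the impact's monetary unit)."""
    base, best = risk(asset), ("", 0.0)
    for e in AUTOMATABLE:
        trial = dict(asset.elements, **{e: asset.elements[e] * (1.0 - reduction)})
        saved = base - risk(Asset(asset.name, trial, asset.vulnerability,
                                  asset.tangible_value, asset.intangible_value))
        if saved > best[1]:
            best = (e, saved)
    return best

# Constructed sample data, not taken from the page.
CRM_DB = Asset("crm_db", dict(zip(ELEMENTS, (0.5, 0.5, 0.5, 0.7, 0.9))), 0.6, 100_000, 400_000)
PATENTS = Asset("patents", dict(zip(ELEMENTS, (0.3, 0.4, 0.5, 0.3, 0.3))), 0.4, 50_000, 2_000_000)

if __name__ == "__main__":
    for a in rank_assets([CRM_DB, PATENTS]):
        print(f"{a.name}: risk={risk(a):,.0f} best_mitigation={best_mitigation(a)}")
```

Note that the low-likelihood patents asset still outranks the CRM database because of its intangible value, which is the point the page makes about intangible assets.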

[1] M. Johnson, Cyber crime, security and digital intelligence, London: Routledge, 2016.

[2] K. Thomas, D. Yuxing Huang, D. Wang, E. Bursztein, C. Grier, T. J. Holt, C. Kruegel, D. McCoy, S. Savage and G. Vigna, “Framing Dependencies Introduced by Underground Commoditization,” in Workshop on the Economics of Information Security (2015), 2015.

[3] FRONTEX, “CIRAM Common Integrated Risk Analysis Model,” Warsaw, 2012.

[4] For example, refer to HavocScope.

[5] R. K. a. S. Jessop, “Asset Managers Urged to Make Cyber Risk Top Priority,” Insurance Journal, September 2015.

[6] Digital shadow is defined as “A digital shadow, a subset of a digital footprint, consists of exposed personal, technical or organisational information that is often highly confidential, sensitive or proprietary. As well as damaging the brand, a digital shadow can leave your organisation vulnerable to corporate espionage and competitive intelligence. Worse still, criminals and hostile groups can exploit a digital shadow to find your organisation’s vulnerabilities and launch targeted cyber-attacks against them”.

[7] Grey-box is a typical way of performing security tests where some insight into the tested systems is known to the testers.

[8] E. Frumento, C. Lucchiari and G. Pravettoni, “Cognitive approach for social engineering,” in DeepSec, Wien, 2010.