New cybersecurity model uses exposure, not statistics, to predict attacks

CO-EDP, VisionRI | Updated: 24-04-2025 09:45 IST | Created: 24-04-2025 09:45 IST
Representative Image. Credit: ChatGPT

With rapid technological evolution and increasingly sophisticated threats, traditional risk assessment methods are quickly losing their edge. Current approaches to measuring cybersecurity risk still rely heavily on outdated statistical methods and historical data sets - resources that are often incomplete, inconsistent, or simply unavailable in today’s dynamic threat environment. A new research study titled “Measuring Likelihood in Cybersecurity”, published on arXiv, introduces a revolutionary data science-driven model designed to calculate cybersecurity risk based on real-time exposure, rather than retrospective probabilities.

The research, led by Pablo Corona-Fraga and a multidisciplinary team of cybersecurity experts, proposes a model centered on a "cyber exposure profile." This profile, informed by the ATT&CK and D3FEND frameworks, quantifies organizational risk through four core variables: exposure, traceability, attacker motivation, and system update readiness. The goal is to enable decision-makers to measure likelihood indirectly, without depending on sparse or unreliable historical incident data, and use this insight to inform actionable cybersecurity strategies.

How Can Cybersecurity Risk Be Measured Without Historical Data?

In cybersecurity, events such as 0-day attacks often have no prior record, rendering traditional probabilistic models ineffective. The study challenges this reliance on historical probability, instead introducing a conceptual and mathematical shift from “probability” to “likelihood.” Likelihood, in this framework, is defined not by frequency of past events, but by the congruence between a proposed model and current organizational and threat indicators.

The researchers build upon foundational ideas from prospect theory and Bayesian inference to create a dynamic, responsive risk measurement formula. This model factors in the asymmetric nature of cyber risk: while the benefits of adopting a new technology are immediate and visible, the threats it exposes the organization to may remain dormant until triggered by malicious actors.

The study identifies two critical asymmetries in cybersecurity risk. First, time asymmetry—where risks manifest well after technological gains are realized. Second, gain/loss asymmetry—where the potential fallout from a single cyberattack can vastly outweigh the benefits that technology originally offered. These asymmetries mean that waiting for statistical patterns to emerge before acting is not only risky but also potentially disastrous. The proposed likelihood model accounts for this by assigning values to organizational behaviors and environmental factors that correlate with risk, rather than assuming recurrence patterns.

What Are the Practical Components of the Cyber Exposure Model?

The model introduced in the study quantifies risk likelihood using four measurable variables:

  1. Exposure: This includes the number of devices, public IP addresses, open ports, and privileged users. Higher exposure increases the likelihood of being targeted and breached.

  2. Traceability: Measures the organization’s ability to monitor and trace user behavior, log events, and assess access controls. Improved traceability reduces the chance of a successful undetected attack.

  3. Motivation: Reflects the potential payoff an attacker might gain from breaching the system—such as access to valuable data, business disruption leverage, or reputational damage. Motivation increases risk if the assets are highly desirable and poorly defended.

  4. System Updates: Evaluates how up-to-date the systems are and how quickly vulnerabilities are patched. Frequent and timely updates lower risk, while outdated systems contribute significantly to vulnerability.

The researchers implement a weighted formula:

Likelihood = (E^α × M^β) / (T^γ × U^δ)

where E = Exposure, M = Motivation, T = Traceability, U = System Updates, and α, β, γ, δ are context-dependent weight parameters. Each input is normalized between 0 and 1, making the model flexible and comparable across different organizations and industries.

To populate these variables, the model incorporates real-time data from API-accessible sources such as VirusTotal, Shodan.io, Google Safe Browsing, GreyNoise, and PhishTank. This integration enables the system to continuously update risk scores as network configurations, user behaviors, and threat landscapes evolve.

In addition to providing a static risk score, the model generates actionable controls mapped to ATT&CK and D3FEND taxonomies. This turns the output into a living cybersecurity strategy, where each data point corresponds to a specific action—such as reducing unnecessary privileges, closing unused ports, or deploying behavioral monitoring.

Does the Model Deliver Results in Real-World Environments?

To validate the proposed framework, the researchers implemented the model in three Mexican organizations from different sectors. The process included mapping each organization's infrastructure into a machine-readable format using Infrastructure as Code (IaC), assessing baseline cybersecurity posture, applying the model, and re-evaluating after implementing recommended controls.

The results were substantial:

  • Incident reduction ranged from 35% to 47% across all three organizations.
  • Logging coverage improved from below 50% to over 80–90%.
  • Privileged user counts were significantly reduced, enhancing access control hygiene.
  • Detection and response times dropped by as much as 26%.

More importantly, the model proved effective in shaping long-term strategy. Rather than just offering a snapshot of current vulnerabilities, it created a feedback loop. Controls were classified and aligned with ISO/IEC 27002 and NIST standards, enabling better audit readiness and regulatory compliance. One organization met PCI-DSS compliance, and another significantly improved alignment with ISO/IEC 27001 requirements.

In practice, the model’s strength lies not just in calculating abstract risk metrics, but in translating those metrics into resource allocation decisions. For example, if system update scores are low, the model might suggest critical patch management initiatives. If exposure is high due to excessive privileged accounts, it may call for identity access management reforms. In this way, risk metrics become a direct catalyst for cyber defense implementation.
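As an added worked example (not code from the paper or the article), the likelihood formula given above is carried through for one constructed organisation, scored before and after applying controls, together with a what-if ranking in the spirit of the resource-allocation step described in this paragraph. The raw indicators, the reference scales, the normalisation of the counts, the weights, the epsilon floor and the improvement step sizes are all assumptions made for the example; the paper specifies only the formula shape and the four variables.

```python
"""Constructed example of the exposure-profile likelihood formula.

Added here for illustration; it is not the paper's reference implementation.
The paper supplies only the formula shape and the four variables. The raw
indicators, the reference scales, the normalisation, the weights, the epsilon
floor and the what-if step sizes are all assumptions made in this file.
"""

# Reference scale per raw indicator: the value at which the normalised score
# saturates at 1.0 (assumed, chosen to keep the arithmetic easy to follow).
SCALE = {
    "public_ips": 50,
    "open_ports": 500,
    "privileged_users": 40,
    "log_coverage_pct": 100,
    "patch_lag_days": 90,
}


def clamp01(x: float) -> float:
    """Clamp a value into the closed unit interval [0, 1]."""
    return max(0.0, min(1.0, float(x)))


def exposure_score(public_ips: float, open_ports: float, privileged_users: float) -> float:
    """E: mean of the exposure counts scaled against their reference maxima (assumed aggregation)."""
    parts = [
        public_ips / SCALE["public_ips"],
        open_ports / SCALE["open_ports"],
        privileged_users / SCALE["privileged_users"],
    ]
    return clamp01(sum(parts) / len(parts))


def traceability_score(log_coverage_pct: float) -> float:
    """T: share of assets and events covered by logging, as a fraction."""
    return clamp01(log_coverage_pct / SCALE["log_coverage_pct"])


def update_score(patch_lag_days: float) -> float:
    """U: 1.0 when patches land immediately, 0.0 once lag reaches the scale."""
    return clamp01(1.0 - patch_lag_days / SCALE["patch_lag_days"])


def likelihood(E, M, T, U, alpha=1.0, beta=1.0, gamma=1.0, delta=1.0, eps=0.05):
    """Likelihood = (E^alpha * M^beta) / (T^gamma * U^delta).

    All inputs must already be normalised to [0, 1]. T and U are floored at
    eps (assumed guard) so that an organisation with no logging or no patching
    yields a large finite value rather than a ZeroDivisionError.
    """
    for name, v in (("E", E), ("M", M), ("T", T), ("U", U)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be normalised to [0, 1], got {v}")
    return (E ** alpha * M ** beta) / (max(T, eps) ** gamma * max(U, eps) ** delta)


def profile_likelihood(p: dict, **weights) -> float:
    """Score one organisation's raw exposure profile (dict of indicators)."""
    E = exposure_score(p["public_ips"], p["open_ports"], p["privileged_users"])
    T = traceability_score(p["log_coverage_pct"])
    U = update_score(p["patch_lag_days"])
    return likelihood(E, p["motivation"], T, U, **weights)


# What-if levers: each maps a raw indicator to the control family the article
# names and to an assumed improvement step used only for ranking.
LEVERS = {
    "open_ports": ("close unused ports", lambda v: v * 0.75),
    "privileged_users": ("reduce unnecessary privileges", lambda v: v * 0.75),
    "log_coverage_pct": ("deploy logging / behavioural monitoring", lambda v: min(100.0, v + 25.0)),
    "patch_lag_days": ("patch management initiative", lambda v: v * 0.5),
}


def rank_controls(p: dict, **weights) -> list:
    """Rank levers by the likelihood left after applying each one alone.

    Returns [(indicator, control, new_likelihood), ...], lowest value first,
    i.e. the control that would cut likelihood the most comes first.
    """
    ranked = []
    for key, (control, improve) in LEVERS.items():
        trial = {**p, key: improve(p[key])}
        ranked.append((key, control, profile_likelihood(trial, **weights)))
    return sorted(ranked, key=lambda r: r[2])


# Constructed before/after profiles for one hypothetical organisation.
BEFORE = {"public_ips": 20, "open_ports": 300, "privileged_users": 30,
          "log_coverage_pct": 45, "patch_lag_days": 60, "motivation": 0.8}
AFTER = {**BEFORE, "open_ports": 120, "privileged_users": 12,
         "log_coverage_pct": 85, "patch_lag_days": 20}

if __name__ == "__main__":
    print(f"before: {profile_likelihood(BEFORE):.3f}")  # ≈ 3.111
    print(f"after:  {profile_likelihood(AFTER):.3f}")   # ≈ 0.379
    for key, control, value in rank_controls(BEFORE):
        print(f"{key:18s} -> {control:40s} likelihood {value:.3f}")
```

Two properties of the formula as the article states it are worth noticing when running this. Because it is a ratio, the score is not bounded above: as traceability or update readiness approaches zero the value grows without limit, which is why the example floors T and U at a small epsilon. And because the weights are exponents, they change not only the magnitude of the score but which single control ranks first in the what-if comparison, so the weights chosen for a given organisation directly shape the resource-allocation advice the model produces.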

First published in: Devdiscourse