Attack graphs deduce the attack paths based on the identified vulnerabilities, the existing network topology, and the applied network access controls. The exploitation likelihood of the paths derived from the Common Vulnerability Scoring System (CVSS) values of the vulnerabilities provides an important input to risk assessments. This paper focuses on the identification of attacker skill levels required for exploiting the attack paths. First, we elicited expert knowledge for the determination of skill level categories and their detailed descriptions. Second, we systematically applied the elicited knowledge to the attack graphs. This skill level categorization method can provide a significant contribution to the design of hands-on offensive cyber games as it enables to balance the skills of participants and difficulty of game tasks. It also improves the threat analysis capability of organizations by demonstrating the possible infiltration ways of threat actors depending on their skill levels.
[2]
D M Faissol,et al.
Taxonomies of Cyber Adversaries and Attacks: A Survey of Incidents and Approaches
,
2009
.
[3]
Anoop Singhal,et al.
Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs
,
2011
.
[4]
Ahmad Akbari,et al.
CVSS-based security metrics for quantitative analysis of attack graphs
,
2013,
ICCKE 2013.
[5]
Karen Scarfone,et al.
Common Vulnerability Scoring System
,
2006,
IEEE Security & Privacy.
[6]
David H. Tobey,et al.
An Argument for Game Balance: Improving Student Engagement by Matching Difficulty Level with Learner Readiness
,
2014,
3GSE.
[7]
John T. Michalski,et al.
Cyber Threat Metrics
,
2012
.