Design and Implementation of a Business-driven Threat Quantification Framework

Nowadays, companies and organizations invest in cybersecurity more and more as they are operating with digital information systems. Cyber risk management presents a welldefined path toward the management of critical assets, threats, and countermeasures. Within cyber risk management, threat modeling is a structured process to identify potential threats, and in this process, it is significant to evaluate each threat and estimate its potential impacts. Although threat modeling methodologies have been developed in depth, most of them focus on threat identification in di↵erent contexts, while how to quantify their impact for further inspection is less discussed. This thesis works on designing a framework to fill in this gap. The main outcome of this thesis is a framework that guides users to evaluate and quantify cyber threats in business contexts. The framework integrates applicable business impacts, calculates and visualizes the impacts of cyber threats, providing users with an intuitive picture of cyber threats analysis in the view of business. The prototype is well developed and properly evaluated, and the usability of the prototype is of satisfaction.