Measuring Return on Attack: Combining Exploit Market Data with Attack Trees (CEMDAT)

Information security economics asks "is this secure enough?" rather than the traditional question "is this secure?" To address the economic question, security investment models have been introduced over the past 20 years or so at the Workshop on the Economics of Information Security and related venues.

Nevertheless, it is generally accepted that a significant gap remains between abstract models such as the Gordon–Loeb model and the data that could ultimately parameterize such models to support those responsible for deciding how and where to invest in security solutions.

This project will proceed in a bottom-up manner by beginning with a data source, namely publicly available exploit prices, and building a modelling framework around it.
The resulting insights have the potential to quantify how the cost to the adversary (whom we might imagine intends to compromise a software system) varies depending on the capabilities the adversary already holds.
These cost estimates can be fed into Return on Attack (ROA) models to support real-world decisions.
Defenders can then invest in security solutions until the Return on Attack is no longer profitable for the attacker. (Non-rational attackers complicate this.)
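To make the reasoning above concrete, here is an added example (not code from the project or its authors) of a minimal attack tree whose leaves carry exploit prices: it computes the adversary's cheapest path, a Return on Attack figure, and then re-computes both after a defensive investment raises the price of one capability. All node names, prices, the attacker's expected gain and the simple ROA ratio used are constructed assumptions for illustration.

```python
# Added example: attack tree with exploit-price leaves feeding a Return on Attack
# (ROA) calculation.  Every figure below is constructed, not market data.
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    name: str
    kind: str = "leaf"                 # "leaf", "and" or "or"
    cost: float = 0.0                  # leaf only: assumed exploit price (USD)
    children: List["Node"] = field(default_factory=list)

def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """(minimum attacker cost, leaves used) to reach this node's goal.
    AND nodes sum their children's cheapest costs; OR nodes take the minimum."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    sub = [cheapest_attack(c) for c in node.children]
    if node.kind == "and":
        return sum(c for c, _ in sub), [leaf for _, leaves in sub for leaf in leaves]
    return min(sub, key=lambda r: r[0])

def return_on_attack(expected_gain: float, attack_cost: float) -> float:
    """Assumed ROA form: net gain per unit of attacker spend (negative = unprofitable)."""
    return (expected_gain - attack_cost) / attack_cost

def with_leaf_cost(node: Node, leaf: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf re-priced: a defensive investment modelled
    as raising what the attacker must pay for that capability."""
    if node.kind == "leaf":
        return Node(node.name, "leaf", new_cost if node.name == leaf else node.cost)
    return Node(node.name, node.kind, 0.0,
                [with_leaf_cost(c, leaf, new_cost) for c in node.children])

# Constructed tree: two alternative routes to the same goal.
GOAL = Node("exfiltrate_customer_db", "or", children=[
    Node("via_workstation", "and", children=[
        Node("browser_rce_exploit", cost=80_000),
        Node("sandbox_escape_exploit", cost=50_000)]),
    Node("via_remote_access", "and", children=[
        Node("purchased_credential", cost=10_000),
        Node("vpn_appliance_exploit", cost=40_000)])])
ASSUMED_GAIN = 100_000  # constructed: attacker's expected payoff (USD)

def assess(tree: Node = GOAL, gain: float = ASSUMED_GAIN) -> Tuple[float, List[str], float]:
    cost, path = cheapest_attack(tree)
    return cost, path, return_on_attack(gain, cost)

if __name__ == "__main__":
    print("before:", assess())   # cheapest route is via remote access, ROA 1.0
    # Defender hardens the VPN appliance so that leaf is priced like a 0-day (constructed).
    print("after: ", assess(with_leaf_cost(GOAL, "vpn_appliance_exploit", 150_000)))
```

After the hardening step the cheapest remaining route costs more than the assumed gain, so ROA turns negative: this is the "invest until the attack is no longer profitable" stopping rule in miniature, for a rational attacker.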