Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a range of factors including the cost of their attacks. A study of current risk assessment literature and industry practice shows that consideration of this cost is a notable gap in the understanding of adversaries. The factors of cost experienced by an adversary are established in this paper as Time, Finance, and Risk, supported by a practical study undertaken with relevant security practitioners. Using these factors as a base, a framework is proposed and developed to support the probabilistic determination of cost incurred by an adversary. This framework is an important extension to existing cyber security risk assessments, and is demonstrated in the paper through the use of a case study.

典型的网络安全风险评估方法着眼于所考虑的系统，其漏洞以及在系统受到破坏时产生的影响。但是，网络安全越来越需要预测智能对手的行动，他们会根据一系列因素（包括攻击成本）做出决定。对当前风险评估文献和行业实践的研究表明，考虑此成本是在了解对手方面的显着差距。在与相关安全从业人员进行的实际研究的支持下，本文将对手所经历的成本因素确定为时间，财务和风险。以这些因素为基础，提出并开发了一个框架，以支持概率确定敌方造成的费用。