Measuring likelihood in cybersecurity
Abstract
Cybersecurity risk is commonly expressed through impact and likelihood, yet likelihood remains difficult to estimate because cyber incidents are underreported, heterogeneous datasets are weakly comparable, and attacker behaviour changes faster than conventional probability baselines. This article proposes a pipeline for operationalizing likelihood through a cyber exposure profile that integrates external cyber knowledge and organization specific telemetry into a graph based representation. The contribution is a formally specified artifact chain, from unified data model through organization specific profiling, metric registry, likelihood scoring, and control prioritization, that operationalizes four constructs grounded in incident evidence: Exposure, Traceability, Motivation, and Systems Update. The pipeline provides a pathway from heterogeneous source evidence to a bounded likelihood indicator comparable across organizations and observation periods. An evaluation in 15 real organizations shows that those implementing the cyber exposure profile were associated with reduced incident frequency and faster detection and response times, providing preliminary empirical support for the framework directional claims.
Cite
@article{arxiv.2504.15395,
title = {Measuring likelihood in cybersecurity},
author = {Pablo Corona-Fraga and Vanessa Diaz-Rodriguez and Jesus Manuel Niebla-Zatarain and Gabriel Sanchez-Perez and Edward J. Humphreys},
journal= {arXiv preprint arXiv:2504.15395},
year = {2026}
}