Defining threats across organizational boundaries

Threats against systems are continually changing and evolving. The ability to secure systems against them is an ongoing battle. One of the most difficult responsibilities that security experts face is the need to take the intangible threats and complex security information and explain it to stakeholders with enough clarity as to allow for decision making. There are typically, multiple levels of stakeholders, needing various levels of brevity or insight in order to react to the information. The Chief Executive Officer (CEO) needs brevity, the lead security engineer needs enough information in order to make technical trade-offs.Both Bayesian networks and concept mapping are based on patterns. They both look to provide insight into information based on pattern relations. Bayesian networks provide a method to look at the probabilities associated with events occurring. Concept maps show perceived regularities in events or objects by the use of labels. The use of concept maps has been shown to provide a means of describing complex ideas in a simple manner, such as is necessary when dealing with higher levels of management. Bayesian networks can be used to describe the detailed probabilities of something occurring, as is useful when working with engineers. The purpose of this paper is to show how the hybrid use of concept maps and Bayesian networks to outline the same information can be useful for providing threat information across organizational boundaries.