R&D

Defining the Basal Attractiveness Concept for Cybercriminals

DICYME Team | May 06, 2024

Organizations are facing more frequent and diverse cyber incidents that pose significant risks to their operations and reputations. The DICYME team is working on a novel approach to measure the baseline attractiveness of organizations to cyber attackers based on the inherent attributes that define the organization. By leveraging these attributes and integrating machine learning techniques, this methodology aims to provide a more precise assessment of an organization's exposure to cyber incidents.

What is Basal Attractiveness?

Basal Attractiveness is a new cybersecurity risk metric that measures inherent qualities or characteristics that make a company an attractive target for cyber attacks. Unlike models that rely on dynamic or external factors (e.g., current threat landscapes), this approach focuses on static, company-specific attributes that remain relatively stable over time also called firmographic data. They are especially significant for actors seeking economic gain or reputation without a specific target.

 

Key components of Basal Attractiveness

The assessment of Basal Attractiveness relies on several intrinsic attributes of an organization:

  • Country: certain nations are more frequently targeted due to geopolitical factors, economic status, or regulatory differences.

  • Industry sector: some industries, such as finance or healthcare, store valuable data and are therefore more attractive targets.

  • Revenue and earnings: high-revenue and profitable companies are often targeted for financial extortion.

  • Publicly traded status: public companies may face threats related to stock price manipulation and corporate espionage.

  • Number of employees: a larger workforce increases the attack surface, making social engineering attacks more viable.

  • Profitable: profitable companies might be perceived as lucrative targets.

 

How is Basal Attractiveness measured?

To quantify a company’s attractiveness to cybercriminals, a rule mining and machine learning approach has been developed within the DICYME Project. This methodology consists of the following steps:

  1. Data collection: gathering firmographic attributes from companies that have been confirmed victims of cyber incidents.

  2. Identification of similar companies: expanding the dataset by including organizations that share key characteristics with confirmed victims.

  3. Rule mining analysis: extracting hidden patterns from cyber incidents using rule-based techniques.

  4. Decision Tree classification: training a classifier to estimate the likelihood of an organization experiencing a cyber incident, assigning it a score between 0 and 1, where a higher score represents greater attractiveness to cybercriminals.

 

Results and limitations

Experiments conducted using real-world datasets have demonstrated promising results, indicating that companies with a higher Basal Attractiveness score are more likely to experience cyber incidents. The model shows high accuracy and F1-score, successfully differentiating between high-risk and low-risk organizations.

basal_blog

However, there are certain limitations to consider:

  • The model relies exclusively on confirmed cyber incidents, as there is no reliable data on unsuccessful attacks or attack attempts.

  • Measuring failed attacks is inherently difficult—what qualifies as an attempt? A port scan? A phishing email? A brute-force login? Without standardized metrics, with publicly accessible data only known incidents can be analyzed, which may limit broader attack trend detection.

 

Future work: dynamic risk components

To enhance this methodology, ongoing research is exploring the integration of dynamic cybersecurity factors into the model. Some proposed improvements include:

  • Real-time monitoring: tracking online discussions about a company on social media, hacker forums, and the dark web to identify emerging threats.

  • Threat intelligence integration: incorporating indicators such as public vulnerabilities (CVEs), leaked credentials, and exposure in underground markets.

  • Expanding dataset sources: combining public and private cybersecurity data feeds to improve model accuracy and risk prediction.

With these enhancements, the DICYME project aims to advance cyber risk assessment methodologies, helping organizations develop proactive security strategies to mitigate cyber threats before they materialize.