Proactive cyber-risk assessment is gaining momentum due to the wide range of sectors that can benefit from the prevention of cyber-incidents. The increasing connectivity of digital and (cyber-)physical systems requires more attention to cybersecurity to enhance the integrity, confidentiality, and availability of data. We introduce a statistical framework for the prioritisation of cyber-vulnerabilities, using robust and interpretable regression models to support decision-making. Specifically, we take advantage of mid-quantile regression to deal with ordinal risk assessments, and we compare it to current alternatives for cyber-risk ranking and graded responses, identifying a novel accuracy measure suited for rankings with partial knowledge of existing vulnerabilities. Our model is tested on both simulated and real data from selected databases that support the exploitation of cyber-vulnerabilities in real contexts. The variety of information arising from such datasets allows us to compare multiple models based on their predictive performance, showing how accessible information can influence perception and, hence, decision-making in operational scenarios. Applications to threat intelligence are discussed too.
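The abstract refers to two ideas that are easy to lose in prose: the mid-distribution function that mid-quantile regression is built on, which turns a discrete ordinal severity scale into a continuous quantile function, and the evaluation of a vulnerability ranking when ground truth exists only for a subset of the items. The example below is added here and is not code from the paper. It computes marginal (unconditional) mid-quantiles of a constructed ordinal risk sample, which is the building block that the regression model conditions on covariates, and it scores a ranking against partial ground truth using Spearman correlation over the known subset. That Spearman score is a stand-in assumption, not the paper's novel accuracy measure, which the abstract does not specify; the four-level scale, the `VULN-*` identifiers and all scores are constructed.

```python
import math
from collections import Counter
from typing import Dict, Sequence

# Constructed ordinal risk scale (assumption): 1=Low, 2=Medium, 3=High, 4=Critical
LEVELS = (1, 2, 3, 4)

# Constructed sample of ordinal risk assessments for ten vulnerabilities.
SCORES = [1, 1, 2, 2, 2, 3, 3, 4, 4, 4]


def mid_distribution(scores: Sequence[int], levels=LEVELS) -> Dict[int, tuple]:
    """Map each level y_j to (p_j, F_j, G_j): its probability mass, the ordinary
    CDF F(y_j) and the mid-CDF G(y_j) = F(y_j) - p_j / 2."""
    n = len(scores)
    counts = Counter(scores)
    out, cum = {}, 0.0
    for y in levels:
        p = counts.get(y, 0) / n
        cum += p
        out[y] = (p, cum, cum - p / 2)
    return out


def mid_quantile(scores: Sequence[int], tau: float, levels=LEVELS) -> float:
    """Mid-quantile at level tau: linear interpolation of the points (G(y_j), y_j)
    over levels with positive mass, clamped to the lowest/highest observed level.
    Unlike an ordinary sample quantile it can fall between two ordinal levels."""
    md = mid_distribution(scores, levels)
    pts = [(md[y][2], y) for y in levels if md[y][0] > 0]
    if tau <= pts[0][0]:
        return float(pts[0][1])
    if tau >= pts[-1][0]:
        return float(pts[-1][1])
    for (g0, y0), (g1, y1) in zip(pts, pts[1:]):
        if g0 <= tau <= g1:
            return y0 + (y1 - y0) * (tau - g0) / (g1 - g0)
    raise AssertionError("tau not bracketed")  # unreachable after the clamps


def _avg_ranks(vals: Sequence[float]) -> list:
    """1-based ranks, ties receiving their average rank."""
    order = sorted(range(len(vals)), key=lambda i: vals[i])
    ranks = [0.0] * len(vals)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and vals[order[j + 1]] == vals[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def _pearson(a: Sequence[float], b: Sequence[float]) -> float:
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb)


def spearman_partial(predicted: Dict[str, float], known: Dict[str, int]) -> float:
    """Rank agreement between a model's priority scores and the ordinal ground
    truth, computed only over vulnerabilities whose true level is known.
    Assumption: this is an ordinary Spearman coefficient on the known subset,
    used here as a stand-in for a partial-knowledge ranking measure."""
    ids = [v for v in predicted if v in known]
    pred_ranks = _avg_ranks([predicted[v] for v in ids])
    true_ranks = _avg_ranks([known[v] for v in ids])
    return _pearson(pred_ranks, true_ranks)


# Constructed model output for six vulnerabilities; only four have a known level.
PREDICTED = {"VULN-A": 0.9, "VULN-B": 0.7, "VULN-C": 0.4,
             "VULN-D": 0.8, "VULN-E": 0.2, "VULN-F": 0.6}
KNOWN = {"VULN-A": 4, "VULN-B": 3, "VULN-C": 1, "VULN-E": 2}

if __name__ == "__main__":
    for y, (p, f, g) in mid_distribution(SCORES).items():
        print(f"level {y}: p={p:.2f} F={f:.2f} G={g:.2f}")
    print("mid-median:", mid_quantile(SCORES, 0.5))          # 2.6
    print("partial Spearman:", spearman_partial(PREDICTED, KNOWN))  # 0.8
```

On the constructed sample the mid-CDF is 0.10, 0.35, 0.60, 0.85 at the four levels, so the mid-median is 2.6 rather than the bare level 2 or 3 an ordinary ordinal quantile would return; that continuity is what lets a regression model estimate conditional mid-quantiles of a graded risk response. The ranking score uses the two unknown items (`VULN-D`, `VULN-F`) for nothing, which is the point: a measure for partial knowledge must be defined on the labelled subset and, operationally, its value should be reported together with how large that subset is.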