In cybersecurity, risk is commonly measured by impact and probability. The former is objectively measured based on the consequences of using technology to obtain business gains or to achieve business objectives. The latter has been measured, in sectors such as finance or insurance, based on historical data, because vast information is available there, and many other fields have applied the same approach. In cybersecurity, however, as a new discipline, historical data to support an objective measure of probability is not always available; the data that does exist is not public, and there is no consistent format for storing and sharing it, so a new approach is required to measure the incidence of cybersecurity events. Through a comprehensive analysis of the state of the art, including current methodologies, frameworks, and incident data, and considering the tactics, techniques, and procedures (TTP) used by attackers, indicators of compromise (IOC), and defence controls, this work proposes a data model that describes a cyber exposure profile and provides an indirect but objective measure of likelihood, including different sources and metrics with which to update the model when needed. We further propose a set of practical, quantifiable metrics for risk assessment, enabling cybersecurity practitioners to measure likelihood without relying solely on historical incident data. By combining these metrics with our data model, organizations gain an actionable framework for continuously refining their cybersecurity strategies.