Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 49

Making the Case for Cybersecurity
3.2 REIMAGINING RISK AS STRUCTURED INFERENCE
This transformation begins with a new conceptual foundation: risk is not a score; it is a structured situation. It exists when a motivated attacker can exploit a system-specific vulnerability to harm a mission-relevant asset. This condition must be supported by traceable evidence about the system, its exposures, and its defenses.
In this framework, each risk involves a structured argument: a chain of logical subclaims about attackers, attack paths, system vulnerabilities, mitigation gaps, and potential impacts. These claims are orchestrated by an assurance argument that does not sit passively at the end of the pipeline, but instead drives the inference of knowledge, the propagation of evidence, and the triggering of analytic actions.
Automation becomes possible because each claim type has defined inputs, semantic meaning, and justifiable outputs. The pipeline is no longer a sequence of tools; it becomes a reasoning engine, producing machine-consumable narratives of risk.
Figure 3-1: Risk claim structure.
3.3 THE ATTACK-CENTRIC RISK CLAIM STRUCTURE THAT SUPPORTS AUTOMATION
At the heart of this reasoning structure lies a critical design decision: attack is the common denominator of all risk logic. Every risk ultimately resolves to the presence of one or more technically feasible, insufficiently mitigated attack paths.
This is not just a modeling convenience; it is what enables automated inference and integration with external cybersecurity knowledge. Repositories like MITRE ATT&CK (offensive techniques) and MITRE D3FEND (defensive techniques) organize knowledge around attacks. By aligning risk claims to this structure, we enable the flow of curated, community-maintained knowledge into bespoke security assessments.
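The following Python sketch is an added worked example of the claim structure described in sections 3.2 and 3.3; it is not the report's own tooling or code. It models the subclaims (attacker capability, attack path, system-specific vulnerability, mitigation gap, mission-relevant impact) as typed inputs, resolves the top-level risk claim from them, and emits a machine-consumable narrative. The ATT&CK technique IDs T1190 and T1078 and the D3FEND technique ID D3-MFA are real catalogue identifiers, but the mapping of D3-MFA to T1078, the scenario data, and every class and function name here are constructed assumptions for illustration. The example also enforces the evidence requirement from 3.2: a claim whose subclaims lack traceable evidence is reported as unsupported rather than as a risk verdict.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed illustration of the attack-centric risk-claim structure.
# Not the report's tooling; catalogue mapping (D3-MFA counters T1078) is an assumption.


@dataclass
class Evidence:
    source: str       # where the fact came from (scanner, config export, threat intel, ...)
    statement: str


@dataclass
class Attacker:
    profile: str
    techniques: set[str]                     # ATT&CK technique IDs the attacker is assessed to use
    evidence: list[Evidence] = field(default_factory=list)


@dataclass
class Vulnerability:
    asset: str
    enables: set[str]                        # techniques this system-specific weakness makes feasible
    evidence: list[Evidence] = field(default_factory=list)


@dataclass
class Mitigation:
    d3fend_id: str
    counters: set[str]                       # techniques it blocks (assumed mapping)
    deployed: bool
    evidence: list[Evidence] = field(default_factory=list)


@dataclass
class RiskClaim:
    asset: str
    mission_relevant: bool
    attacker: Attacker
    path: list[str]                          # ordered ATT&CK technique IDs forming the attack path
    vulnerabilities: list[Vulnerability]
    mitigations: list[Mitigation]
    impact_evidence: list[Evidence] = field(default_factory=list)


def evaluate(claim: RiskClaim) -> dict:
    """Resolve the risk claim into its subclaims; every verdict is traceable to a subclaim."""
    enabled: set[str] = set()
    for v in claim.vulnerabilities:
        if v.asset == claim.asset:           # only vulnerabilities on this asset count
            enabled |= v.enables
    incapable = [t for t in claim.path if t not in claim.attacker.techniques]
    unenabled = [t for t in claim.path if t not in enabled]
    # A deployed mitigation that counters any single step breaks the whole chain.
    blocked = [t for t in claim.path
               if any(m.deployed and t in m.counters for m in claim.mitigations)]
    subclaims = [
        {"claim": "attacker can execute every step", "holds": not incapable, "detail": incapable},
        {"claim": "every step is enabled by a system-specific vulnerability",
         "holds": not unenabled, "detail": unenabled},
        {"claim": "no deployed mitigation breaks the chain", "holds": not blocked, "detail": blocked},
        {"claim": "the asset is mission-relevant", "holds": claim.mission_relevant, "detail": claim.asset},
    ]
    evidence_sets = [claim.attacker.evidence, claim.impact_evidence,
                     *(v.evidence for v in claim.vulnerabilities),
                     *(m.evidence for m in claim.mitigations)]
    if not all(evidence_sets):               # an unevidenced subclaim yields no verdict at all
        status = "unsupported"
    elif all(s["holds"] for s in subclaims):
        status = "risk_present"
    else:
        status = "no_risk"
    narrative = (f"{claim.attacker.profile} against {claim.asset} via {' -> '.join(claim.path)}: "
                 f"{status}; " + "; ".join(f"{s['claim']}: {'yes' if s['holds'] else 'no'}"
                                            for s in subclaims))
    return {"asset": claim.asset, "status": status, "subclaims": subclaims,
            "blocked_steps": blocked, "narrative": narrative}


def build_scenario(mfa_deployed: bool, with_evidence: bool = True) -> RiskClaim:
    """Constructed sample: an internet-facing API in front of a mission-critical customer database."""
    def ev(src: str, txt: str) -> list[Evidence]:
        return [Evidence(src, txt)] if with_evidence else []
    attacker = Attacker("external, financially motivated", {"T1190", "T1078"},
                        ev("threat-intel", "sector reporting shows this technique pairing"))
    vulns = [
        Vulnerability("customer-db-api", {"T1190"}, ev("scanner", "unpatched web framework")),
        Vulnerability("customer-db-api", {"T1078"}, ev("config-export", "password-only logins permitted")),
    ]
    mitigations = [Mitigation("D3-MFA", {"T1078"}, mfa_deployed,
                              ev("idp-config", f"MFA enforced: {mfa_deployed}"))]
    return RiskClaim("customer-db-api", True, attacker, ["T1190", "T1078"], vulns, mitigations,
                     ev("bia", "database holds regulated customer records"))


if __name__ == "__main__":
    for deployed in (False, True):
        print(evaluate(build_scenario(mfa_deployed=deployed))["narrative"])
```

Running it shows the same attack path resolving to `risk_present` when MFA is absent and to `no_risk` once a deployed D3-MFA control breaks the chain at T1078; the `subclaims` list is the machine-consumable record of which link of the argument changed. Dropping the evidence turns the verdict into `unsupported`, which is the behaviour a reasoning engine needs so that a missing input is never silently read as "no risk".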
44 May 2025