{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:59:30Z","timestamp":1776074370989,"version":"3.50.1"},"reference-count":20,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2026,2,5]],"date-time":"2026-02-05T00:00:00Z","timestamp":1770249600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,2,5]],"date-time":"2026-02-05T00:00:00Z","timestamp":1770249600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"abstract":"Abstract<\/jats:title>\n Modern organisations face a cyber threat landscape that evolves faster than traditional qualitative risk scoring can adapt. It is important for organisations to keep pace with adversaries\u2019 tactics and react accordingly. This paper develops a quantitative cyber risk assessment framework that integrates Bayesian statistical analysis with system specific hazard mapping. Drawing on the Cyber Security Body of Knowledge (CyBOK) Risk Management and NIST guidance, the study maps unacceptable and acceptable losses to hazards, links hazards to MITRE ATT&CK tactics and onto broader threat categories; and Bayes\u2019 Theorem is applied to update threat probabilities as new cyber threat intelligence (CTI) is ingested. A proof of concept spreadsheet tool was developed - it ingests CTI pulses from publicly available feeds and recalculates hazard probabilities for each system, producing dynamic risk scores and dashboards. Evaluation using a simulated vulnerability set shows that the tool reprioritises hazards based on current exploitation activity: vulnerabilities with recent CTI evidence receive higher posterior probabilities than those with similar CVSS (Common Vulnerability Scoring System) scores but no active threats. The tool\u2019s transparency and its value in bridging technical risk data with organisational decision making, while noting the manual effort hazard mapping process as a candidate for future automation are the key observations. The study concludes that simple Bayesian updating, when combined with system context, provides an accessible yet rigorous approach to threat quantification and lays the foundation for future automation and dependency modelling.<\/jats:p>","DOI":"10.1007\/s10207-026-01220-6","type":"journal-article","created":{"date-parts":[[2026,2,5]],"date-time":"2026-02-05T06:00:48Z","timestamp":1770271248000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Quantifying cyber threat using Bayesian statistical analysis"],"prefix":"10.1007","volume":"25","author":[{"given":"Sajeev","family":"Thevaratnam","sequence":"first","affiliation":[]},{"given":"Zeinab","family":"Rezaeifar","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,2,5]]},"reference":[{"key":"1220_CR1","unstructured":"NVD - Vulnerability Metrics \u2014 nvd.nist.gov. https:\/\/nvd.nist.gov\/vuln-metrics\/cvss, [Accessed 01-09-2025]"},{"key":"1220_CR2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2024.110446","volume":"247","author":"SM AlHidaifi","year":"2024","unstructured":"AlHidaifi, S.M., Asghar, M.R., Ansari, I.S.: Towards a cyber resilience quantification framework (crqf) for it infrastructure. Comput. Netw. 247, 110446 (2024)","journal-title":"Comput. Netw."},{"issue":"8","key":"1220_CR3","first-page":"123","volume":"9","author":"H Altwaijry","year":"2011","unstructured":"Altwaijry, H., Algarny, S.: A network intrusion detection system based on a hidden na\u00efve bayes multiclass classifier. International Journal of Computer Science and Information Security 9(8), 123\u2013128 (2011)","journal-title":"International Journal of Computer Science and Information Security"},{"key":"1220_CR4","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2024.124572","volume":"255","author":"M Angelelli","year":"2024","unstructured":"Angelelli, M., Arima, S., Catalano, C., Ciavolino, E.: A robust statistical framework for cyber-vulnerability prioritisation under partial information in threat intelligence. Expert Syst. Appl. 255, 124572 (2024)","journal-title":"Expert Syst. Appl."},{"issue":"1","key":"1220_CR5","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1186\/s13677-023-00454-2","volume":"12","author":"D Behbehani","year":"2023","unstructured":"Behbehani, D., Komninos, N., Al-Begain, K., Rajarajan, M.: Cloud enterprise dynamic risk assessment (cedra): a dynamic risk assessment using dynamic bayesian networks for cloud environment. Journal of Cloud Computing 12(1), 79 (2023)","journal-title":"Journal of Cloud Computing"},{"key":"1220_CR6","unstructured":"Burnap, P.: The Cyber Security Body of Knowledge v1.1.0, 2021, chap. Risk Management & Governance. University of Bristol (2021), https:\/\/www.cybok.org\/, kA Version 1.1.1"},{"issue":"1","key":"1220_CR7","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1186\/s42400-021-00086-6","volume":"4","author":"S Chockalingam","year":"2021","unstructured":"Chockalingam, S., Pieters, W., Teixeira, A., van Gelder, P.: Bayesian network model to distinguish between intentional attacks and accidental technical failures: a case study of floodgates. Cybersecurity 4(1), 29 (2021)","journal-title":"Cybersecurity"},{"issue":"2","key":"1220_CR8","doi-asserted-by":"publisher","first-page":"105","DOI":"10.1016\/j.strusafe.2008.06.020","volume":"31","author":"A Der Kiureghian","year":"2009","unstructured":"Der Kiureghian, A., Ditlevsen, O.: Aleatory or epistemic? does it matter? Struct. Saf. 31(2), 105\u2013112 (2009)","journal-title":"Struct. Saf."},{"issue":"2","key":"1220_CR9","first-page":"361","volume":"35","author":"NE Fenton","year":"2015","unstructured":"Fenton, N.E., Neil, M., Marsh, W.: Using Bayesian networks to combine diverse evidence in security risk assessment. Risk Anal. 35(2), 361\u2013384 (2015)","journal-title":"Risk Anal."},{"key":"1220_CR10","doi-asserted-by":"publisher","first-page":"758","DOI":"10.1016\/j.psep.2021.03.031","volume":"149","author":"PG George","year":"2021","unstructured":"George, P.G., Renjith, V.: Evolution of safety and security risk assessment methodologies towards the use of bayesian networks in process industries. Process Saf. Environ. Prot. 149, 758\u2013775 (2021)","journal-title":"Process Saf. Environ. Prot."},{"key":"1220_CR11","unstructured":"Initiative, J.T.F.T.: NIST Special Publication (SP) 800-30 Rev. 1, Guide for Conducting Risk Assessments \u2014 csrc.nist.gov. https:\/\/csrc.nist.gov\/pubs\/sp\/800\/30\/r1\/final, [Accessed 01-09-2025]"},{"issue":"1","key":"1220_CR12","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1186\/s42400-023-00155-y","volume":"6","author":"A Kazeminajafabadi","year":"2023","unstructured":"Kazeminajafabadi, A., Imani, M.: Optimal monitoring and attack detection of networks modeled by bayesian attack graphs. Cybersecurity 6(1), 22 (2023)","journal-title":"Cybersecurity"},{"key":"1220_CR13","doi-asserted-by":"crossref","unstructured":"Lanigan, B., Rezaeifar, Z., Cruciani, F., Milliken, M., Vincent, J., Moore, S., Aaqib, M., Mills, A., Chouhan, P.K., Beard, A., et\u00a0al.: Alert correlation for intelligent threat detection and response. Intelligent Systems with Applications p. 200606 (2025)","DOI":"10.1016\/j.iswa.2025.200606"},{"issue":"2","key":"1220_CR14","doi-asserted-by":"publisher","first-page":"165","DOI":"10.1016\/S0888-613X(01)00039-1","volume":"27","author":"A Oni\u015bko","year":"2001","unstructured":"Oni\u015bko, A., Druzdzel, M.J., Wasyluk, H.: Learning bayesian network parameters from small data sets: application of noisy-or gates. Int. J. Approximate Reasoning 27(2), 165\u2013182 (2001)","journal-title":"Int. J. Approximate Reasoning"},{"key":"1220_CR15","doi-asserted-by":"publisher","first-page":"783","DOI":"10.1016\/j.procs.2024.05.166","volume":"237","author":"E Seid","year":"2024","unstructured":"Seid, E., Satheesh, S., Popov, O., Blix, F.: Fair: cyber security risk quantification in logistics sector. Procedia Computer Science 237, 783\u2013792 (2024)","journal-title":"Procedia Computer Science"},{"key":"1220_CR16","doi-asserted-by":"publisher","DOI":"10.1016\/j.ress.2023.109825","volume":"243","author":"E Uflaz","year":"2024","unstructured":"Uflaz, E., Sezer, S.I., Tun\u00e7el, A.L., Aydin, M., Akyuz, E., Arslan, O.: Quantifying potential cyber-attack risks in maritime transportation under dempster-shafer theory fmeca and rule-based bayesian network modelling. Reliability Engineering & System Safety 243, 109825 (2024)","journal-title":"Reliability Engineering & System Safety"},{"key":"1220_CR17","doi-asserted-by":"crossref","unstructured":"Xie, P., Li, J.H., Ou, X., Liu, P., Levy, R.: Using bayesian networks for cyber security analysis. In: 2010 IEEE\/IFIP international conference on dependable systems & networks (DSN). pp. 211\u2013220. IEEE (2010)","DOI":"10.1109\/DSN.2010.5544924"},{"issue":"2","key":"1220_CR18","doi-asserted-by":"publisher","first-page":"441","DOI":"10.1007\/s12008-018-0496-2","volume":"13","author":"M Yazdi","year":"2019","unstructured":"Yazdi, M.: Improving failure mode and effect analysis (fmea) with consideration of uncertainty handling as an interactive approach. International Journal on Interactive Design and Manufacturing (IJIDeM) 13(2), 441\u2013458 (2019). https:\/\/doi.org\/10.1007\/s12008-018-0496-2","journal-title":"International Journal on Interactive Design and Manufacturing (IJIDeM)"},{"issue":"1","key":"1220_CR19","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1080\/10807039.2018.1493679","volume":"26","author":"M Yazdi","year":"2020","unstructured":"Yazdi, M., Kabir, S.: Fuzzy evidence theory and bayesian networks for process systems risk analysis. Hum. Ecol. Risk Assess. Int. J. 26(1), 57\u201386 (2020)","journal-title":"Hum. Ecol. Risk Assess. Int. J."},{"issue":"10","key":"1220_CR20","doi-asserted-by":"publisher","first-page":"2275","DOI":"10.1111\/risa.13900","volume":"42","author":"P \u017bebrowski","year":"2022","unstructured":"\u017bebrowski, P., Couce-Vieira, A., Mancuso, A.: A bayesian framework for the analysis and optimal mitigation of cyber threats to cyber-physical systems. Risk Anal. 42(10), 2275\u20132290 (2022)","journal-title":"Risk Anal."}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01220-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-026-01220-6","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01220-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:18:42Z","timestamp":1776071922000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-026-01220-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,5]]},"references-count":20,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,4]]}},"alternative-id":["1220"],"URL":"https:\/\/doi.org\/10.1007\/s10207-026-01220-6","relation":{},"ISSN":["1615-5270"],"issn-type":[{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,5]]},"assertion":[{"value":"6 October 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 January 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 February 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of Interest"}},{"value":"The authors declare no competing interests.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"43"}}