
Developing a Common Threat Scoring System (CTSS) for Cyber Risk Assessment

MASTER Assignment


Type: Master M-CS

Period: May - October 2025

Student: Proveddini, E. (Elisabetta, Student M-CS)

Date of final project: October 31, 2025

Thesis

Supervisors:

Abstract:

Cybersecurity risk is commonly framed as the product of likelihood and impact, yet most practice and standards focus on vulnerability severity rather than the organisation-level probability of attack. This thesis proposes the Common Threat Scoring System (CTSS), a transparent, actor-aware framework that estimates attack likelihood at the organisation or asset level. CTSS operationalises a Capability–Opportunity–Intent model, extended with an Effort term, via a short, standardised questionnaire and produces a numeric likelihood that complements CVSS severity for risk-based prioritisation.

CTSS was developed through literature review and practitioner input, then evaluated using an expert survey, follow-up interviews, and qualitative cross-checks against public breach reports. The study finds CTSS usable and explainable, but identifies accuracy and reliability issues: a systematic tilt toward state actors, underweighting of cybercriminals and insiders, mid-band score compression, and some ambiguous inputs. The thesis proposes concrete fixes: introduce base-rate (“prevalence”) priors, refine intent by actor, widen scoring ladders and improve the exploit step, and adopt an explicit policy for unknowns with visible uncertainty. It also outlines a path to calibration: pilots in real organisations, a larger expert panel, and a curated, actor-labelled incident dataset. With these refinements, CTSS can mature into a defensible likelihood layer that, when combined with CVSS, supports clearer prioritisation and communication in real-world risk management.
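The abstract describes the shape of the framework (a Capability–Opportunity–Intent model with an Effort term, a base-rate prior, an explicit policy for unknowns, and a likelihood that sits beside CVSS severity) but not its formula. The following is an added, hypothetical illustration of how such a likelihood layer can be combined with CVSS for prioritisation; it is not the CTSS scoring method from the thesis. The 1-5 answer ladder, the multiplicative combination, the `prevalence` prior, the interval treatment of unknown answers and the sample findings are all assumptions of this example.

```python
"""Illustrative likelihood-times-severity prioritisation.

Hypothetical model added here; it is NOT the CTSS formula from the thesis.
Factor names follow the abstract (capability, opportunity, intent, effort);
the 1-5 ladder, the multiplicative combination, the base-rate prior and the
interval policy for unknown answers are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LADDER_MIN, LADDER_MAX = 1, 5  # assumed questionnaire answer range


@dataclass
class ThreatInputs:
    capability: Optional[int]   # None means "unknown" (explicit unknown policy)
    opportunity: Optional[int]
    intent: Optional[int]
    effort: Optional[int]       # effort demanded of the attacker: higher lowers likelihood
    prevalence: float = 1.0     # assumed base-rate prior for the actor class, 0..1


def _factor_bounds(value: Optional[int], inverted: bool) -> Tuple[float, float]:
    """Return the (low, high) contribution of one factor, normalised to 0..1.

    A known answer contributes a point value; an unknown answer contributes the
    whole ladder as an interval, so the uncertainty stays visible downstream.
    """
    if value is None:
        lo, hi = LADDER_MIN, LADDER_MAX
    else:
        if not LADDER_MIN <= value <= LADDER_MAX:
            raise ValueError(f"answer {value} outside ladder {LADDER_MIN}..{LADDER_MAX}")
        lo = hi = value
    if inverted:  # effort: a hard attack (5) contributes like an easy factor of 1
        lo, hi = LADDER_MAX + 1 - hi, LADDER_MAX + 1 - lo
    return lo / LADDER_MAX, hi / LADDER_MAX


def likelihood_interval(t: ThreatInputs) -> Tuple[float, float]:
    """Attack-likelihood interval [low, high] in 0..1 for one asset/actor pairing."""
    if not 0.0 <= t.prevalence <= 1.0:
        raise ValueError("prevalence prior must be in 0..1")
    low = high = t.prevalence
    for value, inverted in ((t.capability, False), (t.opportunity, False),
                            (t.intent, False), (t.effort, True)):
        f_lo, f_hi = _factor_bounds(value, inverted)
        low *= f_lo
        high *= f_hi
    return low, high


def prioritise(findings: List[Tuple[str, float, ThreatInputs]]) -> List[Dict]:
    """Rank findings by worst-case risk = likelihood_high x CVSS base score (0..10).

    Each row keeps the interval so an analyst can see which rankings rest on
    unanswered questionnaire items rather than on evidence.
    """
    rows = []
    for name, cvss, inputs in findings:
        if not 0.0 <= cvss <= 10.0:
            raise ValueError(f"CVSS base score out of range for {name}")
        l_lo, l_hi = likelihood_interval(inputs)
        rows.append({
            "finding": name,
            "cvss": cvss,
            "likelihood": (round(l_lo, 4), round(l_hi, 4)),
            "risk": (round(l_lo * cvss, 4), round(l_hi * cvss, 4)),
            "uncertain": (l_hi - l_lo) > 1e-12,
        })
    return sorted(rows, key=lambda r: r["risk"][1], reverse=True)


# Constructed sample: two findings share a CVSS 9.8 score but face very different
# threat pictures; a third has one unanswered questionnaire item.
SAMPLE = [
    ("internet-facing VPN appliance", 9.8,
     ThreatInputs(capability=4, opportunity=5, intent=4, effort=2, prevalence=0.8)),
    ("internal wiki, no external exposure", 9.8,
     ThreatInputs(capability=2, opportunity=1, intent=2, effort=4, prevalence=0.8)),
    ("HR portal, exposure unknown", 6.5,
     ThreatInputs(capability=3, opportunity=None, intent=4, effort=3, prevalence=0.8)),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

Two points the abstract makes become visible in the output: the two CVSS 9.8 findings end up far apart once likelihood is applied, and the finding with an unanswered item carries a wide risk interval (roughly 0.30 to 1.50) instead of a falsely precise point score, which is what an explicit unknown policy with visible uncertainty buys an analyst.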