The Cost of Exploitation: A comparative view of socio-technical factors across varying degrees of attack complexity

In a typical assessment for cyber security risk a defender would make an assumption of adversaries likely to attack the entity in question whether this be, for example, an amateur, hacktivist or even nation-state actor. Rather than rely on this ambiguous assumption the defender would be better informed through quantifying the cost an adversary would incur in order to compromise a system in relation to time, money, and technical expertise. Once cost of exploitation is quantified, the defender may better understand the type of advisories they are likely to face, and apply security controls to fit their risk appetite.
In recent years large scale cyber attacks have become increasingly prevalent whether for monetary gains, destructive potential, or espionage. One common theme among many of these cyber attacks is the use of joint human based (social) and technology based (technical) techniques to cause the most impact. The attack on Target in 2013 which saw 40 million credit and debit card accounts stolen was instigated through a phishing email containing malware, before further compromise and more complex technical based attacks were employed. This shows that for the cost of exploitation to be accurate, understanding the cost of social attacks is just as crucial as understanding the cost of technical attacks. These large scale socio-technical cyber attacks are being seen too on industrial control systems (ICS), notably the 2015 attack on the Ukranian Kyivoblenergo and the infamous Stuxnet of 2010, both of which utilised social techniques, spear phishing and malware enabled USB sticks respectively, and both used niche technical attacks pertaining to industrial control systems. In the realm of industrial control systems the cost of exploitation, particularly technical expertise, could be greatly exacerbated due to the niche knowledge required and more difficult to decipher nodes on the networks.
To best explore the cost of exploitation, understanding how exploitation is achieved in a generic non-context specific manner would be the initial step. This would allow for a much broader scale in the way of a control variable by which to compare the more complex ICS environment. Research would likely be carried out through literature reviews and engagement with information security practitioners in both offensive roles for information on attack techniques and complexity, and defensive roles for perceived impact and risk of attacks. This work could lead to a metric, framework, or possibly a tool which would provide the estimated cost of exploitation for a given system, providing context to aid in better assessing risk in both IT and ICS environments. Finally the development of such a metric, framework, or tool would require evaluation, this could be done through its application to live environments in order to calculate the expected cost of exploitation towards the risk assessment.