Operationalising Cyber Risk Management Using AI: Connecting Cyber Incidents to MITRE ATT&CK Techniques, Security Controls, and Metrics
arXiv:2603.12455v1

Abstract: The escalating frequency of cyber-attacks poses significant challenges for organisations, particularly small enterprises constrained by limited in-house expertise, insufficient knowledge, and financial resources. This research presents a novel framework that leverages Natural Language Processing to address these challenges through automated mapping of cyber incidents to adversary techniques. We introduce the Cyber Catalog, a knowledge base that systematically integrates CIS Critical Security Controls, MITRE ATT&CK techniques, and SMART metrics. This integrated resource enables organisations to connect threat intelligence directly to actionable controls and measurable outcomes. To operationalise the framework, we fine-tuned all-mpnet-base-v2, a highly regarded sentence-transformers model that converts text into numerical vectors, on an augmented dataset comprising 74,986 incident-technique pairs to enhance semantic similarity between cyber incidents and MITRE ATT&CK techniques. Our fine-tuned model achieved a Spearman correlation of 0.7894 and a Pearson correlation of 0.8756, demonstrating substantial improvements over top baseline models including all-mpnet-base-v2, all-distilroberta-v1, and all-MiniLM-L12-v2. Furthermore, our model exhibited significantly lower prediction errors (MAE = 0.135, MSE = 0.027) compared to all baseline models, confirming superior accuracy and consistency. The Cyber Catalog, training dataset, trained model, and implementation code are made publicly available to facilitate further research and enable practical deployment in resource-constrained environments. This work bridges the gap between threat intelligence and operational security management, providing an actionable tool for systematic cyber incident response and evidence-based cyber risk management.
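The abstract describes two pieces that are easy to lose in the summary: a similarity search that ranks ATT&CK technique descriptions against an incident write-up, and an evaluation that scores the model's similarity predictions with Spearman, Pearson, MAE and MSE. The block below is an added illustration, not the paper's code or its released model: a bag-of-words cosine stands in for the fine-tuned all-mpnet-base-v2 embedding so that it runs offline, the catalog is a constructed four-entry stand-in (the technique IDs and names are real ATT&CK identifiers, the descriptions are paraphrased, and the control and metric fields are placeholders rather than the paper's mappings), and the gold/predicted score lists fed to the metrics are constructed.

```python
"""Toy incident-to-ATT&CK mapper plus the evaluation metrics named in the abstract.

Added example. `embed`/`cosine` are a bag-of-words stand-in for the fine-tuned
sentence-transformer; with a real model, replace `embed` by `model.encode` and
keep the rest of the pipeline unchanged.
"""
import math
import re
from collections import Counter

# Constructed mini "Cyber Catalog": real ATT&CK IDs/names, paraphrased
# descriptions, placeholder control and metric fields (NOT the paper's mapping).
CATALOG = {
    "T1566": {"name": "Phishing",
              "description": "adversaries send emails with malicious attachments or links to gain initial access",
              "controls": ["<CIS control placeholder>"], "metric": "<SMART metric placeholder>"},
    "T1059": {"name": "Command and Scripting Interpreter",
              "description": "adversaries abuse interpreters such as PowerShell or bash to execute commands",
              "controls": ["<CIS control placeholder>"], "metric": "<SMART metric placeholder>"},
    "T1486": {"name": "Data Encrypted for Impact",
              "description": "adversaries encrypt data on target systems to interrupt availability, as in ransomware",
              "controls": ["<CIS control placeholder>"], "metric": "<SMART metric placeholder>"},
    "T1078": {"name": "Valid Accounts",
              "description": "adversaries obtain and abuse credentials of existing accounts for access and persistence",
              "controls": ["<CIS control placeholder>"], "metric": "<SMART metric placeholder>"},
}

STOPWORDS = {"a", "an", "the", "and", "or", "to", "on", "of", "in", "for",
             "with", "as", "that", "then", "such", "by", "from", "is", "are"}


def tokenize(text):
    """Lower-case, drop stopwords, crude plural stripping (stand-in for a tokenizer)."""
    out = []
    for w in re.findall(r"[a-z0-9]+", text.lower()):
        if w in STOPWORDS:
            continue
        if len(w) > 3 and w.endswith("s"):
            w = w[:-1]
        out.append(w)
    return out


def embed(text):
    """Sparse bag-of-words vector; a real deployment would return model.encode(text)."""
    return Counter(tokenize(text))


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_techniques(incident, catalog=CATALOG, top_k=3):
    """Return [(technique_id, similarity)] sorted by descending similarity."""
    inc = embed(incident)
    scored = [(tid, cosine(inc, embed(rec["name"] + " " + rec["description"])))
              for tid, rec in catalog.items()]
    scored.sort(key=lambda p: p[1], reverse=True)
    return scored[:top_k]


def incident_to_actions(incident, catalog=CATALOG):
    """Chain incident -> best technique -> catalog controls and metric."""
    tid, score = rank_techniques(incident, catalog, top_k=1)[0]
    rec = catalog[tid]
    return {"technique": tid, "score": score,
            "controls": rec["controls"], "metric": rec["metric"]}


# --- Evaluation metrics used in the abstract (gold vs. predicted similarity) ---
def mean(xs):
    return sum(xs) / len(xs)


def pearson(x, y):
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0


def _ranks(xs):
    """Average ranks (1-based) with ties sharing their mean rank."""
    order = sorted(range(len(xs)), key=lambda i: xs[i])
    ranks = [0.0] * len(xs)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and xs[order[j + 1]] == xs[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def spearman(x, y):
    return pearson(_ranks(x), _ranks(y))


def mae(gold, pred):
    return mean([abs(g - p) for g, p in zip(gold, pred)])


def mse(gold, pred):
    return mean([(g - p) ** 2 for g, p in zip(gold, pred)])


if __name__ == "__main__":
    # Constructed incident write-ups, not taken from the paper's dataset.
    for text in ["A user reported a phishing email with a malicious attachment from an unknown sender",
                 "Ransomware encrypted files on the file server and left a ransom note"]:
        print(text, "->", incident_to_actions(text))
```

The ranking step is the part the paper fine-tunes: with a learned embedding, "ransom note" and "Data Encrypted for Impact" land close together even without shared tokens, which the bag-of-words stand-in cannot do. The metric functions are what turn a set of (incident, technique, gold similarity) triples into the Spearman/Pearson/MAE/MSE figures quoted above, so the same code can be used to compare a locally fine-tuned model against the baselines on a held-out split.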
Executive Summary
This article proposes a novel framework that leverages Natural Language Processing to address cyber-attack challenges faced by small enterprises. The framework, known as the Cyber Catalog, integrates CIS Critical Security Controls, MITRE ATT&CK techniques, and SMART metrics to facilitate threat intelligence and operational security management. By fine-tuning a widely used sentence-transformers model, the researchers achieved substantial improvements in correlation and prediction accuracy, making the Cyber Catalog a valuable tool for systematic cyber incident response and evidence-based cyber risk management.
Key Points
- Development of the Cyber Catalog framework to address cyber-attack challenges
- Integration of CIS Critical Security Controls, MITRE ATT&CK techniques, and SMART metrics
- Fine-tuning of a sentence-transformers model for improved correlation and prediction accuracy
Merits
- Strength: The article presents a comprehensive framework that bridges the gap between threat intelligence and operational security management, providing actionable insights for resource-constrained environments.
- Strength: The fine-tuned model achieved substantial improvements over baseline models, demonstrating the effectiveness of the proposed framework.
Demerits
- Limitation: The article assumes the availability of a large dataset for model training, which may not be feasible for all organisations, particularly small enterprises.
- Limitation: The framework's reliance on Natural Language Processing may limit its applicability in cases where human-generated text is not available or is insufficient.
Expert Commentary
The article presents a significant contribution to the field of cybersecurity, particularly in addressing the challenges faced by resource-constrained environments. While the framework shows promise, its reliance on Natural Language Processing and the assumption of a large training dataset may limit its applicability. Nevertheless, the Cyber Catalog framework has the potential to become a valuable tool for systematic cyber incident response and evidence-based cyber risk management.
Recommendations
- Further research should focus on developing models that can handle smaller datasets or limited text availability.
- The framework's applicability should be tested in real-world scenarios to validate its effectiveness and identify areas for improvement.