Printed from https://ideas.repec.org/a/eee/reensy/v263y2025ics0951832025004569.html

A probabilistic cost-benefit analysis approach for cyberattack path evaluation

Authors
  • Zhang, Jinghan
  • Zio, Enrico
  • Ma, Chiye
  • Liu, Kang
  • Wang, Wei

Abstract

Analyzing attacker behavior and exploring attack paths are crucial to designing effective cybersecurity protection mechanisms. In this work, we propose a Monte Carlo (MC)-based probabilistic cost-benefit analysis approach to assess cyber vulnerabilities and identify the attack paths most likely to be exploited in an industrial control setting. First, we draw an attack graph to represent the potential attack paths that attackers could exploit to compromise the vulnerabilities of a target Industrial Control System (ICS). A cost-benefit analysis is then integrated into a graph path algorithm to explore attackers’ decisions for exploiting vulnerabilities, whilst accounting for the dynamic characteristics of the system configuration. A probabilistic risk metric is introduced to measure the uncertainty that derives from the intrinsic technical exploitability of vulnerabilities and attackers’ propensities. For demonstration, we apply the proposed approach to a simplified corporate network in an ICS environment, which is vulnerable to multi-step cyberattacks. We identify the shortest attack paths with the highest probabilities and assess the risk associated with each vulnerable element.
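As an added illustration of the approach the abstract describes (this is not the paper's own code): a constructed toy attack graph of a simplified ICS corporate network, Monte Carlo sampling of each vulnerability's exploit success, and a cost-weighted shortest-path search to pick the attacker's cheapest surviving path in each sample, from which path probabilities and a per-node risk frequency are estimated. The node names, exploit probabilities and cost units are assumptions.

```python
import heapq
import random
from collections import Counter

# Constructed toy attack graph (assumed values, not from the paper).
# Edge (source, target) -> (exploit probability p, attacker cost c in assumed units).
ATTACK_GRAPH = {
    ("internet", "web_dmz"):   (0.8, 2.0),
    ("internet", "vpn_gw"):    (0.3, 4.0),
    ("web_dmz", "eng_ws"):     (0.5, 3.0),
    ("vpn_gw", "eng_ws"):      (0.9, 1.0),
    ("web_dmz", "historian"):  (0.7, 1.0),
    ("eng_ws", "plc"):         (0.6, 2.0),
    ("historian", "plc"):      (0.4, 5.0),
}

def cheapest_path(live_edges, start, goal):
    """Dijkstra over the edges that succeeded in one MC sample; returns (cost, path) or None."""
    adj = {}
    for (u, v), cost in live_edges.items():
        adj.setdefault(u, []).append((v, cost))
    dist, prev, heap = {start: 0.0}, {}, [(0.0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == goal:  # reconstruct the path by walking predecessors back to start
            path = [goal]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return d, tuple(reversed(path))
        if d > dist[u]:  # stale heap entry
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    return None

def monte_carlo_paths(graph, start, goal, n_samples, seed=0):
    """Sample exploit success per edge; return (path frequencies, per-node compromise frequencies)."""
    rng = random.Random(seed)
    path_counts, node_hits = Counter(), Counter()
    for _ in range(n_samples):
        # Each vulnerability is exploited with its probability p; failed edges vanish this sample.
        live = {e: c for e, (p, c) in graph.items() if rng.random() < p}
        result = cheapest_path(live, start, goal)
        if result is not None:
            path_counts[result[1]] += 1
            node_hits.update(result[1][1:])  # nodes compromised along the realised path
    return ({p: k / n_samples for p, k in path_counts.items()},
            {n: k / n_samples for n, k in node_hits.items()})
```

The per-node frequencies give the probabilistic risk of each element being on the attacker's realised path; the path frequencies rank the most likely cheapest attack paths.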

Suggested Citation

  • Zhang, Jinghan & Zio, Enrico & Ma, Chiye & Liu, Kang & Wang, Wei, 2025. "A probabilistic cost-benefit analysis approach for cyberattack path evaluation," Reliability Engineering and System Safety, Elsevier, vol. 263(C).
  • Handle: RePEc:eee:reensy:v:263:y:2025:i:c:s0951832025004569
    DOI: 10.1016/j.ress.2025.111255

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0951832025004569
    Download Restriction: Full text for ScienceDirect subscribers only



