Information Security Risk and Maturity Analysis Utilising Directed Graphs
Prof Doc Thesis
Swann, K. 2025. Information Security Risk and Maturity Analysis Utilising Directed Graphs. Prof Doc Thesis. University of East London, School of Architecture, Computing & Engineering.
Authors | Swann, K. |
---|---|
Type | Prof Doc Thesis |
Abstract | In the current era of cyber-attack proliferation, it is imperative to better understand and mitigate information security risks within an organisation. By their nature, existing cybersecurity frameworks and standards do not model the relationships between cybersecurity elements such as controls, control objectives, threats and vulnerabilities, nor how one element can impact another. This weakness in current frameworks makes it difficult to understand context and to prioritise risk mitigation activities, often resulting in a "box ticking" approach. This thesis investigates the use of Directed Graphs as an analytical framework to represent, assess, and improve cybersecurity maturity and risk management. Traditional risk assessment models and cybersecurity frameworks often suffer from limitations such as static representations, scalability challenges, and a lack of dynamic adaptability to evolving cyber threats. This research proposes a graph-based approach to address these shortcomings, leveraging the relational power of Directed Graphs to represent assets, controls, threats, and vulnerabilities as interconnected nodes and edges. The study begins with a comprehensive literature review of existing cybersecurity frameworks and assessment methodologies, identifying key limitations and areas where graph-based models offer improvements. A systematic methodology is presented, detailing the construction of Directed Graph models, including node and edge definitions, calculation formulas for key attributes such as Threat Value (Tv), Vulnerability Value (Viv), Risk Value (Rv), and Likelihood Value (Lv), and their mathematical justifications. The research further explores how Directed Graphs enable dynamic risk propagation analysis, gap identification, and prioritisation of mitigation strategies. A practical case study is conducted to validate the proposed model using a custom-developed application called CyConex, which is used to demonstrate the effectiveness of the approach in assessing cybersecurity risks and visualising vulnerabilities across an organisational network. Results from the case study indicate that Directed Graphs provide improved clarity, scalability, and actionable insights compared to traditional risk management techniques. Evaluation of the results highlights both the strengths and limitations of the approach, offering recommendations for refining the model in future applications. This thesis contributes to the evolving field of cybersecurity by presenting a scalable, adaptable, and mathematically justified Directed Graph framework for cybersecurity maturity and risk assessment. It bridges theoretical insights with practical applicability, offering a foundation for future research and real-world implementations in complex cybersecurity environments. |
Year | 2025 |
Publisher | University of East London |
File | Access level: Anyone |
Publication dates | |
Online | 23 May 2025 |
Publication process dates | |
Completed | 19 May 2025 |
Deposited | 23 May 2025 |
Copyright holder | © 2025 The Author. Original content in this thesis is licensed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) Licence (https://creativecommons.org/licenses/by-nc-nd/4.0). Any third-party copyright material present remains the property of its respective owner(s) and is licensed under its existing terms. |
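The abstract describes the approach only in outline: threats, vulnerabilities, controls and assets as nodes, their relationships as directed edges, likelihood and risk propagated along those edges, and the graph used for gap identification and mitigation prioritisation. The following is an added toy model written for this page to make that structure concrete. It is not CyConex code and does not reproduce the thesis's definitions of Tv, Viv, Lv or Rv, which the page does not give; the node/edge schema, the combining formulas (noisy-OR of independent likelihoods, multiplicative control attenuation, a damping factor per propagation hop) and the sample organisation are all this example's own assumptions.

```python
"""Toy directed-graph risk model (added illustration; schema, formulas and data are
assumptions for this example, not the thesis's definitions and not CyConex code)."""
from graphlib import CycleError, TopologicalSorter
from math import prod

# Constructed sample organisation (assumption for illustration).
NODES = {
    "T1": {"type": "threat", "Tv": 0.8},                # credential phishing
    "T2": {"type": "threat", "Tv": 0.5},                # opportunistic scanning
    "V1": {"type": "vulnerability", "severity": 0.9},   # VPN without MFA
    "V2": {"type": "vulnerability", "severity": 0.6},   # unpatched web server
    "C1": {"type": "control", "effectiveness": 0.7},    # partial MFA rollout
    "A1": {"type": "asset", "impact": 0.9},             # identity provider
    "A2": {"type": "asset", "impact": 0.6},             # internal web app
    "A3": {"type": "asset", "impact": 1.0},             # customer database
}
# Directed edges (source, target, kind). "propagates_to" points in the direction
# a compromise spreads, so A3 inherits likelihood from A1 and A2.
EDGES = [
    ("T1", "V1", "exploits"), ("T2", "V2", "exploits"),
    ("C1", "V1", "mitigates"),
    ("V1", "A1", "exposes"), ("V2", "A2", "exposes"),
    ("A1", "A3", "propagates_to"), ("A2", "A3", "propagates_to"),
]
DAMPING = 0.5  # assumed attenuation of likelihood per propagation hop


def noisy_or(values):
    """Combine independent likelihoods into P(at least one occurs)."""
    return 1.0 - prod(1.0 - v for v in values)


def sources(edges, target, kind):
    """All nodes with an edge of the given kind pointing at target."""
    return [s for s, t, k in edges if t == target and k == kind]


def vulnerability_value(nodes, edges, vuln):
    """Viv (assumed formula): severity attenuated by every mitigating control."""
    controls = sources(edges, vuln, "mitigates")
    residual = prod(1.0 - nodes[c]["effectiveness"] for c in controls)
    return nodes[vuln]["severity"] * residual


def likelihoods(nodes, edges):
    """Lv for every vulnerability and asset (assumed formulas). Asset likelihood is
    propagated along 'propagates_to' edges in topological order; cycles are rejected."""
    lv = {}
    for v, attrs in nodes.items():
        if attrs["type"] == "vulnerability":
            threats = sources(edges, v, "exploits")
            lv[v] = noisy_or(nodes[t]["Tv"] for t in threats) * vulnerability_value(nodes, edges, v)
    assets = [n for n, a in nodes.items() if a["type"] == "asset"]
    ts = TopologicalSorter({a: set(sources(edges, a, "propagates_to")) for a in assets})
    try:
        order = list(ts.static_order())
    except CycleError as exc:
        raise ValueError(f"propagation graph must be acyclic: {exc.args[1]}") from exc
    for a in order:
        direct = [lv[v] for v in sources(edges, a, "exposes")]
        inherited = [DAMPING * lv[p] for p in sources(edges, a, "propagates_to")]
        lv[a] = noisy_or(direct + inherited)
    return lv


def risk_values(nodes, edges):
    """Rv = impact x Lv for every asset (assumed formula)."""
    lv = likelihoods(nodes, edges)
    return {a: attrs["impact"] * lv[a] for a, attrs in nodes.items() if attrs["type"] == "asset"}


def unmitigated_vulnerabilities(nodes, edges):
    """Gap identification: vulnerabilities with no inbound 'mitigates' edge."""
    return sorted(v for v, a in nodes.items()
                  if a["type"] == "vulnerability" and not sources(edges, v, "mitigates"))


def prioritise_mitigations(nodes, edges):
    """Rank vulnerabilities by the total Rv removed if each were fully mitigated."""
    baseline = sum(risk_values(nodes, edges).values())
    ranking = []
    for v, attrs in nodes.items():
        if attrs["type"] != "vulnerability":
            continue
        patched = {**nodes, v: {**attrs, "severity": 0.0}}
        ranking.append((v, baseline - sum(risk_values(patched, edges).values())))
    return sorted(ranking, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for asset, rv in sorted(risk_values(NODES, EDGES).items()):
        print(f"{asset}: Rv={rv:.3f}")
    print("unmitigated:", unmitigated_vulnerabilities(NODES, EDGES))
    print("mitigation priority:", prioritise_mitigations(NODES, EDGES))
```

On this constructed data the ranking puts V2 ahead of V1 even though V1 has the higher raw severity, because the graph records that C1 already attenuates V1 while V2 has no inbound control at all and its likelihood propagates onward to the customer database. That is the kind of context a flat checklist of controls cannot express, and it is what the relationship edges in the abstract's model are meant to capture.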
https://repository.uel.ac.uk/item/8z91y