Current cybersecurity risk modeling methodologies do not consider humans as risk initiators
or mitigators. Human factors are considered primarily in terms of how users use networks,
which helps defenders and IT managers prioritize assets, while the defenders and IT managers
consider risk from their perspective of how best to protect their system. Risk management
within the context of the NIST framework does not consider humans as actual risk factors,
that is, as initiators and mitigators of risk, and therefore as potential components of a predictive model of
network security risk. Attributes of the human actors (attackers, defenders, and users), such as
experience, knowledge, and cultural background, may significantly influence how human actors
contribute to or mitigate cyber risk, and thus are appropriate parameters to include in a predictive
cybersecurity risk model. In this paper, we extend our previous work conceptualizing a
dynamic aggregated cybersecurity risk assessment model based on a Bayesian belief network
and incorporate variables representing critical risk-inducing and risk-mitigating human and cultural
factors into a proof of concept.