Skip to Main Content
Mean time-to-compromise is a comparative security metric that applies lessons learned from physical security. To address this need in the SCADA world specifically and the corporate IT security world more generally, we propose a mean time-to-compromise (MTTC) interval as an estimate of the time it will take for an attacker with a specific skill level to successfully impact a target system. We also propose a state-space model (SSM) and algorithms for estimating attack paths and state times to calculate these MTTC intervals for a given target system. Although we use SCADA as an example, we believe our approach should work in any IT environment.