Journal of Cyber Security and Risk Auditing


ISSN: 3079-5354 (Online)

Publishing model: Open access
Scopus Indexed | 2025 CiteScore: 14.7 | Q1

Article


A Quantitative Framework for Dynamic Cyber Risk Assessment in Hybrid Enterprise Networks

by Udit Mamodiya; Indra Kishor; Pellakuri Vidyullatha; Rami Shehab; Amer Alqatish; Ghada Alradwan


Published: 2026/06/16

Abstract

Cyber risk estimation in hybrid enterprise networks, which integrate cloud-native services with legacy on-premises infrastructure, is increasingly challenging due to their distributed architecture and complex interdependencies. Traditional risk assessment approaches often fail to capture real-time exposure dynamics arising from service-level interactions and context-dependent infrastructure relationships. To address this limitation, this study proposes the Dynamic Enterprise Cyber Risk Estimation with Service Topology (DECRE-ST) framework, an adaptive and quantitative approach for real-time cyber risk estimation in hybrid enterprise environments. The proposed framework models enterprise infrastructure as a weighted interaction graph and incorporates contextual exposure factors to compute dynamic asset risk scores. Experimental validation was performed using enterprise telemetry datasets comprising 120 interconnected assets deployed within simulated hybrid cloud environments. Results demonstrate that the DECRE-ST framework improves risk prediction consistency by 17.6% and reduces estimation variance by 21.3% compared with Bayesian-based dynamic risk estimation models. Furthermore, the framework decreases mean risk estimation latency by 14.2% under fluctuating threat conditions. Ablation analysis further confirms the effectiveness of contextual service dependency modeling, contributing nearly 11% to overall estimation stability. These findings indicate that the DECRE-ST framework provides a more accurate, adaptive, and context-aware approach to cyber risk estimation. By enabling continuous assessment of evolving enterprise environments, the framework supports adaptive security governance and enhances decision-making for organizations operating hybrid cloud infrastructures.

Keywords

Hybrid enterprise networks; Dynamic cyber risk assessment; Context-aware risk modeling; Service dependency analysis; Quantitative risk estimation
