Quantifying Cyber Risk: The Art and Math of Attack Surface Scoring (Part 2)

In Part 1, I shared how I approach cyber risk by looking at it through the lens of Attack Surface Scoring (ASS). Now in Part 2, I expand on the model by aligning it with real-world frameworks like OSSTMM and Risk Assessment Values (RAV) to make it practical, defensible, and repeatable.

Why I Chose OSSTMM and RAV

What I like about OSSTMM is how it gives a clear, measurable way to look at security which is way beyond your typical checkbox audit. It breaks things down into exposure, trust, access, and controls, which fits perfectly with how I want to model risk.

And then there’s RAV, also from ISECOM which lets me bring in context by assigning numeric values based on what actually matters. That’s something static models just can’t do.

Building the Metric Layer

Here’s what I score for each asset:

• Visibility (V): How easily can it be found?
• Access (A): Who or what can reach it?
• Trust (T): How much freedom does it have?
• Controls (C): What’s protecting it?

I use a simplified version of OSSTMM’s risk formula:

I typically rate these factors from 1 to 10, using data from asset inventories, IAM logs, config reviews, and my vulnerability management stack.

How I Use RAV for Context

Raw numbers aren’t enough. That’s why I integrate RAV to factor in how critical an asset is and how likely it is to be targeted. Here’s an example from one of my worksheets:

Metric	Raw Score	RAV Weight	Weighted Score
Visibility	8	1.2	9.6
Access	6	1.0	6.0
Trust	7	1.5	10.5
Controls	4	1.0	4.0

Final score: (9.6 x 6.0 x 10.5) / 4.0 = 151.2

This approach helps me compare risk across business units and prioritize effectively.

Real-World Example: My External Web Server

One case I often refer to is an Apache web server that was public-facing:

• Visibility: 9 (shows up on Shodan within minutes)
• Access: 7 (internet-facing, basic firewall)
• Trust: 5 (no internal network trust)
• Controls: 6 (behind a WAF, regular patching)

Using OSSTMM + RAV, the final score came out to 130 which a number that pushed this asset into my remediation queue.

Why This Matters

Risk quantification must reflect not just exposure, but context. By using OSSTMM to define the structure and RAV to add weight, we evolve from checklists to cyber-econometrics. This approach helps to:

• Justify why certain systems need fixing first
• Explain risk posture to stakeholders
• Automate and audit with confidence

What’s Coming Next

In Part 3, I will show how I scale this model by walking through how I normalize these scores across different environments, benchmark against internal and external baselines, and run simulations to predict future risk trends.

Stay tuned, and prepare to bring mathematics to your cybersecurity roadmap.