A Hybrid Quantitative Risk Assessment Framework for Zero-Trust Architectures Using Stochastic Petri Nets and Attack Graphs


Wijdan Noaman Marzoog Al Mukhtar

Abstract

Although there has been a significant increase in the adoption of Zero Trust Architectures (ZTA), very few formalized methods exist for evaluating the continuously changing risks of these systems. Our work proposes a hybrid framework based on Stochastic Petri Nets (SPNs) and Attack Graphs that assesses the systemic risks associated with a ZTA deployment through the explicit modelling of micro-segmentation, least privilege, and re-authentication intervals. We introduce three quantitative metrics to aid in assessing the risk from a systemic point of view: Mean Time to Security Breach (MTTSB), Expected Loss Exposure (ELE), and Conditional Value at Risk (CVaR). We evaluated the framework using a simulation of a 150-microservice environment, using our ZTA-Breach-150 synthetic dataset (calibrated for statistical accuracy using the Verizon Data Breach Investigations Database - VCDB and CSE-CIC-IDS2018), which simulated 10,000 breaches over five different types of attack. The simulations produced a predicted mean time to successful breach (MTTSB) within four standard deviations of the empirical average MTTB for breaches that occur in real-world networks. The simulation was based on a cloud-native E-Commerce Microservices architecture running on Kubernetes with ZTA enforcement through a Policy Decision Point (PDP) and a Policy Enforcement Point (PEP). Sensitivity analysis demonstrates that using re-authentication intervals of 90-120 seconds minimizes ELE by 37% compared to static policies. The proposed framework has O(n²) scaling characteristics (approximately linear in practice) and can be used to provide a basis for risk-aware adaptive decision-making in next-generation access control through provably quantified risk metrics.


 


How to Cite

[1]
“A Hybrid Quantitative Risk Assessment Framework for Zero-Trust Architectures Using Stochastic Petri Nets and Attack Graphs”, JUBPAS, vol. 34, no. 2, pp. 395–431, Jun. 2026, doi: 10.29196/jubpas.v34i2.6635.
