
Expert Knowledge Elicitation for Skill Level Categorization of Attack Paths

Article

Authors: Terézia Mézešová, Hayretdin Bahsi

Abstract

Attack graphs deduce the attack paths based on the identified vulnerabilities, the existing network topology, and the applied network access controls. The exploitation likelihood of the paths, derived from the Common Vulnerability Scoring System (CVSS) values of the vulnerabilities, provides an important input to risk assessments. This paper focuses on identifying the attacker skill levels required for exploiting the attack paths. First, we elicited expert knowledge to determine the skill level categories and their detailed descriptions. Second, we systematically applied the elicited knowledge to the attack graphs. This skill level categorization method can contribute significantly to the design of hands-on offensive cyber games, as it enables the skills of participants to be balanced against the difficulty of game tasks. It also improves the threat analysis capability of organizations by showing how threat actors of different skill levels could infiltrate the system.

Introduction

The analysis of cyber threats and of the vulnerabilities in system assets constitutes the core of every method that measures the risks coming from cyberspace. The cybersecurity community has studied vulnerability management extensively, whereas the in-depth analysis of threat actors still requires more attention and effort. Cyber knowledge, described as “theoretical and practical proficiency relating to computers, information networks, or automated systems”, is one of the essential metrics covered in threat analysis [1]. In order to align protection strategies with their threat profiles, defenders should understand the level of technical skill required to compromise significant system assets. Another setting where the evaluation of technical skills is in high demand is hands-on offensive cyber security training. It has been argued that a mismatch between the difficulty level of cyber games and the skills of learners can be a significant obstacle in such training, which means balancing is needed when cyber games are used for educational purposes [2]. However, there is a lack of systematic tools for designing a diverse set of challenges with different difficulty levels.

An attack graph is a security model of a computer network that lists the possible attack paths and the series of vulnerabilities that can be exploited to compromise a system asset under the given network connectivity and access control rules. An attack path can be expressed as the sequence of vulnerabilities an attacker needs to exploit to get from a starting position, often outside the organization’s network, to an attack goal, that is, a particular action on a particular asset. This model has been used to predict the exploitation likelihood of attack paths from the CVSS values of the vulnerabilities along them [5].

In this paper, we propose a categorization method to classify the skill levels required to traverse attack paths once the target system has been modelled with an attack graph. First, we elicited expert knowledge to identify the skill categories and their descriptions. Second, we applied the obtained knowledge to each vulnerability to determine the skill level needed to exploit it. Finally, the skill level required for traversing a whole attack path is determined. We treat the resulting skill level as a lower bound on the technical capability, or computer knowledge, required to compromise the given system asset.
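As an added illustration of the attack-graph model and the per-path skill categorization described above (this is example code written for this page, not the authors' implementation or data), the following Python script models a small attack graph, enumerates its attack paths, assigns a skill level to each path and derives the lower bound for the goal asset. Everything in it is assumed: the four skill category names, the hosts and vulnerability labels, and the two aggregation rules, namely that a path requires the highest skill among its steps and that an asset's lower bound is the least demanding path reaching it. The paper elicits its own categories and descriptions from experts and does not state these rules on this page.

```python
"""Skill-level categorization of attack paths over a small attack graph.

Added example with constructed data. The skill categories, the hosts, the
vulnerability labels and the two aggregation rules are assumptions made for
this illustration; they are not taken from the paper.
"""
from collections import namedtuple
from typing import Dict, List, Optional

# Ordered skill categories (assumed names). The numeric rank is what makes
# "highest skill on a path" and "lowest skill over paths" well defined.
SKILL_RANK = {"novice": 1, "intermediate": 2, "advanced": 3, "expert": 4}
RANK_SKILL = {rank: name for name, rank in SKILL_RANK.items()}

# One edge of the attack graph: exploiting `vuln` from the host the attacker
# currently controls yields a foothold on `target`, and doing so needs `skill`.
Exploit = namedtuple("Exploit", ["vuln", "skill", "target"])

# Constructed attack graph (no real systems or CVE identifiers). Keys are hosts
# the attacker already controls; network access controls are encoded implicitly
# by which edges exist at all (e.g. nothing reaches the database directly).
ATTACK_GRAPH: Dict[str, List[Exploit]] = {
    "attacker": [
        Exploit("web-sqli", "intermediate", "webserver"),
        Exploit("vpn-default-creds", "novice", "vpn-gateway"),
    ],
    "webserver": [Exploit("app-deserialization-rce", "advanced", "appserver")],
    "vpn-gateway": [Exploit("appserver-unpatched-smb", "intermediate", "appserver")],
    "appserver": [
        Exploit("db-weak-password", "novice", "database"),
        Exploit("db-protocol-parser-bug", "expert", "database"),
    ],
}


def attack_paths(graph: Dict[str, List[Exploit]], start: str, goal: str) -> List[List[Exploit]]:
    """Enumerate all simple paths (no host revisited) from start to goal."""
    paths: List[List[Exploit]] = []

    def dfs(host: str, visited: set, trail: List[Exploit]) -> None:
        if host == goal:
            paths.append(list(trail))
            return
        for step in graph.get(host, []):
            if step.target in visited:
                continue
            trail.append(step)
            dfs(step.target, visited | {step.target}, trail)
            trail.pop()

    dfs(start, {start}, [])
    return paths


def path_skill(path: List[Exploit]) -> str:
    """Skill needed to traverse a whole path.

    Assumed rule: every vulnerability on the path must be exploited, so the
    path demands the highest skill among its steps.
    """
    return RANK_SKILL[max(SKILL_RANK[step.skill] for step in path)]


def paths_by_skill(graph: Dict[str, List[Exploit]], start: str, goal: str) -> Dict[str, List[List[Exploit]]]:
    """Group paths by required skill, e.g. to pick game tasks of one difficulty."""
    grouped: Dict[str, List[List[Exploit]]] = {}
    for path in attack_paths(graph, start, goal):
        grouped.setdefault(path_skill(path), []).append(path)
    return grouped


def asset_skill_lower_bound(graph: Dict[str, List[Exploit]], start: str, goal: str) -> Optional[str]:
    """Lowest skill with which the goal asset can be compromised.

    Assumed rule: the asset's level is the minimum over all paths to it, i.e.
    the least demanding way in. Returns None if the goal is unreachable.
    """
    skills = [path_skill(p) for p in attack_paths(graph, start, goal)]
    if not skills:
        return None
    return RANK_SKILL[min(SKILL_RANK[s] for s in skills)]


if __name__ == "__main__":
    grouped = paths_by_skill(ATTACK_GRAPH, "attacker", "database")
    for skill in sorted(grouped, key=lambda s: SKILL_RANK[s]):
        for path in grouped[skill]:
            print(f"{skill:12s} " + " -> ".join(step.vuln for step in path))
    print("lower bound for database:", asset_skill_lower_bound(ATTACK_GRAPH, "attacker", "database"))
```

Running the script lists one intermediate path (default VPN credentials, unpatched SMB, weak database password), one advanced path and two expert paths to the database, so the asset's lower bound is "intermediate": a defender planning against novice-only threat actors would be misled by looking at the hardest path, and a game designer wanting an expert-level task would pick one of the two paths through the protocol parser bug.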

Decision support systems that provide input to the risk management process can use this method to evaluate the technical skills required of threat agents. Cyber game organizers can likewise use it at the design stage to balance the difficulty of challenges against the skills of participants. The method considers only the cyber knowledge of attackers; factors such as attacker commitment and resources, beyond the knowledge required, are out of scope. It is the purpose of cyber games to challenge the technical skills of participants, and all participants are constrained in how much time and resources they can invest in their attacks. For a comprehensive analysis of threat agents, the output of our method should be complemented with additional threat intelligence on the commitment and resource level of attackers.