Security Stress: Evaluating ICT Robustness Through a Monte Carlo Method

  • Fabrizio BaiardiEmail author
  • Fabio Corò
  • Federico Tonelli
  • Alessandro Bertolini
  • Roberto Bertolotti
  • Luca Guidi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8985)


The security stress is a synthetic evaluation of how an ICT infrastructure resists to attacks. We define the security stress and show how it is approximated through the Haruspex suite. Then, we show how it supports the comparison of three versions of an industrial control system. Haruspex is a suite of tools that apply a Monte Carlo method and support a scenario-based assessment where in each scenario intelligent agents compose attacks to reach some predefined goals.


Risk assessment Intelligent agent Robustness 


  1. 1.
    Baiardi, F., Sgandurra, D.: Assessing ict risk through a monte carlo method. Environ. Syst. Decisions 33(4), 1–14 (2013)Google Scholar
  2. 2.
    Baiardi, F., Corò, F., Tonelli, F., Guidi, L.: Gvscan: Scanning networks for global vulnerabilities. In: First International Workshop on Emerging Cyberthreats and Countermeasures, Regensburg, Germany (2013)Google Scholar
  3. 3.
    Vaughn Jr., R.B., Henning, R., Siraj, A.: Information assurance measures and metrics - state of practice and proposed taxonomy. In: Proceedings of the 36th Annual Hawaii International Conference on System Sciences, 2003, p. 10 (2003)Google Scholar
  4. 4.
    Schudel, G., Wood, B.: Adversary work factor as a metric for information assurance. In: Proceedings of the 2000 Workshop on New Security Paradigms. NSPW 2000, pp. 23–30. ACM, New York (2000)Google Scholar
  5. 5.
    Langweg, H.: Framework for malware resistance metrics. In: 2nd ACM Workshop on Quality of Protection, pp. 39–44. ACM, New York (2006)Google Scholar
  6. 6.
    Wang, L., Jajodia, S., Singhal, A., Cheng, P., Noel, S.: k-zero day safety: A network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans. Dependable Sec. Comput. 11(1), 30–44 (2014)CrossRefGoogle Scholar
  7. 7.
    Jaquith, A.: Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley Professional (2007). ISBN:0321349989Google Scholar
  8. 8.
    Payne, S.C.: A guide to security metrics. SANS Institute (2006)Google Scholar
  9. 9.
    Swanson, M.: Security metrics guide for information technology systems. Technical report, NIST, US Department of Commerce (2003)Google Scholar
  10. 10.
    La Corte, A., Scatà, M.: Failure analysis and threats statistic to assess risk and security strategy in a communication system. In: ICSNC 2011, The Sixth International Conference on Systems and Networks Communications, pp. 149–154 (2011)Google Scholar
  11. 11.
    Nai Fovino, I., Masera, M., Guidi, L., Carpi, G.: An experimental platform for assessing scada vulnerabilities and countermeasures in power plants (2010)Google Scholar
  12. 12.
    Pamula, J., Jajodia, S., Ammann, P., Swarup, V.: A weakest-adversary security metric for network configuration security analysis. In: Proceedings of the 2nd ACM Workshop on Quality of Protection. QoP 2006, pp. 31–38. ACM, New York (2006)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Fabrizio Baiardi
    • 1
    Email author
  • Fabio Corò
    • 1
  • Federico Tonelli
    • 1
  • Alessandro Bertolini
    • 1
  • Roberto Bertolotti
    • 1
  • Luca Guidi
    • 2
  1. 1.Dipartimento di InformaticaUniversità di PisaPisaItaly
  2. 2.ENEL Ingegneria e Ricerca SpAPisaItaly

Personalised recommendations