Abstract
Security risk treatment often requires a complex cost-benefit analysis in order to select countermeasures that optimally reduce risks while having minimal costs. According to ISO/IEC 27001, risk treatment relies on catalogues of countermeasures, and the analysts are expected to estimate the residual risks. At the same time, recent advancements in attack tree theory provide elegant solutions to this optimization problem. In this paper we propose to bridge the gap between these two worlds by introducing the optimal countermeasure selection problem on attack-defense trees into the TRICK security risk assessment methodology.
The research leading to the results presented in this work received funding from the European Commission’s Seventh Framework Programme (FP7/2007–2013) under grant agreement number 318003 (TREsPASS) and Fonds National de la Recherche Luxembourg under the grant C13/IS/5809105 (ADT2P).
© 2016 Springer International Publishing AG
Gadyatskaya, O., Harpes, C., Mauw, S., Muller, C., Muller, S. (2016). Bridging Two Worlds: Reconciling Practical Risk Assessment Methodologies with Theory of Attack Trees. In: Kordy, B., Ekstedt, M., Kim, D. (eds) Graphical Models for Security. GraMSec 2016. Lecture Notes in Computer Science(), vol 9987. Springer, Cham. https://doi.org/10.1007/978-3-319-46263-9_5
DOI: https://doi.org/10.1007/978-3-319-46263-9_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46262-2
Online ISBN: 978-3-319-46263-9