A Formal Attack Centric Framework Highlighting Expected Losses of an Information Security Breach

Abstract: From the beginning of the different approaches for analyzing and assessing the information related risk affecting organization, the two factors deriving risk are the damages or losses incurred to the organization and the probability of occurring of those risk incidents. Many qualitative and quantitative models have been proposed to estimate the above two factors considering the asset centric and software centric approaches. This paper proposes an attack centric framework that considers approaches of an attacke… Show more

“…Prior works formalized security problems using game theory (e.g., FLIPIT [41], [24]), "weird machines" [10], attack trees [43], Markov models [40], and other methods. Prior notions of attacker quality include O-complexity [9], expected information loss [38], or success probability [30], which is similar to our concept of ∀ versus ∃-attackers. Attacker synthesis work exists in cyber-physical systems [33,5,20,26,30].…”

Automated Attacker Synthesis for Distributed Protocols

“…Prior works formalized security problems using game theory (e.g., FLIPIT [41], [24]), "weird machines" [10], attack trees [43], Markov models [40], and other methods. Prior notions of attacker quality include O-complexity [9], expected information loss [38], or success probability [30], which is similar to our concept of ∀ versus ∃-attackers. Attacker synthesis work exists in cyber-physical systems [33,5,20,26,30].…”

Automated Attacker Synthesis for Distributed Protocols