Evaluation of complex security scenarios using defense trees and economic indexes

Bistarelli, Stefano; Fioravanti, Fabio; Peretti, Pamela; Santini, Francesco

doi:10.1080/13623079.2011.587206

Cited by 18 publications

(7 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1. The AT metamodel (ATMM), unifies several extensions of the attack tree formalism including traditional attack trees [25,31], attack-defense trees [18], defense trees [6], etc. It consists of two parts: the Structure metamodel and the Values metamodel.…”

Section: Metamodels For Attack Tree Analysismentioning

confidence: 99%

Effective Analysis of Attack Trees: A Model-Driven Approach

Kumar

Schivo

Ruijters

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Attack trees (ATs) are a popular formalism for security analysis, and numerous variations and tools have been developed around them. These were mostly developed independently, and offer little interoperability or ability to combine various AT features. We present ATTop, a software bridging tool that enables automated analysis of ATs using a model-driven engineering approach. ATTop fulfills two purposes: 1. It facilitates interoperation between several AT analysis methodologies and resulting tools (e.g., ATE, ATCalc, ADTool 2.0), 2. it can perform a comprehensive analysis of attack trees by translating them into timed automata and analyzing them using the popular model checker Uppaal, and translating the analysis results back to the original ATs. Technically, our approach uses various metamodels to provide a unified description of AT variants. Based on these metamodels, we perform model transformations that allow to apply various analysis methods to an AT and trace the results back to the AT domain. We illustrate our approach on the basis of a case study from the AT literature.

show abstract

Section: Metamodels For Attack Tree Analysismentioning

confidence: 99%

Effective Analysis of Attack Trees: A Model-Driven Approach

Kumar

Schivo

Ruijters

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Moreover, the effects that IT security investments have on reducing the incidence of data security breaches over time were analyzed (Angst et al 2017). Methods and models for evaluation have been suggested, for instance, by Bistarelli et al (2012), Bodin et al (2005), Cavusoglu et al (2004), Chou et al (2006), Cremonini & Martini (2005), Jing (2009), Locher (2005), Sheen (2010) and Wang et al (2011). Several metrics have been introduced to measure improvements in the overall organizational performance rooted in information security investments, for example, metrics that quantify the Return On Security Investment (ROSI), e.g., Anderson et al (2008), Gordon & Loeb (2002a), the Internal Rate of Return (IRR), e.g., Buck et al (2008) and Wawrzyniak (2006), Net Present Value (NPV), e.g., Eisenga et al (2012) and Sheen (2010), Annual Loss Expectancy (ALE), e.g., Cremonini & Martini (2005) and Tanaka et al (2005) or Cumulated Abnormal Return (CAR), e.g., Andoh-Baidoo & Osei-Bryson (2007) and Campbell et al (2003).…”

Section: Research On Information Security Investmentmentioning

confidence: 99%

“…Due to the complexity and time expenditure of evaluating information security investment decisions, evaluation processes are not applied in practice which contravenes the academic literature providing several methods, models and processes for evaluation (Barnard & von Solms 2000;Bistarelli et al 2012;Bodin et al 2005;Cremonini & Martini 2005;Eloff & Von Solms 2000;Knapp et al 2009;Vroom & von Solms 2004). Academia provides several metrics (Jansen 2011;…”

Section: Metrics and Evaluation Processes Used To Measure The Changesmentioning

confidence: 99%

Information security investments: An exploratory multiple case study on decision-making, evaluation and learning

Weishäupl

Yasasin

Schryen

2018

Computers & Security

View full text Add to dashboard Cite

The need to protect resources against attackers is reflected by huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms' investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur at an ad-hoc basis.

show abstract

“…Technically, it is referred to as 'vulnerability', and it outlines the ease of rupturing a system's security state observed from a defensive point of view. For instance, defense trees [41], [42], the CVSS paradigm [43]- [45], the change-point detection evaluation approach [46], etc., have been used to derive metric values used to represent system susceptibilities to potential threats and attacks. Similarly, the knowledge of these vulnerabilities can help the easy identification and appropriation of security controls and efforts.…”

Section: A) Security Dimension (L1 Scoping)mentioning

confidence: 99%

A framework for Operational Security Metrics Development for industrial control environment

Ani

Tiwari

2018

Journal of Cyber Security Technology

View full text Add to dashboard Cite

Security metrics are very crucial towards providing insights when measuring security states and susceptibilities in industrial operational environments. Obtaining practical security metrics depend on effective security metrics development approaches. To be effective, a security metrics development framework should be scopedefinitive, objective-oriented, reliable, simple, adaptable, and repeatable (SORSAR). A framework for Operational Security Metrics Development (OSMD) for industry control environments is presented, which combines concepts and characteristics from existing approaches. It also adds the new characteristic of adaptability. The OSMD framework is broken down into three phases of: target definition, objective definition, and metrics synthesis. A case study scenario is used to demonstrate an instance of how to implement and apply the proposed framework to demonstrate its usability and workability. Expert elicitation has also be used to consolidate the validity of the proposed framework. Both validation approaches have helped to show that the proposed framework can help create effective and efficient ICScentric security metrics taxonomy that can be used to evaluate capabilities or vulnerabilities. The understanding from this can help enhance security assurance within industrial operational environments.

show abstract

Evaluation of complex security scenarios using defense trees and economic indexes

Cited by 18 publications

References 19 publications

Effective Analysis of Attack Trees: A Model-Driven Approach

Effective Analysis of Attack Trees: A Model-Driven Approach

Information security investments: An exploratory multiple case study on decision-making, evaluation and learning

A framework for Operational Security Metrics Development for industrial control environment

Contact Info

Product

Resources

About