Modelling Security Risk Scenarios Using Subjective Attack Trees

Al-Hadhrami, Nasser; Collinson, Matthew; Oren, Nir

doi:10.1007/978-3-030-68887-5_12

Cited by 3 publications

(1 citation statement)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In 2021, my colleagues and I proposed a novel attack tree model, called a subjective attack tree (SAT), to take into account the uncertainty about the probabilities of security events, via subjective opinions (Al-Hadhrami et al, 2021). In subjective logic (Jøsang, 2016), a subjective opinion represents the probability distribution of a random variable complemented by an uncertainty degree about the distribution.…”

Section: Introductionmentioning

confidence: 99%

Subjective Attack Trees

Al-Hadhrami¹

2023

International Journal of Blockchain Applications and Secure Computing

Self Cite

View full text Add to dashboard Cite

Subjective attack trees (SATs) extend traditional attack trees by taking into account the uncertainty about the probability values of security events. Assigning precise values is often difficult due to lack of knowledge, or insufficient historical data, making the evaluation of risk in existing approaches unreliable, and therefore unreliable security decisions. With SATs, the author seeks to better reflect the reality underpinning the model and offer a better approach to decision-making via the modeling of uncertainty about the probability distributions in the form of subjective opinions, resulting in a model taking second-order uncertainty into account. The author further discusses how to conduct security analysis, such as risk measuring and security investments analysis, under the proposed model. Security investments analysis requires first to incorporate the model with countermeasures and then study how these countermeasures reduce risk in the presence of uncertainty about probability values. The importance and advantage of the SAT model are demonstrated through extended examples.

show abstract

Section: Introductionmentioning

confidence: 99%

Subjective Attack Trees

Al-Hadhrami¹

2023

International Journal of Blockchain Applications and Secure Computing

Self Cite

View full text Add to dashboard Cite

show abstract

Security Analysis Using Subjective Attack Trees

Al-Hadhrami

Collinson

Oren

2021

Innovative Security Solutions for Information Technology and Communications

Self Cite

View full text Add to dashboard Cite

Subjective attack trees are an extension to traditional attack trees, proposed so to take uncertainty about likelihoods of security events into account during the modelling of security risk scenarios, using subjective opinions. This paper extends the work of subjective attack trees by allowing for the modelling of countermeasures, as well as conducting a comprehensive security and security investment analysis, such as risk measuring and analysis of profitable security investments. Our approach is evaluated against traditional attack trees. The results demonstrate the importance and advantage of taking uncertainty about probabilities into account. In terms of security investment, our approach seems to be more inclined to protect systems in presence of uncertainty (or lack of knowledge) about security events evaluations.

show abstract