Calculating Adversarial Risk from Attack Trees: Control Strength and Probabilistic Attackers

  • Wolter PietersEmail author
  • Mohsen Davarynejad
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8872)


Attack trees are a well-known formalism for quantitative analysis of cyber attacks consisting of multiple steps and alternative paths. It is possible to derive properties of the overall attacks from properties of individual steps, such as cost for the attacker and probability of success. However, in existing formalisms, such properties are considered independent. For example, investing more in an attack step would not increase the probability of success. As this seems counterintuitive, we introduce a framework for reasoning about attack trees based on the notion of control strength, annotating nodes with a function from attacker investment to probability of success. Calculation rules on such trees are defined to enable analysis of optimal attacker investment. Our second result consists of the translation of optimal attacker investment into the associated adversarial risk, yielding what we call adversarial risk trees. The third result is the introduction of probabilistic attacker strategies, based on the fitness (utility) of available scenarios. Together these contributions improve the possibilities for using attack trees in adversarial risk analysis.


Adversarial risk analysis Attack trees Attacker models Control strength Fitness functions Security metrics Simulation 



The research leading to these results has received funding from the European Union’s Seventh Framework Programme (FP7/2007–2013) under grant agreement number ICT-318003 (TREsPASS). This publication reflects only the authors’ views and the Union is not liable for any use that may be made of the information contained herein.


  1. 1.
    Arnold, F., Hermanns, H., Pulungan, R., Stoelinga, M.: Time-dependent analysis of attacks. In: Abadi, M., Kremer, S. (eds.) POST 2014 (ETAPS 2014). LNCS, vol. 8414, pp. 285–305. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  2. 2.
    Arnold, F., Pieters, W., Stoelinga, M.I.A.: Quantitative penetration testing with item response theory. In: 2013 Proceedings of Information Assurance and Security (IAS). IEEE (2013)Google Scholar
  3. 3.
    Bistarelli, S., Fioravanti, F., Peretti, P.: Defense trees for economic evaluation of security investments. In: 2006 The First International Conference on Availability, Reliability and Security, ARES 2006 (2006)Google Scholar
  4. 4.
    Buldas, A., Laud, P., Priisalu, J., Saarepera, M., Willemson, J.: Rational choice of security measures via multi-parameter attack trees. In: López, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 235–248. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  5. 5.
    Cox Jr, L.A.: Game theory and risk analysis. Risk Anal. 29(8), 1062–1068 (2009)CrossRefGoogle Scholar
  6. 6.
    Cremonini, M., Martini, P.: Evaluating information security investments from attackers perspective: the return-on-attack (ROA). In: 4th Workshop on the Economics on Information Security (2005)Google Scholar
  7. 7.
    Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  8. 8.
    Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees. Comput. Sci. Rev. 13–14, 1–38 (2014)CrossRefGoogle Scholar
  9. 9.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  10. 10.
    de la Maza, M., Tidor, B.: An analysis of selection procedures with particular attention paid to proportional and Boltzmann selection. In: Proceedings of the 5th International Conference on Genetic Algorithms, pp. 124–131 (1993)Google Scholar
  11. 11.
    Nulton, J.D., Salamon, P.: Statistical mechanics of combinatorial optimization. Phys. Rev. A 37(4), 1351–1356 (1988)CrossRefMathSciNetGoogle Scholar
  12. 12.
    Pieters, W.: Defining “the weakest link”: comparative security in complex systems of systems. In: 2013 IEEE 5th International Conference on Cloud Computing Technology and Science (CloudCom), vol. 2, pp. 39–44, December 2013Google Scholar
  13. 13.
    Pieters, W., Lukszo, Z., Hadžiosmanović, D., Van den Berg, J.: Reconciling malicious and accidental risk in cyber security. J. Internet Serv. Inf. Secur. 4(2), 4–26 (2014)Google Scholar
  14. 14.
    Pieters, W., Van der Ven, S.H.G., Probst, C.W.: A move in the security measurement stalemate: elo-style ratings to quantify vulnerability. In: Proceedings of the 2012 New Security Paradigms Workshop, NSPW 2012, pp. 1–14. ACM (2012)Google Scholar
  15. 15.
    Schneier, B.: Attack trees: modeling security threats. Dr. Dobb’s J. 24(12), 21–29 (1999)Google Scholar
  16. 16.
    The Open Group. Risk taxonomy. Technical report C081, The Open Group (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Technology Policy and Management, ICTDelft University of TechnologyDelftThe Netherlands
  2. 2.EEMCS, Services, Cybersecurity and SafetyUniversity of TwenteEnschedeThe Netherlands
  3. 3.Department of Radiation OncologyErasmus Medical Center, Daniel den Hoed Cancer CenterRotterdamThe Netherlands

Personalised recommendations