Bridging Two Worlds: Reconciling Practical Risk Assessment Methodologies with Theory of Attack Trees

  • Olga Gadyatskaya
  • Carlo Harpes
  • Sjouke Mauw
  • Cédric Muller
  • Steve Muller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9987)


Abstract

Security risk treatment often requires a complex cost-benefit analysis in order to select the countermeasures that reduce risk the most at the least cost. According to ISO/IEC 27001, risk treatment relies on catalogues of countermeasures, and analysts are expected to estimate the residual risks. At the same time, recent advances in attack tree theory provide elegant solutions to this optimization problem. In this paper we propose to bridge the gap between these two worlds by introducing the optimal countermeasure selection problem on attack-defense trees into the TRICK security risk assessment methodology.
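The optimisation problem the abstract refers to, as an added worked example (this is not code from the paper, from TRICK or from ADTool, and the paper's own solution method is not reproduced here). The modelling choices are assumptions: attack nodes are OR/AND refinements of basic steps with independent success probabilities, a countermeasure attached to a node removes a fraction of that node's success probability, residual risk is P(root attack succeeds) times impact, and the optimum is found by enumerating every subset of countermeasures, which is exponential in their number and only meant for small trees. The tree, probabilities, costs and effectiveness values are constructed for illustration.

```python
"""Optimal countermeasure selection on a small attack-defense tree.

Added example, not code from the paper, TRICK or ADTool.  All modelling
assumptions (independent success probabilities, multiplicative defence
effectiveness, risk = probability * impact, brute-force subset search)
are mine and chosen for readability, not for scale.
"""
from dataclasses import dataclass, field
from itertools import combinations
from math import prod
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Countermeasure:
    name: str
    cost: float           # deployment cost, in the same (assumed) units as impact
    effectiveness: float  # fraction of the defended node's success probability removed


@dataclass
class AttackNode:
    name: str
    kind: str                                 # "LEAF", "OR" or "AND"
    children: List["AttackNode"] = field(default_factory=list)
    p: float = 0.0                            # base success probability (LEAF only)
    defense: Optional[Countermeasure] = None  # countermeasure attached to this node


def success_probability(node: AttackNode, selected: FrozenSet[str]) -> float:
    """P(the attacker achieves `node`) given the names of the deployed countermeasures."""
    if node.kind == "LEAF":
        p = node.p
    elif node.kind == "OR":    # any one child suffices (children assumed independent)
        p = 1.0 - prod(1.0 - success_probability(c, selected) for c in node.children)
    elif node.kind == "AND":   # every child is needed
        p = prod(success_probability(c, selected) for c in node.children)
    else:
        raise ValueError(f"unknown node kind {node.kind!r}")
    if node.defense is not None and node.defense.name in selected:
        p *= 1.0 - node.defense.effectiveness
    return p


def countermeasures_of(node: AttackNode) -> Dict[str, Countermeasure]:
    """All countermeasures attached anywhere in the tree, keyed by name."""
    found = {} if node.defense is None else {node.defense.name: node.defense}
    for child in node.children:
        found.update(countermeasures_of(child))
    return found


def residual_risk(root: AttackNode, impact: float, selected: FrozenSet[str]) -> float:
    return success_probability(root, selected) * impact


def _all_selections(cms: Dict[str, Countermeasure]):
    """Every subset of countermeasure names, smallest first (2^n of them)."""
    for k in range(len(cms) + 1):
        for combo in combinations(sorted(cms), k):
            yield frozenset(combo)


def select_min_total(root: AttackNode, impact: float) -> Tuple[FrozenSet[str], float]:
    """Selection minimising residual risk + countermeasure cost (no budget)."""
    cms = countermeasures_of(root)
    best_sel, best_total = frozenset(), residual_risk(root, impact, frozenset())
    for sel in _all_selections(cms):
        total = residual_risk(root, impact, sel) + sum(cms[n].cost for n in sel)
        if total < best_total:
            best_sel, best_total = sel, total
    return best_sel, best_total


def select_under_budget(root: AttackNode, impact: float, budget: float) -> Tuple[FrozenSet[str], float]:
    """Selection minimising residual risk subject to total cost <= budget."""
    cms = countermeasures_of(root)
    best_sel, best_risk = frozenset(), residual_risk(root, impact, frozenset())
    for sel in _all_selections(cms):
        if sum(cms[n].cost for n in sel) > budget:
            continue
        risk = residual_risk(root, impact, sel)
        if risk < best_risk:
            best_sel, best_risk = sel, risk
    return best_sel, best_risk


IMPACT = 200.0  # constructed loss if the root attack succeeds


def example_tree() -> AttackNode:
    """Constructed attack-defense tree: stealing the customer database."""
    waf = Countermeasure("WAF and input validation", cost=20.0, effectiveness=0.9)
    mfa = Countermeasure("Phishing-resistant MFA", cost=30.0, effectiveness=0.95)
    vet = Countermeasure("Background checks", cost=15.0, effectiveness=0.5)
    return AttackNode("Steal customer database", "OR", children=[
        AttackNode("Exploit web application", "AND", children=[
            AttackNode("Find SQL injection", "LEAF", p=0.6, defense=waf),
            AttackNode("Exfiltrate via database", "LEAF", p=0.8),
        ]),
        AttackNode("Phish DBA credentials", "LEAF", p=0.5, defense=mfa),
        AttackNode("Bribe an insider", "LEAF", p=0.1, defense=vet),
    ])


if __name__ == "__main__":
    root = example_tree()
    print(f"no countermeasures: residual risk {residual_risk(root, IMPACT, frozenset()):.2f}")
    sel, total = select_min_total(root, IMPACT)
    print(f"min risk + cost: {sorted(sel)} -> {total:.2f}")
    sel, risk = select_under_budget(root, IMPACT, budget=35.0)
    print(f"budget 35: {sorted(sel)} -> residual risk {risk:.2f}")
```

On this constructed tree the undefended residual risk is 153.2; deploying all three countermeasures brings risk plus cost to 88.64, but the optimum is the WAF and MFA pair at 82.92, because background checks cost more than the risk they remove. Under a budget of 35 the MFA alone (108.74) beats the cheaper WAF-plus-background-checks combination (109.56), which is exactly the kind of non-obvious trade-off a catalogue-driven selection without a model would miss.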


Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Olga Gadyatskaya (1)
  • Carlo Harpes (2)
  • Sjouke Mauw (1)
  • Cédric Muller (1, 2)
  • Steve Muller (2)

  1. SnT, University of Luxembourg, Luxembourg, Luxembourg
  2. itrust Consulting, Niederanven, Luxembourg