Attack Modeling for System Security Analysis

(Position Paper)
  • Abdullah Altawairqi
  • Manuel Maarek
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10489)


Approaches to the safety analysis of software-intensive systems are being adapted to also provide security assurance. Extensions have been proposed to reflect the specific nature of security analysis, either by introducing intention as a causal factor in reaching an unsafe state of the system, or by introducing new layers in the system modelling to model its attack surface.

In this paper we propose to extend these approaches by modelling the attack perspective alongside the system. We explain how such modelling could be used to verify the coverage of the security analysis and facilitate its maintenance.


Keywords: Hazard analysis, Security analysis, Attack model



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Heriot-Watt University, Edinburgh, UK
