Quantitative Information Security Risk Estimation Using Probabilistic Attack Graphs

  • Pontus Johnson
  • Alexandre VernotteEmail author
  • Dan Gorton
  • Mathias Ekstedt
  • Robert Lagerström
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10224)


This paper proposes an approach, called pwnPr3d, for quantitatively estimating information security risk in ICT systems. Unlike many other risk analysis approaches that rely heavily on manual work and security expertise, this approach comes with built-in security risk analysis capabilities. pwnPr3d combines a network architecture modeling language and a probabilistic inference engine to automatically generate an attack graph, making it possible to identify threats along with the likelihood of these threats exploiting a vulnerability. After defining the value of information assets to their organization with regards to confidentiality, integrity and availability breaches, pwnPr3d allows users to automatically quantify information security risk over time, depending on the possible progression of the attacker. As a result, pwnPr3d provides stakeholders in organizations with a holistic approach that both allows high-level overview and technical details.


Quantitative risk analysis Attack graphs Threat modeling Network security Information security 



The work presented in this paper has received funding from the European Unions Seventh Framework Programme for research, technological development and demonstration under grant agreement no. 607109 as well as the Swedish Civil Contingencies Agency (MSB) through the research centre on Resilient Information and Control Systems (RICS).


  1. 1.
    Alberts, C.J., Dorofee, A.: Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley Longman Publishing Co., Inc. (2002)Google Scholar
  2. 2.
    Armin, J., Thompson, B., Ariu, D., Giacinto, G., Roli, F., Kijewski, P.: 2020 cybercrime economic costs: No measure no solution. In 10th International Conference on Availability, Reliability and Security (ARES), pp. 701–710. IEEE (2015)Google Scholar
  3. 3.
    Cherkassky, B.V., Goldberg, A.V., Radzik, T.: Shortest paths algorithms: theory and experimental evaluation. Math. Program. 73(2), 129–174 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Chu, M., Ingols, K., Lippmann, R., Webster, S., Boyer, S.: Visualizing attack graphs, reachability, and trust relationships with navigator. In: Proceedings of the 7th International Symposium on Visualization for Cyber Security, pp. 22–33. ACM (2010)Google Scholar
  5. 5.
    European Commission. Towards a general policy on the fight against cyber crime (2007). Accessed 5 March 2017
  6. 6.
    Cooper, D.: The australian and new zealand standard on risk management, as/nzs 4360: 2004. Tutorial Notes: Broadleaf Capital International Pty Ltd, pp. 128–151 (2004)Google Scholar
  7. 7.
    ECB. Recommendations for the security of internet payments (2015)., Accessed 5 March 2017
  8. 8.
    FFIEC. Supplement to authentication in an internet banking environment (2011). Accessed 5 March 2017
  9. 9.
    W. E. Forum. Industry agenda. partnering for cyber resilience - towards the quantification of cyber threats, January 2015. Accessed 5 March 2017
  10. 10.
    Frigault, M., Wang, L., Singhal, A., Jajodia, S.: Measuring network security using dynamic Bayesian network. In: Proceedings of the 4th ACM Workshop on Quality of Protection, pp. 23–30. ACM (2008)Google Scholar
  11. 11.
    Goodyear, M., Goerdel, H.T., Portillo, S., Williams, L.: Cybersecurity management in the states: The emerging role of chief information security officers. Available at SSRN 2187412 (2010)Google Scholar
  12. 12.
    Holm, H.: A large-scale study of the time required to compromise a computer system. IEEE Trans. Dependable Secure Comput. 11(1), 2–15 (2014)CrossRefGoogle Scholar
  13. 13.
    Holm, H., Shahzad, K., Buschle, M., Ekstedt. M.: P cysemol: predictive, probabilistic cyber security modeling language. IEEE Trans. Dependable Secure Comput. 12(6), 626–639 (2015)Google Scholar
  14. 14.
    Homer, J., Zhang, S., Ou, X., Schmidt, D., Du, Y., Rajagopalan, S.R., Singhal, A.: Aggregating vulnerability metrics in enterprise networks using attack graphs. J. Comput. Secur. 21(4), 561–597 (2013)CrossRefGoogle Scholar
  15. 15.
    Hoo, K.J.S.: How much is enough? A risk management approach to computer security. Stanford University Stanford, Calif (2000)Google Scholar
  16. 16.
    Howard, M., LeBlanc, D.: Writing secure code, 2nd edn. (2002)Google Scholar
  17. 17.
    E. ISO. Iec 27005: 2011 (en) information technology-security techniques-information security risk management switzerland. ISO/IEC (2011)Google Scholar
  18. 18.
    Johnson, P., Vernotte, A., Ekstedt, M., Lagerström, R.: pwnpr3d: an attack-graph-driven probabilistic threat-modeling approach. In: 11th International Conference on Availability, Reliability and Security (ARES). IEEE (2016)Google Scholar
  19. 19.
    Jonsson, E., Olovsson, T.: A quantitative model of the security intrusion process based on attacker behavior. IEEE Trans. Softw. Eng. 23(4), 235–245 (1997)CrossRefGoogle Scholar
  20. 20.
    Kaspersky. The great bank robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide (2015). Accessed 5 March 2017
  21. 21.
    Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer Science & Business Media, Heidelberg (2010)zbMATHGoogle Scholar
  22. 22.
    Meta object facility (MOF) 2.5 core specification (2015).
  23. 23.
    S. NIST. 800–30. Risk management guide for information technology systems, pp. 800–30 (2002)Google Scholar
  24. 24.
    Noel, S., Elder, M., Jajodia, S., Kalapa, P., O’Hare, S., Prole, K.: Advances in topological vulnerability analysis. In: Conference For Homeland Security, CATCH 2009. Cybersecurity Applications Technology, pp. 124–129, March 2009Google Scholar
  25. 25.
    Noel, S., Jajodia, S., Wang, L., Singhal, A.: Measuring security risk of networks using attack graphs. Int. J. Next Gener. Comput. 1(1), 135–147 (2010)Google Scholar
  26. 26.
    Nyanchama, M.: Enterprise vulnerability management and its role in information security management. Inform. Syst. Secur. 14(3), 29–56 (2005)CrossRefGoogle Scholar
  27. 27.
    Ponemon Institute. Cost of cyber crime report (2013)Google Scholar
  28. 28.
    Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)CrossRefGoogle Scholar
  29. 29.
    Soomro, Z.A., Shah, M.H., Ahmed, J.: Information security management needs more holistic approach: a literature review. Int. J. Inf. Manage. 36(2), 215–225 (2016)CrossRefGoogle Scholar
  30. 30.
    Verizon. Data breach investigations report (2014)Google Scholar
  31. 31.
    Xie, P., Li, J.H., Ou, X., Liu, P., Levy, R.: Using Bayesian networks for cyber security analysis. In: 2010 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 211–220. IEEE (2010)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Pontus Johnson
    • 1
  • Alexandre Vernotte
    • 1
    Email author
  • Dan Gorton
    • 2
  • Mathias Ekstedt
    • 1
  • Robert Lagerström
    • 1
  1. 1.KTH Royal Institute of TechnologyStockholmSweden
  2. 2.Foreseeti ABStockholmSweden

Personalised recommendations