Security Analysis Using Subjective Attack Trees

Nasser Al-Hadhrami, Matthew Collinson, Nir Oren

Research output: Chapter in Book/Report/Conference proceedingPublished conference contribution

10 Downloads (Pure)


Subjective attack trees are an extension to traditional attack trees, proposed so to take uncertainty about likelihoods of security events into account during the modelling of security risk scenarios, using subjective opinions. This paper extends the work of subjective attack trees by allowing for the modelling of countermeasures, as well as conducting a comprehensive security and security investment analysis, such as risk measuring and analysis of profitable security investments. Our approach is evaluated against traditional attack trees. The results demonstrate the importance and advantage of taking uncertainty about probabilities into account. In terms of security investment, our approach seems to be more inclined to protect systems in presence of uncertainty (or lack of knowledge) about security events evaluations.
Original languageEnglish
Title of host publicationInnovative Security Solutions for Information Technology and Communications
Subtitle of host publicationSecITC 2020. Lecture Notes in Computer Science
EditorsDiana Maimut, Andrei-George Oprina, Damien Sauveron
Number of pages14
ISBN (Electronic)978-3-030-69255-1
ISBN (Print)978-3-030-69254-4
Publication statusPublished - 4 Feb 2021
EventSecurity Solutions for Information Technology and Communications - 13th International Conference - Bucharest, Romania
Duration: 19 Nov 202020 Nov 2020
Conference number: 13th

Publication series

NameLecture Notes in Computer Science
ISSN (Electronic)0302-9743


ConferenceSecurity Solutions for Information Technology and Communications - 13th International Conference
Abbreviated titleSecITC 2020
Internet address


  • Attack trees
  • risk analysis
  • Subjective logic
  • Risk analysis


Dive into the research topics of 'Security Analysis Using Subjective Attack Trees'. Together they form a unique fingerprint.

Cite this