Security Analysis Using Subjective Attack Trees

Nasser Al-Hadhrami; Matthew Collinson; Nir Oren

doi:10.1007/978-3-030-69255-1_19

Security Analysis Using Subjective Attack Trees

Nasser Al-Hadhrami, Matthew Collinson, Nir Oren

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

39 Downloads (Pure)

Abstract

Subjective attack trees are an extension to traditional attack trees, proposed so to take uncertainty about likelihoods of security events into account during the modelling of security risk scenarios, using subjective opinions. This paper extends the work of subjective attack trees by allowing for the modelling of countermeasures, as well as conducting a comprehensive security and security investment analysis, such as risk measuring and analysis of profitable security investments. Our approach is evaluated against traditional attack trees. The results demonstrate the importance and advantage of taking uncertainty about probabilities into account. In terms of security investment, our approach seems to be more inclined to protect systems in presence of uncertainty (or lack of knowledge) about security events evaluations.

Original language	English
Title of host publication	Innovative Security Solutions for Information Technology and Communications
Subtitle of host publication	SecITC 2020. Lecture Notes in Computer Science
Editors	Diana Maimut, Andrei-George Oprina, Damien Sauveron
Publisher	Springer
Pages	288-301
Number of pages	14
Volume	12596
ISBN (Electronic)	978-3-030-69255-1
ISBN (Print)	978-3-030-69254-4
DOIs	https://doi.org/10.1007/978-3-030-69255-1_19
Publication status	Published - 4 Feb 2021
Event	Security Solutions for Information Technology and Communications - 13th International Conference - Bucharest, Romania Duration: 19 Nov 2020 → 20 Nov 2020 Conference number: 13th https://www.springer.com/gp/book/9783030692544?utm_campaign=bookpage_about_buyonpublisherssite&utm_medium=referral&utm_source=springerlink

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	12596
ISSN (Electronic)	0302-9743

Conference

Conference	Security Solutions for Information Technology and Communications - 13th International Conference
Abbreviated title	SecITC 2020
Country/Territory	Romania
City	Bucharest
Period	19/11/20 → 20/11/20
Internet address	https://www.springer.com/gp/book/9783030692544?utm_campaign=bookpage_about_buyonpublisherssite&utm_medium=referral&utm_source=springerlink

Keywords

Attack trees
risk analysis
Subjective logic
Risk analysis

Access to Document

10.1007/978-3-030-69255-1_19Licence: Unspecified

Al-Hadhrami_et_al_LNCS_SecurityAnalysisUsing_AAM
The final authenticated version is available online at https://doi.org/10.1007/978-3-030-69255-1_19
Accepted author manuscript, 589 KBLicence: Other

Cite this

Al-Hadhrami, N., Collinson, M., & Oren, N. (2021). Security Analysis Using Subjective Attack Trees. In D. Maimut, A.-G. Oprina, & D. Sauveron (Eds.), Innovative Security Solutions for Information Technology and Communications: SecITC 2020. Lecture Notes in Computer Science (Vol. 12596, pp. 288-301). (Lecture Notes in Computer Science; Vol. 12596). Springer . https://doi.org/10.1007/978-3-030-69255-1_19

Security Analysis Using Subjective Attack Trees. / Al-Hadhrami, Nasser; Collinson, Matthew ; Oren, Nir.
Innovative Security Solutions for Information Technology and Communications: SecITC 2020. Lecture Notes in Computer Science. ed. / Diana Maimut; Andrei-George Oprina; Damien Sauveron. Vol. 12596 Springer , 2021. p. 288-301 (Lecture Notes in Computer Science; Vol. 12596).

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

Al-Hadhrami, N, Collinson, M & Oren, N 2021, Security Analysis Using Subjective Attack Trees. in D Maimut, A-G Oprina & D Sauveron (eds), Innovative Security Solutions for Information Technology and Communications: SecITC 2020. Lecture Notes in Computer Science. vol. 12596, Lecture Notes in Computer Science, vol. 12596, Springer , pp. 288-301, Security Solutions for Information Technology and Communications - 13th International Conference, Bucharest, Romania, 19/11/20. https://doi.org/10.1007/978-3-030-69255-1_19

Al-Hadhrami, Nasser ; Collinson, Matthew ; Oren, Nir. / Security Analysis Using Subjective Attack Trees. Innovative Security Solutions for Information Technology and Communications: SecITC 2020. Lecture Notes in Computer Science. editor / Diana Maimut ; Andrei-George Oprina ; Damien Sauveron. Vol. 12596 Springer , 2021. pp. 288-301 (Lecture Notes in Computer Science).

@inproceedings{b48e7be76b674a158a4a80667e9ce1d0,

title = "Security Analysis Using Subjective Attack Trees",

abstract = "Subjective attack trees are an extension to traditional attack trees, proposed so to take uncertainty about likelihoods of security events into account during the modelling of security risk scenarios, using subjective opinions. This paper extends the work of subjective attack trees by allowing for the modelling of countermeasures, as well as conducting a comprehensive security and security investment analysis, such as risk measuring and analysis of profitable security investments. Our approach is evaluated against traditional attack trees. The results demonstrate the importance and advantage of taking uncertainty about probabilities into account. In terms of security investment, our approach seems to be more inclined to protect systems in presence of uncertainty (or lack of knowledge) about security events evaluations.",

keywords = "Attack trees, risk analysis, Subjective logic, Risk analysis",

author = "Nasser Al-Hadhrami and Matthew Collinson and Nir Oren",

year = "2021",

month = feb,

day = "4",

doi = "10.1007/978-3-030-69255-1_19",

language = "English",

isbn = "978-3-030-69254-4",

volume = "12596",

series = "Lecture Notes in Computer Science",

publisher = "Springer ",

pages = "288--301",

editor = "Diana Maimut and Andrei-George Oprina and Damien Sauveron",

booktitle = "Innovative Security Solutions for Information Technology and Communications",

note = "Security Solutions for Information Technology and Communications - 13th International Conference, SecITC 2020 ; Conference date: 19-11-2020 Through 20-11-2020",

url = "https://www.springer.com/gp/book/9783030692544?utm_campaign=bookpage_about_buyonpublisherssite&utm_medium=referral&utm_source=springerlink",

}

TY - GEN

T1 - Security Analysis Using Subjective Attack Trees

AU - Al-Hadhrami, Nasser

AU - Collinson, Matthew

AU - Oren, Nir

N1 - Conference code: 13th

PY - 2021/2/4

Y1 - 2021/2/4

N2 - Subjective attack trees are an extension to traditional attack trees, proposed so to take uncertainty about likelihoods of security events into account during the modelling of security risk scenarios, using subjective opinions. This paper extends the work of subjective attack trees by allowing for the modelling of countermeasures, as well as conducting a comprehensive security and security investment analysis, such as risk measuring and analysis of profitable security investments. Our approach is evaluated against traditional attack trees. The results demonstrate the importance and advantage of taking uncertainty about probabilities into account. In terms of security investment, our approach seems to be more inclined to protect systems in presence of uncertainty (or lack of knowledge) about security events evaluations.

AB - Subjective attack trees are an extension to traditional attack trees, proposed so to take uncertainty about likelihoods of security events into account during the modelling of security risk scenarios, using subjective opinions. This paper extends the work of subjective attack trees by allowing for the modelling of countermeasures, as well as conducting a comprehensive security and security investment analysis, such as risk measuring and analysis of profitable security investments. Our approach is evaluated against traditional attack trees. The results demonstrate the importance and advantage of taking uncertainty about probabilities into account. In terms of security investment, our approach seems to be more inclined to protect systems in presence of uncertainty (or lack of knowledge) about security events evaluations.

KW - Attack trees

KW - risk analysis

KW - Subjective logic

KW - Risk analysis

UR - http://www.scopus.com/inward/record.url?scp=85101522071&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-69255-1_19

DO - 10.1007/978-3-030-69255-1_19

M3 - Published conference contribution

SN - 978-3-030-69254-4

VL - 12596

T3 - Lecture Notes in Computer Science

SP - 288

EP - 301

BT - Innovative Security Solutions for Information Technology and Communications

A2 - Maimut, Diana

A2 - Oprina, Andrei-George

A2 - Sauveron, Damien

PB - Springer

T2 - Security Solutions for Information Technology and Communications - 13th International Conference

Y2 - 19 November 2020 through 20 November 2020

ER -

Security Analysis Using Subjective Attack Trees

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this