Automating Defence Generation for Risk Assessment

TitleAutomating Defence Generation for Risk Assessment
Publication TypeConference Paper
Year of Publication2016
AuthorsGadyatskaya O.
Conference Name1st European Symposium on Security and Privacy, Saarbrücken, Germany
Date PublishedMarch
PublisherIEEE Computer Society
Conference LocationUSA
ISBN Numbernot assigned

Efficient risk assessment requires automation of its most tedious tasks: identification of vulnerabilities, attacks that can exploit these vulnerabilities, and countermeasures that can mitigate the attacks. E.g., the attack tree generation by policy invalidation approach looks at systematic automatic generation of attack trees from a socio-technical model of an organization. Attack trees succinctly represent the ways to attack the system. They are useful for identifying the most dangerous attacks, and can be explained to the stakeholders. We now propose a technique to generate attack-defence trees from a socio- technical model. Generated trees incorporate not only attacks, but also defences already present in the system. Furthermore, they can be further used as a basis for risk treatment.