Defense trees for economic evaluation of security investments

Authors:
Stefano Bistarelli;Fabio Fioravanti;Pamela Peretti
Affiliations:
Universita degli Studi "G. d'Annunzio" Pescara, Italy;Universita degli Studi "G. d'Annunzio" Pescara, Italy;Universita degli Studi "G. d'Annunzio" Pescara, Italy
Venue:
ARES '06 Proceedings of the First International Conference on Availability, Reliability and Security
Year:
2006

Citing 0
Cited 19

Augmented Risk Analysis

Electronic Notes in Theoretical Computer Science (ENTCS)
Using CP-nets as a guide for countermeasure selection

Proceedings of the 2007 ACM symposium on Applied computing
Analyzing Security Scenarios Using Defence Trees and Answer Set Programming

Electronic Notes in Theoretical Computer Science (ENTCS)
A Layered Decision Model for cost-effective system security

International Journal of Information and Computer Security
IT security risk management

Proceedings of the 46th Annual Southeast Regional Conference on XX
An Approach to Security Policy Configuration Using Semantic Threat Graphs

Proceedings of the 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security XXIII
Security risk management using internal controls

Proceedings of the first ACM workshop on Information security governance
Quantified security is a weak hypothesis: a critical survey of results and assumptions

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Answer set optimization for and/or composition of CP-nets: a security scenario

CP'07 Proceedings of the 13th international conference on Principles and practice of constraint programming
Strategic games on defense trees

FAST'06 Proceedings of the 4th international conference on Formal aspects in security and trust
Cybersecurity for critical infrastructures: attack and defense modeling

IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans
Analyzing the security in the GSM radio network using attack jungles

ISoLA'10 Proceedings of the 4th international conference on Leveraging applications of formal methods, verification, and validation - Volume Part I
Foundations of attack-defense trees

FAST'10 Proceedings of the 7th International conference on Formal aspects of security and trust
Technical Communication: Attribution of attack trees

Computers and Electrical Engineering
A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem

Decision Support Systems
Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees

Security and Communication Networks
Benchmarking cloud security level agreements using quantitative policy trees

Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
ADTool: security analysis with attack---defense trees

QEST'13 Proceedings of the 10th international conference on Quantitative Evaluation of Systems
Comparing attack trees and misuse cases in an industrial setting

Information and Software Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we present a mixed qualitative and quantitative approach for evaluation of Information Technology (IT) security investments. For this purpose, we model security scenarios by using defense trees, an extension of attack trees with attack countermeasures and we use economic quantitative indexes for computing the defender's return on security investment and the attacker's return on attack. We show how our approach can be used to evaluate effectiveness and economic profitability of countermeasures as well as their deterrent effect on attackers, thus providing decision makers with a useful tool for performing better evaluation of IT security investments during the risk management process.