References of "Muller, Cédric"
Peer Reviewed
Fast and optimal countermeasure selection for attack defence trees
Muller, Steve UL; Harpes, Carlo; Muller, Cédric

in Lecture Notes in Computer Science (2017), 10224 LNCS

Risk treatment is an important part of risk management, and deals with the question which security controls shall be implemented in order to mitigate risk. Indeed, most notably when the mitigated risk is low, the costs engendered by the implementation of a security control may exceed its benefits. The question becomes particularly interesting if there are several countermeasures to choose from. A promising candidate for modeling the effect of defensive mechanisms on a risk scenario are attack–defence trees. Such trees allow one to compute the risk of a scenario before and after the implementation of a security control, and thus to weigh its benefits against its costs. A naive approach for finding an optimal set of security controls is to try out all possible combinations. However, such a procedure quickly reaches its limits already for a small number of defences. This paper presents a novel branch-and-bound algorithm, which skips a large part of the combinations that cannot lead to an optimal solution. The performance is thereby increased by several orders of magnitude compared to the pure brute–force version. © 2017, Springer International Publishing AG.

Peer Reviewed
Bridging two worlds: Reconciling practical risk assessment methodologies with theory of attack trees
Gadyatskaya, Olga UL; Harpes, Carlo; Mauw, Sjouke UL et al

in Proc. of GraMSec (2016)

Security risk treatment often requires a complex cost-benefit analysis to be carried out in order to select countermeasures that optimally reduce risks while having minimal costs. According to ISO/IEC 27001, risk treatment relies on catalogues of countermeasures, and the analysts are expected to estimate the residual risks. At the same time, recent advancements in attack tree theory provide elegant solutions to this optimization problem. In this short paper we propose to bridge the gap between these two worlds by introducing optimal countermeasure selection problem on attack-defense trees into the TRICK security risk assessment methodology.
