Abstract:
Recently security researchers have started to look into automated
generation of attack trees from socio-technical system models.
The obvious next step in this trend of automated risk analysis is
automating the selection of security controls to treat the detected threats.
However, the existing socio-technical models are too abstract to
represent all security controls recommended by practitioners and standards.
In this paper we propose an attack-defence model, consisting of a set of
attack-defence bundles, to be generated and maintained with the
socio-technical model. The attack-defence bundles can be used to synthesise
attack-defence trees directly from the model to offer basic attack-defence
analysis, but also they can be used to select and maintain the security
controls that cannot be handled by the model itself.