Security risk treatment often requires a complex cost-benefit analysis in order to select the countermeasures that optimally reduce risks while incurring minimal costs. According to ISO/IEC 27001, risk treatment relies on catalogues of countermeasures, and the analysts are expected to estimate the residual risks. At the same time, recent advancements in attack tree theory provide elegant solutions to this optimization problem. In this short paper we propose to bridge the gap between these two worlds by introducing the optimal countermeasure selection problem on attack-defense trees into the TRICK security risk assessment methodology.
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust - SnT
Disciplines:
Computer science
Author, co-author:
GADYATSKAYA, Olga ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Harpes, Carlo
MAUW, Sjouke ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Muller, Cedric
Muller, Steve
External co-authors:
no
Document language:
English
Title:
Bridging two worlds: Reconciling practical risk assessment methodologies with theory of attack trees
Publication date:
2016
Event name:
The Third International Workshop on Graphical Models for Security (GraMSec)
Event date:
27-06-2016
Event scope:
International
Title of main work:
Proc. of GraMSec
Publisher:
Springer
Series and series number:
LNCS 9987
Peer reviewed:
Peer reviewed
Focus Area:
Security, Reliability and Trust
European project:
FP7 - 318003 - TRESPASS - Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security