Subjective Attack Trees: Security Risk Modeling Under Second-Order Uncertainty

Nasser Al-Hadhrami
DOI: 10.4018/IJBASC.320498

Abstract

Subjective attack trees (SATs) extend traditional attack trees by taking into account the uncertainty about the probability values of security events. Assigning precise values is often difficult due to lack of knowledge or insufficient historical data, which makes the evaluation of risk in existing approaches unreliable and, in turn, leads to unreliable security decisions. With SATs, the author seeks to better reflect the reality underpinning the model and to offer a better approach to decision-making by modeling uncertainty about the probability distributions in the form of subjective opinions, resulting in a model that takes second-order uncertainty into account. The author further discusses how to conduct security analysis, such as risk measuring and security investments analysis, under the proposed model. Security investments analysis requires first incorporating countermeasures into the model and then studying how these countermeasures reduce risk in the presence of uncertainty about probability values. The importance and advantage of the SAT model are demonstrated through extended examples.

Introduction

An attack tree (AT; Schneier, 1999) is a security paradigm used to define and model all possible attack scenarios against a system in a structured, hierarchical way. The general idea is to analyse how a system can be attacked, and this is done by identifying one or more attack goals against a system and then breaking down each goal into sub-goals (or sub-attacks). A simple example AT is shown in Figure 1, which depicts the possible scenario of infecting a computer by putting a virus on the system and executing the virus. Putting a virus on the system is done by either sending an email containing a malicious attachment or distributing a USB stick. The leaves of the tree represent the actions (also referred to as security events) an attacker can perform in order to complete the attack.

Figure 1. An example attack tree model. Here, the infect computer node represents an AND node, while the put virus on system node is an OR node.

In ATs, reasoning about an attack is done by first evaluating the likelihood of the leaves (i.e., security events), and then propagating the likelihood values to the top of the tree to compute the likelihood of the root node. In ATs, therefore, the main goal of security analysis is to answer the question: What is the likelihood that an attacker can successfully achieve their goal (i.e., the top event node in the tree, e.g., infect a computer as in Figure 1)? Traditionally, such an evaluation is done by assigning probability values to the security events. However, assigning precise values is often difficult in the domain of cybersecurity due to lack of knowledge or insufficient historical data, making the answer to the above question, and therefore the outcomes of risk analysis, unreliable.

Unreliability of likelihood values could lead to unreliable outcomes for risk and security analysis in general because, in order to conduct such analysis, it is essential first to know the likelihood of attacks. Therefore, to have a sound and reliable risk analysis of attack trees, the likelihood of security events should be correctly evaluated, and, in case there is uncertainty around the evaluation, we argue that such uncertainties must be explicitly expressed and reasoned with during the analysis. Doing so would better inform the decision-makers about uncertainties affecting the assessment of risk scenarios and enable them to use finer-grained tools to make a decision based on, for instance, their risk attitudes.

In 2021, my colleagues and I proposed a novel attack tree model, called a subjective attack tree (SAT), to take into account the uncertainty about the probabilities of security events, via subjective opinions (Al-Hadhrami et al., 2021). In subjective logic (Jøsang, 2016), a subjective opinion represents the probability distribution of a random variable complemented by an uncertainty degree about the distribution. The modelling of uncertainty about probability distributions in the form of subjective opinions would produce a model that takes second-order uncertainty (i.e., uncertainty about probabilities) into account.

In 2020, my colleagues and I extended the model of SAT to consider performing a complete security analysis, such as risk measuring and security investments analysis (using the index of return on investment—ROI; Al-Hadhrami et al., 2020). Compared to the security analysis in traditional ATs, such analysis in SATs is carried out in the presence of uncertainty over the probabilities of security events.

In this paper, the author builds on these developments and attempts to address some of their limitations by (a) providing a general form of the propagation rules for subjective opinions in SATs, so that any number of input security events can be propagated, (b) discussing the incorporation of countermeasures into the SAT model both when the effectiveness values of these countermeasures are given as precise values in the range [0, 1] and when they are given as uncertain values (e.g., due to uncertainties regarding their effectiveness), and (c) extending the discussion of risk analysis in Al-Hadhrami et al. (2020) to cover risk measuring based on second-order moment matching, which approximates risk as a beta distribution.
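The following sketch is an added example, not code from the article: it propagates subjective opinions through the Figure 1 tree (OR over the two delivery events, AND with execution) by mapping each opinion to a Beta distribution and moment-matching the gate output back to an opinion. It assumes independent events, the standard subjective-logic Beta mapping with prior weight W = 2, and constructed leaf opinions; the paper's own propagation rules are not shown in this preview and may differ.

```python
from dataclasses import dataclass
from math import prod

W = 2.0  # non-informative prior weight used in subjective logic

@dataclass(frozen=True)
class Opinion:
    b: float        # belief that the security event succeeds
    d: float        # disbelief
    u: float        # uncertainty mass; b + d + u == 1 and u > 0 here
    a: float = 0.5  # base rate, assumed strictly between 0 and 1

    def projected(self):
        # First-order probability implied by the opinion
        return self.b + self.a * self.u

    def negate(self):
        # Opinion about the event NOT succeeding
        return Opinion(self.d, self.b, self.u, 1 - self.a)

    def moments(self):
        # Equivalent Beta(alpha, beta); returns E[X] and E[X^2]
        alpha = W * self.b / self.u + W * self.a
        beta = W * self.d / self.u + W * (1 - self.a)
        s = alpha + beta
        return alpha / s, alpha * (alpha + 1) / (s * (s + 1))

def and_gate(children):
    # Product of independent Betas: first and second moments multiply
    m = prod(c.moments()[0] for c in children)
    q = prod(c.moments()[1] for c in children)
    a = prod(c.a for c in children)
    s = m * (1 - m) / (q - m * m) - 1          # alpha + beta of matched Beta
    u = min(W / s, m / a, (1 - m) / (1 - a))   # cap u so b and d stay >= 0
    return Opinion(m - a * u, (1 - m) - (1 - a) * u, u, a)

def or_gate(children):
    # De Morgan: OR succeeds unless every child fails
    return and_gate([c.negate() for c in children]).negate()

def infect_computer(email, usb, execute):
    # Figure 1: AND(OR(send email, distribute USB), execute virus)
    return and_gate([or_gate([email, usb]), execute])

# Constructed leaf opinions (illustrative values, not from the article)
EMAIL = Opinion(0.6, 0.2, 0.2)
USB = Opinion(0.1, 0.3, 0.6)            # little evidence: high uncertainty
USB_WELL_KNOWN = Opinion(0.35, 0.55, 0.1)  # same projected probability
EXECUTE = Opinion(0.7, 0.1, 0.2)

if __name__ == "__main__":
    for usb in (USB, USB_WELL_KNOWN):
        root = infect_computer(EMAIL, usb, EXECUTE)
        print(f"P={root.projected():.3f} u={root.u:.3f}")
```

Both runs give the same projected root probability, but the root uncertainty mass shrinks when the USB leaf is better known, which is the information a point-probability attack tree discards.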
