Subjective Attack Trees: Security Risk Modeling Under Second-Order Uncertainty

Subjective attack trees (SATs) extend traditional attack trees by taking into account the uncertainty about the probability values of security events. Assigning precise values is often difficult due to a lack of knowledge or insufficient historical data, which makes the evaluation of risk in existing approaches unreliable and therefore leads to unreliable security decisions. With SATs, the author seeks to better reflect the reality underpinning the model and to offer a better approach to decision-making by modelling uncertainty about the probability distributions in the form of subjective opinions, resulting in a model that takes second-order uncertainty into account. The author further discusses how to conduct security analysis, such as risk measuring and security investments analysis, under the proposed model. Security investments analysis requires first incorporating countermeasures into the model and then studying how these countermeasures reduce risk in the presence of uncertainty about probability values. The importance and advantages of the SAT model are demonstrated through extended examples.


INTRODUCTION
An attack tree (AT; Schneier, 1999) is a security paradigm used to define and model all possible attack scenarios against a system in a structured, hierarchical way. The general idea is to analyse how a system can be attacked, and this is done by identifying one or more attack goals against a system and then breaking down each goal into sub-goals (or sub-attacks). A simple example AT is shown in Figure 1, which depicts the possible scenario of infecting a computer by putting a virus on the system and executing the virus. Putting a virus on the system is done by either sending an email containing a malicious attachment or distributing a USB stick. The leaves of the tree represent the actions (also referred to as security events) an attacker can perform in order to complete the attack.
In ATs, reasoning about an attack is done by first evaluating the likelihood of the leaves (i.e., security events), and then propagating the likelihood values to the top of the tree to compute the likelihood of the root node. In ATs, therefore, the main goal of security analysis is to answer the question: What is the likelihood that an attacker can successfully achieve their goal (i.e., the top event node in the tree, e.g., infect a computer as in Figure 1)? Traditionally, such an evaluation is done by assigning probability values to the security events. However, assigning precise values is often difficult in the domain of cybersecurity due to lack of knowledge or insufficient historical data, making the answer to the above question, and therefore the outcomes of risk analysis, unreliable.
Unreliability of likelihood values could lead to unreliable outcomes for risk and security analysis in general because, in order to conduct such analysis, it is essential first to know the likelihood of attacks. Therefore, to have a sound and reliable risk analysis of attack trees, the likelihood of security events should be correctly evaluated, and, in case there is uncertainty around the evaluation, we argue that such uncertainties must be explicitly expressed and reasoned with during the analysis. Doing so would better inform the decision-makers about uncertainties affecting the assessment of risk scenarios and enable them to use finer-grained tools to make a decision based on, for instance, their risk attitudes.
In 2021, my colleagues and I proposed a novel attack tree model, called a subjective attack tree (SAT), to take into account the uncertainty about the probabilities of security events, via subjective opinions (Al-Hadhrami et al., 2021). In subjective logic (Jøsang, 2016), a subjective opinion represents the probability distribution of a random variable complemented by an uncertainty degree about the distribution. The modelling of uncertainty about probability distributions in the form of subjective opinions would produce a model that takes second-order uncertainty (i.e., uncertainty about probabilities) into account.
In 2020, my colleagues and I extended the model of SAT to consider performing a complete security analysis, such as risk measuring and security investments analysis (using the index of return on investment, ROI; Al-Hadhrami et al., 2020). Compared to the security analysis in traditional ATs, such analysis in SATs is carried out in the presence of uncertainty over the probabilities of security events.
In this paper, the author builds on these developments and attempts to address some of their limitations through (a) providing a general form of the propagation rules of subjective opinions in SATs to deal with the propagation of any number of input security events, (b) discussing the incorporation of countermeasures into the SAT model both when the effectiveness values of these countermeasures are given as precise values in the range [0, 1] and when they are given as uncertain values (e.g., due to uncertainties regarding their effectiveness), and (c) extending the discussion of risk analysis in (Al-Hadhrami et al., 2020) to cover risk measuring based on second-order moment matching, which approximates risk as a beta distribution.
The rest of the paper is organised as follows. The following section provides an overview of attack trees and subjective logic. Next, the SAT model is presented, and the propagation method of subjective opinions in the model is demonstrated. Following this, the security analysis in the SAT model is discussed. The discussion includes conducting risk computation, adding countermeasures to the model, and performing security investments analysis using the index of ROI to select the most profitable security controls for implementation. An illustrative security analysis example using the SAT model is given in the subsequent section. After that, the importance and advantages of the proposed model are demonstrated through a comparison with the classic probabilistic attack tree model. The discussion section evaluates the proposed model, and finally, some promising future directions for this research are provided.

Figure 1. An example attack tree model. Here, the infect computer node represents an AND node, while the put virus on system node is an OR node.

BACKGROUND

Attack Trees and Related Work
Attack trees (ATs) were first introduced in 1999 by Schneier as tools to analyse and evaluate all possible attack scenarios against complex systems in a structured, hierarchical way (Schneier, 1999). Recently, a number of computer-based models and systems have been developed whose security aspects are evaluated using the AT model (for example, see Krichen et al., 2019; Scala et al., 2022; Valluripally et al., 2020; Shang et al., 2019). The general idea of ATs is to identify one or more attack goals against a system and then break down each goal into sub-goals (or sub-attacks), which can be further decomposed into other sub-goals until reaching a state where sub-attacks cannot be further refined. These final sub-attacks, representing the leaves of an AT, are the basic security events (or actions) an attacker can perform, by exploiting existing vulnerabilities, to achieve their overall goal, i.e., the root node of an AT. A node's children can be decomposed in a conjunctive or disjunctive manner. The former requires that all of the node's children be satisfied in order to complete an attack, while with the latter, at least one of the child nodes has to be satisfied.
The values of nodes in a tree can take on different forms, depending on the security attributes or properties that need to be analysed. Such values may represent the probability of success of a given attack, the likelihood that an attacker will try a given attack, the impact of an attack, and so on. Among these various input parameters used in ATs, the likelihood of attack represents one of the core input parameters required to conduct security analysis, as it allows one to determine how likely it is that a system can be attacked. Having determined the likelihood, it is possible after that to extend the security analysis to involve, for example, risk measuring, or conducting security investments analysis to select implementable countermeasures. However, security events often occur in a context of uncertainty, and security analysts should analyse the potential uncertainties around them for efficient identification, management, and evaluation of risk (Couce-Vieira et al., 2017).
The most common approach to evaluate likelihoods in the literature is the probabilistic approach (e.g., Buldas et al., 2020; K. Edge et al., 2007; Kumar & Stoelinga, 2017; Pieters & Davarynejad, 2014; Roy et al., 2010; P. Wang et al., 2012), which provides precise values, as probability distributions, for likelihoods. In this approach, however, eliciting accurate probabilities is usually difficult due to a lack of expertise or insufficient historical data, meaning that the results obtained from using such an approach could be unreliable, and therefore lead to unreliable security decisions (Kaplan & Ivanovska, 2018). Furthermore, using the probabilistic approach, we cannot model situations of ignorance, expressed by "I don't know" (Jøsang, 2016), or situations of high uncertainty as a result of poor knowledge for assigning probabilities.
Other approaches proposed to model uncertainty about likelihoods in risk analysis models, aiming to address the limitations of the probabilistic approach, are the use of interval analysis (Jürgenson & Willemson, 2007) and fuzzy numbers (Buoni et al., 2010; Zhang et al., 2017). In the interval analysis approach, a range of possible values, bounded by lower and upper values, is defined (rather than just a single value) to express possible probabilities for likelihoods. Similarly, with the fuzzy numbers approach, a range of possible values is also defined, but additionally, the approach determines the most likely value within the range, assigning a possibility of one to this value, while others are assigned lower possibilities (i.e., membership degrees). In these approaches, however, specifying lower and upper bounds (or determining the most likely value in the fuzzy numbers approach) does not resolve the issue of how these values were precisely determined; that is, in case of insufficient historical data, for example, how can one be certain that the probability is bounded by two known values and therefore cannot be less than the lower value nor greater than the upper value?

Subjective Logic
Subjective logic (Jøsang, 2016) is a formalism for reasoning under uncertainty that extends probabilistic logic to allow second-order uncertainty to be expressed about probability values, via so-called subjective opinions. In subjective logic, a subjective opinion represents the probability distribution of a random variable complemented by an uncertainty degree about the distribution. Consider a proposition $X$ such as "the workstation is compromised." The validity of $X$ is uncertain in general, but we can assume there is a "ground truth" probability $p_x$ that $X$ is true, and $p_{\bar{x}}$ (i.e., $1 - p_x$) that $X$ is false. This makes $X$ a binary random variable over the domain $\mathbb{X} = \{x, \bar{x}\}$. If little evidence supporting this proposition is available, or if there is a lack of relevant knowledge regarding the truth of the statement, then we will be unable to obtain the exact probabilities $p_x$ and $p_{\bar{x}}$. A subjective opinion, expressed in terms of both the belief itself and the uncertainty in this belief, models such a situation better. In the security domain, such subjective opinions are clearly useful. In subjective logic, two types of subjective opinions are defined: binomial opinions (opinions over binary frames, i.e., frames with only two possible states) and multinomial opinions (opinions on a frame larger than binary). This paper deals with only binomial opinions.
Let $\mathbb{X} = \{x, \bar{x}\}$ be a state space containing $x$ and its complement $\bar{x}$. A binomial opinion about the truth of state $x$ is the tuple $\omega_x = (b_x, d_x, u_x, a_x)$, where $b_x$ is the belief mass in support of $x$ being true, $d_x$ is the belief mass in support of $x$ being false, $u_x$ is the amount of uncommitted belief mass (i.e., uncertainty), and $a_x$ is the prior probability, also called the base rate, in the absence of committed belief mass. Further, these components must satisfy the condition $b_x + d_x + u_x = 1$. For a given binomial opinion $\omega_X$, the corresponding projected probability distribution is $P(x) = b_x + a_x u_x$ (Equation 1), where $P(x)$ represents the probability estimation of $x$, which varies from the base rate value, in the case of complete ignorance ($u_x = 1$), to the actual probability in case that $u_x = 0$.

Subjective Logic Operators
Subjective logic provides a set of operators where input and output arguments take the form of opinions. There is a standard set of logical operators (such as conjunction, disjunction, and negation) used in domains containing uncertainty, and, more specifically, domains in which there are opinions regarding the truth or falsehood of a (set of) domain elements. Here, only three operators are needed, namely the conjunction (also called multiplication), disjunction (also called co-multiplication), and complement (also called negation) operators. By using the symbol ($\cdot$) to denote the conjunction operator, multiplication of opinions can be written as $\omega_{x \wedge y} = \omega_x \cdot \omega_y$.

Definition 3: Disjunction Operator
Given two opinions, $\omega_x$ and $\omega_y$, their disjunction $\omega_{x \vee y}$ is computed by the co-multiplication operator. By using the symbol ($\sqcup$) to denote this operator, co-multiplication of opinions can be written as $\omega_{x \vee y} = \omega_x \sqcup \omega_y$.

Definition 4: Complement Operator
Given an opinion $\omega_x$, where $x$ belongs to a frame of discernment, we may compute the complement opinion $\omega_{\neg x}$, known as the propositional negation.

Binomial Opinions and Beta Distributions
A binomial opinion translates directly into a beta distribution. To understand such a connection between binomial opinions and beta distributions, this section begins with an overview of beta distributions and then discusses how subjective opinions are translated into beta distributions and vice versa. When probabilities are uncertain (e.g., due to limited observations), such uncertainty can be captured by a beta distribution (Gupta & Nadarajah, 2004), i.e., a distribution of possible probabilities. Let us consider a binary variable $X$ that can take on the value of true or false (i.e., $X = x$ or $X = \bar{x}$). As discussed earlier, there is an underlying ground truth probability $p_x$ that $X$ is true, and $p_{\bar{x}}$ (i.e., $1 - p_x$) that $X$ is false. If $p_x$ is drawn from a beta distribution, it has the probability density function (PDF) given by Cerutti et al. (2019), where $\beta(\cdot)$ is the beta function and $\alpha_X = \langle \alpha_x, \alpha_{\bar{x}} \rangle$ are the beta parameters. The value of $X$ can be determined from $N_{ins}$ independent observations. Let $n_x$ be the total number of observations supporting $X = x$, and $n_{\bar{x}}$ be the total number of observations supporting $X = \bar{x}$; the beta parameters are then obtained from these counts together with $a_x$, the prior assumption, and $W$, a prior weight indicating the strength of the prior assumption. In this paper, unless specified otherwise, we assume $a_x = 0.5$ for all $X$, and $W = 2$, to obtain the prior beta distribution as a uniform distribution, which is an uninformative prior. By making $W = 2$ and $a_x = 0.5$, the above formula of beta parameters thus simplifies to the form that reflects the parameters of a posterior beta distribution when having a likelihood in a Bernoulli distribution and a uniform prior expressed as a beta distribution with parameters $\langle 1, 1 \rangle$. Suppose, for example, that the total number of observations for $X$ is 10, 7 of which support $X = x$ (and thus 3 observations support $X = \bar{x}$); the beta parameters then become $\langle 11, 4 \rangle$. Figure 2 shows the beta distribution of this example.

Given a beta-distributed random variable $X$, its Dirichlet strength $S_X$ (Equation 2) and mean $\mu_X$ (Equation 3) are computed from the beta parameters. From these two equations, the beta parameters can be equivalently written in terms of $\mu_X$ and $S_X$ (Equation 4). The variance $\sigma_X^2$ of a beta-distributed random variable $X$ is given by Equation 5, and from this equation we can rewrite $S_X$ in terms of $\mu_X$ and $\sigma_X^2$ (Equation 6). As mentioned earlier, there is a correspondence between beta distributions and binomial opinions. The mapping from a beta-distributed random variable $X$ with parameters $\alpha_X = \langle \alpha_x, \alpha_{\bar{x}} \rangle$ to a subjective opinion is given by Equation 7. With this transformation, the mean of $X$ is equivalent to the projected probability $P(X)$ defined in Equation 1, and the Dirichlet strength is inversely proportional to the uncertainty of an opinion, so it can be computed directly from the subjective opinion (Equation 8). Conversely, a subjective opinion $\omega_X$ translates directly into a beta-distributed random variable: given a subjective opinion $\omega_X$, the corresponding beta parameters $\alpha_X = \langle \alpha_x, \alpha_{\bar{x}} \rangle$ are obtained from Equation 9.

Cerutti et al. (2019) defined some operators that can be applied on independent beta-distributed random variables, such as sum and product, designed as alternatives to the operators of addition and multiplication on subjective opinions, and thus useful when converting opinions into corresponding beta distributions. These operators approximate the resulting distribution as a beta distribution via moment matching on mean and variance. In this paper, we make use of the product operator.

Definition 5: Product
Given $X$ and $Y$ as two independent beta-distributed random variables, the product of $X$ and $Y$ is defined as the beta-distributed random variable $Z$ such that $\mu_Z = \mu_X \mu_Y$ and $\sigma_Z^2 = \sigma_X^2 \sigma_Y^2 + \sigma_X^2 \mu_Y^2 + \sigma_Y^2 \mu_X^2$. By knowing the mean ($\mu_Z$) and variance ($\sigma_Z^2$) of a beta-distributed random variable $Z$, it is possible to compute the beta parameters by first determining the Dirichlet strength according to Equation 6, and then obtaining the beta parameters using Equation 4.

SUBJECTIVE ATTACK TREES
The Model

Subjective attack trees (SATs) extend the classical probabilistic attack trees by allowing uncertainty degrees about the probabilities of security events to be explicitly expressed via subjective opinions, resulting in a model taking second-order uncertainty into account. Therefore, the tree structure in SATs is not different from the one in traditional ATs in that it also allows for the (conjunctive or disjunctive) decomposition of the main goal of an attacker into sub-goals, except that the input parameters represent subjective opinions rather than probabilities. Figure 3 shows an example SAT with three possible paths (ways) an attacker can choose to achieve their main goal ($MG$). These paths begin with the execution of the following security events: ($SE_1$ and $SE_2$), $SE_3$, and ($SE_4$ and $SE_5$). Taking the first path with security events $SE_1$ and $SE_2$ as an example, the subjective opinions on them, respectively, are denoted by $\omega_{SE_1}$ and $\omega_{SE_2}$. The subjective opinion on sub-goal 1 ($\omega_{SG_1}$) is computed from the conjunction of $\omega_{SE_1}$ and $\omega_{SE_2}$, and the subjective opinion on the main goal ($\omega_{MG}$) is computed from the disjunction of $\omega_{SG_1}$ and $\omega_{SG_2}$. The subjective opinion on $MG$ represents the belief and disbelief that an attacker can successfully achieve their main goal, complemented by an uncertainty degree about such belief and disbelief masses.

Propagation of Subjective Opinions in SATs
Subjective opinions in the SAT model are assigned to the leaves, and then propagated up the tree to compute a subjective opinion about the root node. Such propagation is achieved by solving two types of gates between nodes, namely the AND gate and the OR gate.

Propagation Through an AND Gate
An AND gate signifies that the output event $E$ occurs if all the input events have occurred simultaneously. To compute an output from an AND gate, the conjunction operator of subjective logic is used. Let $E$ be an event node in a SAT, where $E \in \{MG, SG_i\}$. In other words, $E$ is the main goal $MG$ (i.e., the root node), or any sub-goal ($SG_i$) in a SAT. Let $\omega_{CE_1}, \omega_{CE_2}, \ldots, \omega_{CE_n}$ be the subjective opinions on the children nodes of the event $E$, all of which must be satisfied to ensure the occurrence of $E$. We compute a subjective opinion on $E$ using the following AND gate propagation rule: $\omega_E = \omega_{CE_1} \cdot \omega_{CE_2} \cdot \ldots \cdot \omega_{CE_n}$, where $\cdot$ is the conjunction operator, and $\omega_{CE_i} = \omega_{SE_i}$ in case $E$ is the direct parent of the security events (i.e., the leaves); otherwise $\omega_{CE_i}$ is computed first from its children nodes using either the same propagation rule or the OR gate propagation rule we discuss below. Figure 4a shows an example computation of a subjective opinion on event $E$ via an AND gate.

Propagation Through an OR Gate
An OR gate signifies that the output event $E$ occurs if at least one of the input events has occurred. To compute an output from an OR gate, the disjunction operator of subjective logic is used. Let $E$ be an event node in a SAT, where $E \in \{MG, SG_i\}$. In other words, $E$ is the main goal $MG$ (i.e., the root node), or any sub-goal ($SG_i$) in a SAT. Let $\omega_{CE_1}, \omega_{CE_2}, \ldots, \omega_{CE_n}$ be the subjective opinions on the children nodes of the event $E$, at least one of which must be satisfied to ensure the occurrence of $E$. We compute a subjective opinion on $E$ using the following OR gate propagation rule: $\omega_E = \omega_{CE_1} \sqcup \omega_{CE_2} \sqcup \ldots \sqcup \omega_{CE_n}$, where $\sqcup$ is the disjunction operator, and $\omega_{CE_i} = \omega_{SE_i}$ in case $E$ is the direct parent of the security events (i.e., the leaves); otherwise $\omega_{CE_i}$ is computed first from its children nodes using either the same propagation rule or the AND gate propagation rule we discussed above. Figure 4b shows an example computation of a subjective opinion on event $E$ via an OR gate.

SECURITY ANALYSIS IN SATs
In this section, we discuss how to conduct security analysis (e.g., risk computation and security investments analysis) under the proposed SAT model. This requires us to enrich the model with additional metrics and components such as impact (for risk computation) and countermeasures (and their costs) for security investments analysis, to determine which countermeasures are profitable using the index of ROI (Sonnenreich et al., 2006). Since likelihoods in the SAT model are subjective opinions (i.e., there is uncertainty about the probabilities), the security analysis differs from the analysis of security in traditional AT models. Therefore, it is essential to study how risk or security investments analysis is conducted, simultaneously showing how to handle uncertainties in the model for effective decision analysis.

Risk Computation
In the context of ATs, the risk to a system refers to the system's risk with respect to a particular attack scenario, i.e., risk at the root node. Here, two measures need to be taken into consideration: the first is the probability of attack success, and the other is the amount of damage that an attack scenario can render to the system. Combining the two, risk to the system can be defined as the expected value of the impact, i.e., the likelihood of attack success multiplied by the impact (Equation 10; review the discussion in Roy et al., 2012). The likelihood of attack success in our SAT model is a subjective opinion, and so the risk cannot simply be computed using Equation 10 directly, since we cannot directly multiply a subjective opinion (which represents the likelihood) by a number (representing the impact). Also, sometimes the impact can be represented as a beta distribution (rather than a single value) to express confidence in the level of impact, such as in the approach given by Lallemant and Kiremidjian (2015) for characterizing earthquake damage. Here, representing the impact as a beta distribution in our model would have to be combined with the subjective opinion of the likelihood in order to compute risk (i.e., the expected value of the impact). In this section, we discuss how to calculate risk in the SAT model based on the representation of the impact value (i.e., when the impact is represented as a single value, and when it is given as a beta distribution).

Risk Computation With a Single Value of Impact
The problem of computing risk in our SAT model using Equation 10 is that the impact value (given it is a single value in the range [0, 1]) cannot be directly multiplied by the subjective opinion of the likelihood. One possible way to calculate risk in this case is to multiply the impact value with the projected probability of the subjective opinion, meaning that we are considering only the most expected value of risk. However, using this simple approach, we move away from the advantage of keeping the distribution of the likelihood explicit when computing risk, which is what enables the use of finer-grained tools to make a decision based on, for example, risk appetite.
Given that the likelihood is a subjective opinion (knowing that subjective opinions translate directly into beta distributions) and the impact is a single value, the risk is a scaled version of the beta distribution with support from zero to the value of the impact. It is therefore possible to approximate risk as a regular beta distribution as long as the impact is bounded by one (i.e., within the range [0, 1]). To approximate risk as a beta distribution, we perform second-order moment matching so that the Dirichlet strength represents the variance. The second-order moment matching method has been discussed further by Kaplan and Ivanovska (2018), but here we briefly discuss the steps to calculate risk in our model based on such a method.
To compute the beta parameters of risk, we need to determine the mean and Dirichlet strength. The mean is calculated by multiplying the impact value with the projected probability of the subjective opinion, i.e., $\mu_R = i \times P(x)$, where $i$ is the impact value and $P(x)$ is the projected probability.
To compute the Dirichlet strength, we follow the approach below. By using the symbols $r$, $i$, and $p$ to denote risk, impact, and probability, respectively, we write the risk formula (see Equation 10) for simplicity as $r = i \times p$. In our approach, the impact $i$ is considered to be deterministic and $p$ is beta distributed. This makes $r$ a random variable with expected value $E[r] = i \times E[p]$ (Equation 11; the mean of risk as discussed above), and so $E[r^2] = i^2 \times (\mathrm{Var}(p) + E[p]^2)$ (Equation 12), where $\mathrm{Var}(p)$ is the variance of the beta distribution of $p$ (see Equation 5; also see Owen, 2008, for the method of moments).
In Equation 12, $E[p]$ represents the projected probability of the subjective opinion. By knowing $E[r^2]$, it is possible to compute the variance of risk as $\sigma_R^2 = E[r^2] - E[r]^2$ (Equation 13), where $E[r]^2$ is the square of the value $E[r]$ obtained from Equation 11. Now, having the mean of risk, $\mu_R$, and its variance, $\sigma_R^2$, we can compute the Dirichlet strength, $S_R$, as in Equation 6. Finally, knowing the Dirichlet strength $S_R$ and the mean $\mu_R$, we compute the beta parameters of risk as in Equation 4.
The mean of risk is $\mu_R = 0.4 \times 0.7 = 0.28$, where 0.7 is the projected probability of $\omega_{SE}$. Using Equation 12, we obtain $E[r^2]$. The beta distribution of risk in this example is shown in Figure 5a.

Risk Computation With a Beta Distribution Representation of Impact
When the impact is given as a beta distribution, risk is measured based on two beta-distributed random variables, representing the impact and the likelihood (knowing that subjective opinions for likelihoods can be translated directly into beta distributions). Our approach for calculating risk is therefore based on first translating the subjective opinion into a beta distribution, and then taking the product of the two beta-distributed random variables according to Definition 5. The following summarises the steps to calculate risk in case the impact is given as a beta distribution:
1. We translate the given subjective opinion into the corresponding beta distribution (see Equation 9), and then compute its mean and variance via Equation 3 and Equation 5, respectively.
2. We compute the mean and variance of the impact from the given beta parameters of the impact distribution.
3. We use the product operator of independent beta-distributed random variables (see Definition 5) to compute the mean and variance of risk.
4. We use these values of mean and variance to calculate the Dirichlet strength of risk using Equation 6.
5. We use the mean and Dirichlet strength of risk to get the beta parameters of the risk distribution using Equation 4.
The Dirichlet strength is therefore $S_R = 21.5$. Based on this, we obtain the beta parameters for risk as $\alpha_R = \langle 16.8, 4.7 \rangle$. The risk (loss) distribution is shown in Figure 5b. Since both representations of impact (the single value and the beta distribution representation) yield a beta distribution for risk, for simplicity, in the rest of this paper we model impact through single values.

Here, two measures need to be taken into consideration in order to compute risk at the root node: the subjective opinion on the attack success, $\omega_{goal}$, and the amount of damage (i.e., impact) that an attack scenario can present to the system, $I_{goal}$. The propagation of subjective opinions in the attack model to compute $\omega_{goal}$ is discussed in the previous section, and the propagation of impact values to compute $I_{goal}$ is discussed in (K. S. Edge et al., 2006). However, since our impact scale is [0, 1] and not [1, 10], we redefine the propagation rule of impact values defined in (K. S. Edge et al., 2006); Table 1 summarises the formulae for computing the impact in our model, where $n$ is the number of children nodes and each $A_i$ is the unique name of a child node. Figure 6 shows an example propagation of impact values, as well as subjective opinions, to compute risk at the root node. Our approach to decision analysis takes into account the uncertainty about a likelihood or about risk, so we discuss in the next section how we deal with uncertainty for risk and decision analysis.
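The two risk computations above (single-value impact via second-order moment matching, and beta-distributed impact via the product of Definition 5), as an added example that is not the paper's code. The opinion-to-beta mapping ($S = W/u$, $\alpha_x = b S + W a$, $\alpha_{\bar{x}} = d S + W(1 - a)$) is the standard one from subjective logic and is assumed here for Equation 9; the likelihood opinion (0.6, 0.2, 0.2, 0.5), whose projected probability is 0.7 as in Example 1, and the impact beta $\langle 8, 2 \rangle$ are constructed inputs. It reproduces the mean of 0.28 for the single-impact case with $i = 0.4$.

```python
from dataclasses import dataclass

W = 2.0  # prior weight used throughout the paper (uniform prior with a = 0.5)


@dataclass(frozen=True)
class Opinion:
    """Binomial opinion (b, d, u, a); P(x) = b + a u is the projected probability."""
    b: float
    d: float
    u: float
    a: float

    def projected(self) -> float:
        return self.b + self.a * self.u


@dataclass(frozen=True)
class Beta:
    """Beta-distributed random variable with parameters <alpha_x, alpha_xbar>."""
    ax: float
    axbar: float

    @property
    def strength(self) -> float:  # Dirichlet strength S = alpha_x + alpha_xbar
        return self.ax + self.axbar

    @property
    def mean(self) -> float:  # mu = alpha_x / S
        return self.ax / self.strength

    @property
    def variance(self) -> float:  # sigma^2 = mu (1 - mu) / (S + 1)
        return self.mean * (1.0 - self.mean) / (self.strength + 1.0)


def opinion_to_beta(op: Opinion, w: float = W) -> Beta:
    """Assumed mapping for Equation 9: S = W/u, alpha_x = b S + W a, alpha_xbar = d S + W(1-a).
    A dogmatic opinion (u = 0) has infinite strength and no finite beta representation."""
    if op.u <= 0.0:
        raise ValueError("dogmatic opinion (u = 0) cannot be mapped to a finite beta")
    s = w / op.u
    return Beta(op.b * s + w * op.a, op.d * s + w * (1.0 - op.a))


def beta_from_moments(mean: float, variance: float) -> Beta:
    """Second-order moment matching: S = mu (1 - mu) / sigma^2 - 1, then <mu S, (1 - mu) S>."""
    if variance <= 0.0:
        raise ValueError("variance must be positive")
    s = mean * (1.0 - mean) / variance - 1.0
    if s <= 0.0:
        raise ValueError("variance too large for a beta with this mean")
    return Beta(mean * s, (1.0 - mean) * s)


def risk_single_impact(likelihood: Opinion, impact: float) -> Beta:
    """Risk r = i * p with deterministic impact i in [0, 1] and beta-distributed p."""
    if not 0.0 <= impact <= 1.0:
        raise ValueError("impact must lie in [0, 1] for the beta approximation to hold")
    p = opinion_to_beta(likelihood)
    mu_r = impact * likelihood.projected()            # E[r] = i E[p]
    e_p2 = p.variance + p.mean ** 2                    # E[p^2] = Var(p) + E[p]^2
    e_r2 = impact ** 2 * e_p2                          # E[r^2] = i^2 E[p^2]
    return beta_from_moments(mu_r, e_r2 - mu_r ** 2)  # Var(r) = E[r^2] - E[r]^2


def product(x: Beta, y: Beta) -> Beta:
    """Definition 5: product of independent beta variables, matched on mean and variance."""
    mu = x.mean * y.mean
    var = x.variance * y.variance + x.variance * y.mean ** 2 + y.variance * x.mean ** 2
    return beta_from_moments(mu, var)


def risk_beta_impact(likelihood: Opinion, impact: Beta) -> Beta:
    """Risk when the impact itself is a beta-distributed random variable."""
    return product(opinion_to_beta(likelihood), impact)


if __name__ == "__main__":
    likelihood = Opinion(0.6, 0.2, 0.2, 0.5)  # constructed; P = 0.7 as in Example 1
    r1 = risk_single_impact(likelihood, 0.4)
    print(f"single impact 0.4: mean={r1.mean:.4f} S={r1.strength:.2f} alpha=<{r1.ax:.2f}, {r1.axbar:.2f}>")
    r2 = risk_beta_impact(likelihood, Beta(8.0, 2.0))  # constructed impact beta <8, 2>
    print(f"beta impact <8,2>: mean={r2.mean:.4f} S={r2.strength:.2f} alpha=<{r2.ax:.2f}, {r2.axbar:.2f}>")
```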

Dealing With Uncertainty for Decision Analysis
In our approach, metrics such as likelihood and risk are defined as beta distributions (given that subjective opinions for likelihoods translate directly into beta distributions) rather than single values.
For decision analysis, it is therefore important to handle the uncertainty in such metrics, as we will see in the next section when we come to analyse security investments. We discuss in this section two possible approaches to reasoning about risk (or about likelihood) in the presence of uncertainty about the values. These approaches are: (a) reasoning with the most expected value, and (b) reasoning with best- and worst-case scenarios via confidence intervals.

Approach 1: Reasoning With the Most Expected Value
In this approach, security managers use the most expected value of risk (or likelihood) to reason about risk under the most expected scenario. For likelihoods, the most expected value is the projected probability of the subjective opinion, and it is the distribution's mean when reasoning about risk. For example, in Example 2 discussed earlier, one could make a decision based on the most expected scenario of risk using the value of 0.78, which represents the mean of risk as shown in Figure 5b.

Approach 2: Reasoning With Confidence Intervals for Best- and Worst-Case Scenarios
Unlike in the previous approach, which represents risk as a single value, risk in this approach is represented by a range of possible values, determined by lower and upper bounds with a given confidence level, therefore allowing one to consider additional scenarios for risk such as the best- and worst-case scenarios. The approach thus offers the advantage of conducting a what-if analysis, for example, by analysing the outcome according to different possible values.

Table 1. Formulae for attack impact computation. Columns: Gate type, Attack impact. Rows: AND gate.
In the literature, several approaches exist to compute confidence intervals of a beta distribution (e.g., Newcombe, 1998; Daly, 1992; Julious, 2005). A simple approach is the one Julious discussed (2019), wherein the lower and upper bounds of the confidence interval are determined with the BETAINV() function from $\alpha$, $k$ and $n$, where $\alpha$ is the level of statistical significance, $k$ the number of events observed, and $n$ the sample size. BETAINV() is the cumulative distribution function (taken from Excel) of a beta distribution. The lower and upper bounds calculated from the two equations will determine the range of possible values that the risk value is likely to be within.
As an example, consider again the example of Figure 5b, which represents the beta distribution of risk with shape parameters $\alpha_R = \langle 16.8, 4.7 \rangle$. The sample size $n$ represents $\alpha_x + \alpha_{\bar{x}}$. The number of events observed, $k$, as discussed in Section 2.6.2, represents $n_x$ in the formula for the beta parameters. If we assume (as discussed earlier) that $W = 2$ and $a_x = 0.5$, then $k$ in this example is 15.8. For a 95% confidence interval, the statistical significance level $\alpha$ takes the value 0.05. Using the BETAINV function in Excel, we obtain the lower bound as 0.50 and the upper bound as 0.89. Therefore, the 95% confidence interval in this example is [0.50, 0.89]. This means that we are 95% confident that the risk value is likely to be within this interval, and so additional risk scenarios could be considered as part of dealing with uncertainty.

Analyzing Security Investments
In this section, we discuss security investment analysis in SATs. In order to conduct such an analysis, we first need to incorporate countermeasures into the model and study how these countermeasures reduce risk in the presence of subjective opinions. Following this, we conduct an investment analysis using the ROI index for countermeasures.

Adding Countermeasures to SATs
The SAT model presented in the third section does not take into account defence mechanisms which can be implemented by the defending organization or the costs sustained for security investments. In this section, we discuss the addition of countermeasures to the SAT model, studying how these countermeasures reduce risk (here, likelihoods) in the presence of uncertainty about probability values (i.e., in the presence of subjective opinions). Each added countermeasure should be associated with a value representing the effectiveness of the countermeasure in reducing risk. In the literature, the effectiveness value of a countermeasure is expressed as a percentage or as a value in the interval [0, 1] (see for example Roy et al., 2012; Bistarelli et al., 2006), and such a value is typically estimated from expert knowledge. The likelihood of an attack in the presence of a countermeasure is then calculated by multiplying the attack probability without the countermeasure by one minus the countermeasure's effectiveness value. However, when there is uncertainty about the likelihood (as in SATs), the calculation should be different.
Our approach to calculating the likelihood (i.e., the subjective opinion) on a node when adding a countermeasure (with an effectiveness greater than 0) to it is based on ensuring that the projected probability of the resulting subjective opinion is obtained as if the projected probability of the original subjective opinion (i.e., the subjective opinion without a countermeasure) had been reduced in the same way a probability value is reduced by the application of a countermeasure. In other words, a countermeasure reduces (indirectly) the projected probability of the subjective opinion in the same way it does with probability values. For example, if the projected probability on a node is 0.8, then adding a countermeasure of 0.5 effectiveness would reduce the projected probability to 0.4 (based on the calculation discussed above). To achieve this, we assume here that the effectiveness value affects only the belief mass and base rate of the subjective opinion while maintaining the same uncertainty value. The disbelief mass is then calculated by subtracting the sum of the resulting new belief mass and the uncertainty from one. This process yields a subjective opinion whose projected probability is reduced according to the effectiveness value of the countermeasure. Formally, assuming ω_SE is the subjective opinion about security event SE, CM is a potential countermeasure to reduce risk, and E_CM is the countermeasure effectiveness, we compute the opinion about SE with countermeasure CM, denoted by ω_SE with CM, following the procedure just described.
Note that in the approach above, we considered, as in existing approaches, the use of precise values in the range [0, 1] to represent the effectiveness values of countermeasures, ignoring the uncertainty in them that results from poor knowledge when assigning such values. Since the effectiveness of a countermeasure actually represents the probability of the countermeasure's success (see Roy et al., 2012), it might be possible to assign each countermeasure a subjective opinion representing the likelihood (with associated uncertainty degrees) that the countermeasure would be successful in reducing risk. In this case, calculating the likelihood of a node in the presence of a countermeasure is based on multiplying the subjective opinion on the node with the complement of the subjective opinion (review Definition 4) about countermeasure success.
Since both representations of the effectiveness value (i.e., the single value and subjective opinion representations) yield a subjective opinion on a node, for simplicity, in the rest of this paper, we model countermeasures' effectiveness through single values.
Figure 7 shows two countermeasures (in the ovals) added to the subjective attack tree of attacking a system with a remote login. These countermeasures were added to the nodes of exploiting an online vulnerability (update the system periodically) and exploiting a web server vulnerability (use antivirus software) to reduce their likelihoods, which are expressed by the subjective opinions ⟨0.7, 0.2, 0.1, 0.5⟩ and ⟨0.6, 0.1, 0.3, 0.5⟩, respectively. The effectiveness values of the two countermeasures are 0.8 and 0.6, respectively. The figure shows the resulting subjective opinions on the nodes after applying these two countermeasures, which led to a change in the risk value on the root node (attack the system with a remote login) from ⟨0.88, 0.65, 0.77, 0.75⟩ to ⟨0.35, 0.44, 0.21, 0.28⟩.

ROI Analysis
We discuss in this section how a security investment is analysed in the SAT model, using the ROI index, an economic metric that measures the profit obtained by implementing a specific countermeasure CM_i. ROI for a security investment is calculated as (Sonnenreich et al., 2006):

In AT models, risk exposure represents risk at the root node. Depending on the purpose of the model, risk exposure can take different forms. For example, it can be the likelihood on the root node if the model is concerned only with determining how likely a system is to be attacked, without considering impact values; here, the purpose of countermeasures is to reduce the likelihood of attack. Risk exposure could also be the expected impact on the root node if impact values are considered in the model, and the countermeasures applied to such models would aim to reduce the overall expected impact.
In this paper, we consider ROI analysis with risk exposure defined as the likelihood (in our model, the subjective opinion) with regard to the goal (i.e., the top event node). We do so for two reasons: (1) for the sake of simplicity, and (2) because countermeasures do not affect the impact value directly (the impact value at the root node is the same regardless of whether countermeasures were applied or not), but rather affect the likelihood of an event occurring (see Roy et al., 2012). This means that by reducing likelihoods, the expected impacts are reduced accordingly. We should note here that if risk exposure is taken to be the expected impact, and since the expected impact in our model is a beta distribution, we can first translate the beta distribution into the corresponding opinion and then follow the same approach discussed below (or, alternatively, we consider the beta distribution itself and use its mean or one of the confidence interval bounds as the value for risk exposure in the formula above, as discussed below).
The % Risk mitigated value is the percentage of risk mitigated as a result of applying a specific countermeasure. Unlike with single probabilistic values, it is difficult in our approach to directly calculate such a percentage because the uncertainty value and base rate at the root node might change as a result of applying a countermeasure to the model. Therefore, we must first resolve the uncertainties in the subjective opinions (using one of the approaches discussed in the previous section) in order to compute the percentage risk mitigated, and then use this percentage in the above formula of ROI.
As an example, suppose the subjective opinion at the root node without countermeasure CM_i is ω_goal without CM_i, and with CM_i it is ω_goal with CM_i. Suppose also that we want to reason about risk using the most likely value, i.e., the projected probability of each subjective opinion. The projected probability of ω_goal without CM_i is 0.82, and it is 0.66 for ω_goal with CM_i. The percentage of risk mitigated is therefore 1 − (0.66/0.82) ≈ 0.20. For abbreviation, we denote such a calculation of risk mitigated by %RM.
Investment cost is the cost of the applied countermeasure. In this paper, we assume, as in existing approaches, that the cost of a countermeasure is a single value. Based on the discussion above, we re-define ROI for a countermeasure CM_i as

where R_sys is the system risk, i.e., the subjective opinion on the root node ω_goal, with its uncertainty treated according to one of the approaches in the previous section. In other words, R_sys can take any of the following values: the projected probability of ω_goal, the lower bound of the desired confidence interval, or its upper bound. %RM is computed as demonstrated above. In Equation 16, the mitigated risk is compared against the cost of the countermeasure CM_i, and this comparison is meaningful only when the risk value is within the scale of [0, 100] rather than [0, 1] (see Bistarelli et al., 2006). Therefore, we calculate risk as R_sys × 100. If ROI is zero or a negative number, the investment is not profitable. Otherwise, it is financially justified, and so the higher the value of ROI, the more desirable the investment. Suppose in the example given above that the cost of implementing CM_i is $20. Substituting these values into Equation 16 yields a negative ROI. Since ROI is negative, the countermeasure is not profitable.
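As an added example (not the paper's own code), the following Python implements the two steps above: apply_countermeasure() applies the rule of the previous subsection (scale the belief mass and base rate by 1 − E_CM, keep the uncertainty mass, recompute disbelief) to the Figure 7 leaf opinion ⟨0.7, 0.2, 0.1, 0.5⟩ with effectiveness 0.8, and roi() evaluates the ROI example with projected probabilities 0.82 and 0.66 and a cost of $20. The exact form of Equation 16 is not reproduced in the text, so the Sonnenreich-style form (R_sys × 100 × %RM − Cost)/Cost, with R_sys taken as the resolved root-node risk without the countermeasure, is an assumption.

```python
from dataclasses import dataclass

# Added example, not the paper's code. Equation 16 is assumed to have the form
#   ROI = (R_sys * 100 * %RM - Cost) / Cost
# with R_sys the resolved root-node risk before the countermeasure (assumption).


@dataclass(frozen=True)
class Opinion:
    """Binomial subjective opinion (belief, disbelief, uncertainty, base rate)."""
    b: float
    d: float
    u: float
    a: float

    def __post_init__(self):
        for name in ("b", "d", "u", "a"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name}={value} lies outside [0, 1]")
        if abs(self.b + self.d + self.u - 1.0) > 1e-9:
            raise ValueError("belief + disbelief + uncertainty must equal 1")

    def projected_probability(self):
        """P = b + a*u, the most-likely value used for uncertainty treatment."""
        return self.b + self.a * self.u


def apply_countermeasure(op, effectiveness):
    """Opinion on a node after adding a countermeasure of the given effectiveness.

    Only the belief mass and base rate are scaled by (1 - effectiveness); the
    uncertainty mass is unchanged and disbelief absorbs the remainder, so the
    projected probability shrinks exactly as a point probability would.
    """
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must lie in [0, 1]")
    keep = 1.0 - effectiveness
    b = op.b * keep
    a = op.a * keep
    d = 1.0 - b - op.u
    return Opinion(b, d, op.u, a)


def percent_risk_mitigated(risk_without, risk_with):
    """%RM = 1 - (risk with CM / risk without CM) on resolved (point) risk values."""
    if risk_without <= 0.0:
        raise ValueError("risk without the countermeasure must be positive")
    return 1.0 - risk_with / risk_without


def roi(r_sys, pct_mitigated, cost):
    """ROI on the [0, 100] risk scale; zero or negative means not profitable."""
    if cost <= 0.0:
        raise ValueError("cost must be positive")
    return (r_sys * 100.0 * pct_mitigated - cost) / cost


def roi_for_countermeasure(goal_without, goal_with, cost):
    """ROI from the root-node opinions with and without the countermeasure,
    resolving both with the most-likely-value (projected probability) approach."""
    r_without = goal_without.projected_probability()
    r_with = goal_with.projected_probability()
    return roi(r_without, percent_risk_mitigated(r_without, r_with), cost)


if __name__ == "__main__":
    # Figure 7 leaf (exploit an online vulnerability), countermeasure effectiveness 0.8
    leaf = Opinion(0.7, 0.2, 0.1, 0.5)
    after = apply_countermeasure(leaf, 0.8)
    print(after, "P:", leaf.projected_probability(), "->", after.projected_probability())
    # ROI example of the text: projected probability 0.82 without CM_i, 0.66 with it, cost $20
    rm = percent_risk_mitigated(0.82, 0.66)
    print(f"%RM = {rm:.3f}, ROI = {roi(0.82, rm, 20.0):.2f}")
```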

ILLUSTRATIVE EXAMPLE
Consider the attack tree example for the data attack scenario presented by Bistarelli et al. (2012); a version of the model with countermeasures is also presented, but for simplicity, we consider here only four countermeasures, as shown in Figure 8. The attack tree model demonstrates two different attack scenarios against data belonging to a hosting service provided by an internet service company. An attacker can consider either (a) damaging the business activity of the company, or (b) accessing data about customers. To damage the business activity of the company, the attacker can perform a denial-of-service (DoS) attack by performing the following attack actions: (a) scanning the network to discover some vulnerabilities, (b) gaining access to a machine, (c) installing a zombie, and (d) performing the attack by activating the zombie. The DoS attack node is therefore of the AND type because, in order to successfully perform this attack strategy, the attacker must perform all the actions composing the attack. In order to access data about customers, the attacker can perform different alternative actions such as performing a man-in-the-middle attack or performing a phishing attack. The model in Figure 8 shows examples of subjective opinions associated with the six security events of the attack model. Table 2 presents the impact value of each security event, and Table 3 presents the effectiveness and cost of implementation of each countermeasure. To compute the impact at the top event node (data attack node) in Figure 12, we propagate the impact values given in Table 2 according to the set of propagation rules given in Table 1.
The subjective opinion about data attack is ⟨0.57, 0.18, 0.25, 0.76⟩, and the impact is 0.96. Therefore, the risk (as discussed in the preceding section) is approximated as a beta distribution. The mean of risk is 0.73, representing the most likely value of risk. The 95% confidence interval of the risk distribution is [0.30, 0.89], providing the lowest and highest possible values. Security managers here, in comparison to traditional risk assessment approaches, can use these values to reason about risk and make decisions according to their risk attitudes. Suppose, for example, that the security manager would only consider protection against the attack if the risk is greater than 0.5. Here, if they tend to use the most likely value (0.73), or if they are pessimistic regarding risk and consider the worst-case scenario (a risk value of 0.89), then they will protect the system. However, those who tend to be optimistic regarding risk and consider the best-case scenario might decide not to protect the system, as the risk value considered in this case is only 0.30, which is below the defined threshold. Considering uncertainty explicitly when conducting risk analysis, as this example demonstrates, therefore offers a better approach to decision-making by allowing one to consider different risk scenarios and make decisions based on, for example, risk attitudes.
We now turn our attention to the analysis of security investments, using the ROI index. Applying each countermeasure results in a reduction in the subjective opinion about the top event, i.e., ω_goal. Table 4 shows the subjective opinion about data attack when applying each countermeasure, as well as the percentage of risk mitigated following uncertainty treatment using the most-likely-value approach. Using Equation 16, we obtain the ROI for each countermeasure as shown in Table 4. As the table shows, CM 1 and CM 2 should be excluded since their ROIs are negative. The only two profitable countermeasures are CM 3 and CM 4, and CM 3 is more profitable than CM 4. However, the ROI for CM 4 approaches zero, and so it does not seem to be significantly profitable. As a result, the security manager may think of applying CM 3 (authentication of the IP address) as a possible security solution against the attack.

COMPARISON WITH PROBABILISTIC ATs MODELS
In this section, we provide a detailed example to compare our approach against probabilistic ATs in terms of risk and security investments analysis. With the example, we aim to demonstrate why uncertainty about the probabilities of security events should be taken into account when conducting security risk analysis in ATs. Furthermore, we show how the SAT model better supports the decision-making process in comparison to traditional probabilistic AT models. We begin by describing the comparison model, and then present and analyse the results.

Comparison Model Description
We use the SAT model in Figure 9 as an example model to conduct the comparison. The model contains two countermeasures, CM 1 (with a cost of $10 and 0.8 effectiveness) and CM 2 (with a cost of $20 and 0.9 effectiveness), applied to the security events SE 1 and SE 4, respectively. The subjective opinions about the four security events were chosen to contain relatively high uncertainty values. Propagating these opinions also led to a relatively high uncertainty (0.38) about the likelihood on the root node. The uncertainty values in the opinions allow for several different underlying probability values, in contrast to a 0 uncertainty. For example, the probabilities 0.75, 0.6, and 0.55 could all be possible truth values for the subjective opinion about SE 4 (⟨0.40, 0.25, 0.35, 0.50⟩). Here, the uncertainty value (0.35) has affected these probabilities as follows: it has affected only the belief mass in the case of the probability 0.75 (because the sum of the uncertainty value and the belief mass of the opinion, i.e., 0.4, is 0.75); it has affected only the disbelief mass in the case of the probability 0.6 (because the sum of the uncertainty value and the disbelief mass of the opinion, i.e., 0.25, is 0.6); and it has affected both the belief and disbelief masses in the case of the probability 0.55 (here, the uncertainty has affected the belief mass by only 0.15).
Based on this discussion, we generate probability values for the four security events in the example (assuming they represent truth values) as follows: Prob(SE 1) = 0.3, Prob(SE 2) = 0.25, Prob(SE 3) = 0.4, and Prob(SE 4) = 0.45. Here, we assumed that the uncertainties in the opinions about the security events had affected both the belief and disbelief masses of these probabilities at random. Propagating these probabilities, using the probability propagation method discussed previously, resulted in a probability of 0.24 at the root node.

Results and Analysis
We began by comparing the risk outcomes from the SAT model in Figure 9 with the risk obtained from applying traditional risk analysis using the above set of probabilities. In the case of the SAT model, the risk obtained is a beta distribution with parameters α = ⟨2.92, 3.43⟩ and mean 0.46. The 95% confidence interval of the risk distribution is [0.04, 0.74]. In the case of the AT approach, the risk obtained is a single value of 0.22. Suppose the security manager would only protect the system against the attack if the risk is greater than 0.45. It is evident that in the case of the AT approach, the system would not be protected. In the case of the SAT model, there are cases in which the security manager would choose to protect the system. For example, if the security manager tends to use the most expected value (i.e., the mean of risk), or if they are very pessimistic and wish to consider the worst-case scenario (via the upper bound of the confidence interval), they might protect the system, as both values are greater than the defined threshold. However, the decision would be the same as in the AT approach if they are optimistic and wish to consider the best-case scenario (via the lower bound of the confidence interval).
, respectively. The projected probability of each subjective opinion and their 95% confidence intervals are given in Table 5. Using this information and the cost of each countermeasure, we considered three scenarios for computing ROI for each countermeasure: (1) the most expected scenario (based on the projected probability), (2) the best-case scenario (based on the lower bound of the confidence interval), and (3) the worst-case scenario (based on the upper bound of the confidence interval). We denote the ROI calculated from the first scenario by ROI_µ, and by ROI_lower and ROI_upper for the other two scenarios, respectively.
ROI_µ for CM 1, for example, is computed by using the projected probability 0.37 (from the subjective opinion about the attack when CM 1 is present) as the value for R_sys in Equation 16, with the percentage risk mitigated (%RM) computed as 1 − (0.37/0.5) = 0.26. The resulting ROI values for the SAT model are all positive (except in one case), as shown in Table 6. In the case of the AT model, the ROI obtained for each countermeasure, denoted by ROI_pro, is −0.49 for CM 1 and −0.24 for CM 2 (see Table 6). Clearly, none of the countermeasures is profitable, unlike in the SAT model, wherein the two countermeasures are financially justified in the three defined scenarios, except for the worst-case scenario for CM 1, in which ROI returned a value of 0. These results clearly demonstrate the importance of taking uncertainty into account when conducting cybersecurity risk assessments, as doing so can lead to completely different security decisions. In terms of the risk analysis, the SAT model offers a more flexible approach to decision-making by allowing one to consider different scenarios (e.g., the best and worst-case scenarios), and therefore allowing security managers to make decisions based on, for instance, their risk attitudes or the organisation's financial capabilities. In terms of the security investments analysis (with the ROI index), in addition to the SAT model yielding different ROI values for countermeasures, our example above interestingly showed that introducing uncertainty about the probabilities resulted in higher ROI values for countermeasures (in contrast to a 0 uncertainty). This means that the chance of applying a countermeasure in the SAT model was higher, which might also be interpreted as follows: the SAT model in our example was more inclined to protect the system in comparison to the traditional attack tree approach. To evaluate whether this observation generalises, more examples and analysis dealing with different sets of probabilities and different uncertainty values are required, which we leave for future work. For now, the given example has clearly shown that the SAT model can result in a different analysis of security investments, and therefore a different set of implementable countermeasures, demonstrating the importance of considering uncertainty about the probabilities during security risk analysis.

DISCUSSION
In this paper, we have presented a novel attack tree model, called a subjective attack tree (SAT), that takes second-order uncertainty into account via subjective opinions. We also discussed the propagation rules of subjective opinions in the proposed model. Furthermore, we extended the SAT model to support a comprehensive security analysis, such as risk measuring and security investments analysis using the ROI index. In the proposed SAT model, risk computation was discussed as one aspect of the security analysis. Since the probability component required to compute risk is not a single value, but rather a subjective opinion, the calculation of risk was different. We discussed how to compute risk (i.e., the expected impact) in the case where the impact is given as a single value in the range [0, 1] and in the case where it is represented as a beta distribution, demonstrating that in both representations of impact, the resulting value of risk is approximated as a beta distribution. It was therefore essential to also discuss how to understand risk as a beta distribution, and how to handle the uncertainty in the distribution for decision analysis. Following this, we considered defence modelling, i.e., adding countermeasures to the model, to study how risk is reduced when adding them to a model containing uncertainty values about probabilities (i.e., subjective opinions). Here, because the nodes in our model contain subjective opinions (as likelihoods of attacks), adding a countermeasure to a node should affect the subjective opinion on it towards reducing its likelihood value, based on the effectiveness value of the countermeasure. We suggested that a countermeasure reduces (indirectly) the projected probability of the subjective opinion in the same way it does with probability values. To achieve this, we assumed that the effectiveness value of the countermeasure affects only the belief mass and base rate while maintaining the same uncertainty value. This process yields a subjective opinion whose projected probability is reduced according to the effectiveness value of the countermeasure.
Having incorporated countermeasures into the model, we discussed another aspect of security analysis, namely security investments analysis, using the ROI index as a metric to measure the profitability of a given countermeasure. Classically, the formula for computing ROI for a countermeasure (see Equation 15) defines risk as a single value (because the probability and impact are assumed to be single values). In our model, the risk is beta distributed, and so we redefined the formula to capture the uncertainty in likelihoods, discussing how the computation of ROI differs from the computation in probabilistic models.
We discussed the importance and advantage of our approach in terms of risk and security investments analysis through a comparison model with the probabilistic approach. The results showed that risk analysis in SATs is different, and such a difference can lead to different security decisions. This is because the uncertainty in the SAT model allows one to consider different scenarios for decision analysis, under which risk can be interpreted differently. Furthermore, regarding the security investments analysis, it has been shown that the SAT model resulted in different ROI values for countermeasures, and, more interestingly, our example showed that these values were higher (in contrast to a 0 uncertainty). This means that the chance of applying a countermeasure in the SAT model was higher. To evaluate whether this observation generalises, more examples and analysis dealing with different sets of probabilities and different uncertainty values are required, which we leave to future work.

FUTURE WORK
In this section, we point out some future directions. In the section on security analysis using SATs, we used the ROI index for security investment analysis (i.e., analysing the benefit of applying a particular countermeasure). Another index used in ATs, aimed at analysing the gain from conducting a particular attack, is the return on attack (ROA; see Roy et al., 2012). It might be worth extending the security analysis by incorporating additional metrics, such as the cost of attack, allowing one to conduct ROA analysis (see Roy et al., 2012, Equation 14). First, the ROA formula needs to be redefined for the SAT model as we did with the ROI formula, and then the redefined formulas can be used to quantify the nature of the competition between the attacker and the defender. One could also study how uncertainty about probabilities might affect such a competition, and how the best countermeasures can be selected under uncertainty about the two indexes.
Another, more general, future direction focuses on the possibility of extending the use of subjective logic to formalise other models of security risk analysis. Considering other models of security risk assessment, it might be worth examining how subjective logic could be used in these models to formalise the risk problem. For example, like attack trees, another model that is widely used to analyse the risk of an enterprise network is attack graphs (Phillips & Swiler, 1998). In attack graphs, risk is analysed based on understanding how vulnerabilities can be combined and exploited to stage an attack. Traditionally, the composition of vulnerabilities can be modelled using probabilistic attack graphs (for example, see Feng & Jin-Shu, 2008; Keramati & Akbari, 2012; and L. Wang et al., 2008), which show all attack paths that will lead to network penetration. Using subjective logic, it might be possible to develop an alternative approach that measures security in the absence of evidence about the vulnerability evaluations. Given that cycles could appear in attack graphs (as a result of the various ways that host interconnections and network privileges could be gained; see Homer et al., 2009), a key challenge that may arise in developing a subjective logic approach is how to treat such cycles (to prevent distortion of the results) in the presence of uncertainty values about node probabilities.

Figure 3. A subjective attack tree (SAT) model uses subjective opinions as input parameters to capture uncertainty degrees about the events' likelihoods. Here, ω_i is a subjective opinion capturing aspects of the likelihood of event i

Figure 4. Computing a subjective opinion on event E through (a) AND gate, and (b) OR gate

Figure 5. The beta distributions of loss (risk) in (a) Example 1 and (b) Example 2, where 0 indicates no risk and 1 indicates that the risk is catastrophic

Figure 6. An example SAT showing propagation of impacts and subjective opinions. The top event shows the system risk with a beta distribution representation, calculated from the subjective opinion ⟨0.68, 0.07, 0.25, 0.81⟩ and impact value of 0.92

Figure 7. A SAT model with two countermeasures (ovals), showing how they reduce likelihoods (i.e., subjective opinions) on the leaves, and subsequently on the root node. The variable E_CM denotes countermeasure effectiveness

Figure 8. The SAT model with countermeasures (ovals) for the data attack example

Figure 9. A SAT model with two countermeasures. The values below the subjective opinions are impact values

Table 3. The effectiveness and cost of implementation of each countermeasure in the data attack example

Table 5. The projected probability of each subjective opinion about the attack with and without countermeasures and their 95% confidence intervals