Cyber Attack Grammars for Risk/Cost Analysis
ICCWS 2020 : 15th International Conference on Cyber Warfare and Security, Norfolk, VA (March 2020).
In practice, mitigating cyber risk involves economic analysis—it is not realistic to eliminate all risk, so the goal is to find the most cost-effective mitigations for the most significant risks. This economic analysis, however, requires principled quantification of cyber risk. This paper describes how to enhance attack tree analysis (Schneier, 1999) to enumerate the possible attacks against a specific system and to assign risk values to each attack. This enumeration enables the attacks ruled out by a specific mitigation to be counted, and the corresponding risk reduction to be calculated precisely. Assigning a cost to each mitigation enables risk mitigation to be related to cost. Specifically, a weighted-set-covering analysis reveals the sequence of mitigations that achieve the greatest risk reduction per unit cost. The result of this analysis is a curve that shows how much the cost goes up as the risk comes down, directly revealing how much cyber risk can be mitigated for a specific cost, how much it would cost to mitigate 80% of the cyber risk, etc. This quantitative, objective approach to cyber risk/cost analysis enables stakeholders to allocate their cyber defense resources efficiently.
Traditional attack tree representations struggle to scale to large, complex systems. Our approach addresses this issue by representing attack trees using a highly scalable grammar formalism from linguistics. By necessity, linguistic grammars must be extremely compact representations of the large decision spaces associated with languages such as English and Chinese. Mechanisms such as class inheritance and recursion capture the generalizations needed to achieve scalability. In particular, Halliday’s (2003) Systemic Functional Grammar is a grammar formalism that retains the functional and graphical nature of traditional attack trees while enhancing scalability. Using Systemic Functional Grammars to represent attack trees enables precise risk/cost analyses to scale to address large, complex systems.
For More InformationTo learn more or request a copy of a paper (if available), contact Terry Patten.
(Please include your name, address, organization, and the paper reference. Requests without this information will not be honored.)