An Approach to Security Policy Configuration Using Semantic Threat Graphs

Foley, Simon N.; Fitzgerald, William M.

doi:10.1007/978-3-642-03007-9_3

Cited by 9 publications

(12 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nodes in attack trees can be annotated with quantitative properties, but so far the models have addressed attack possibilities only qualitatively. Such trees can also be augmented with countermeasures, as is done in attack-defence trees [20] and semantic threat graphs [13]. Also, argumentation-based approaches have been proposed to reason about security [33].…”

Section: Security Risk Modelsmentioning

confidence: 99%

A move in the security measurement stalemate

Pieters

Ven

Probst

2012

Proceedings of the 2012 New Security Paradigms Workshop

View full text Add to dashboard Cite

One of the big problems of risk assessment in information security is the quantification of risk-related properties, such as vulnerability. Vulnerability expresses the likelihood that a threat agent acting against an asset will cause impact, for example, the likelihood that an attacker will be able to crack a password or break into a system. This likelihood depends on the capabilities of the threat agent and the strength of the controls in place. In this paper, we provide a framework for estimating these three variables based on the Elo rating used for chess players. This framework re-interprets security from the field of Item Response Theory. By observing the success of threat agents against assets, one can rate the strength of threats and controls, and predict the vulnerability of systems to particular threats. The application of Item Response Theory to the field of risk is new, but analogous to its application to children solving math problems. It provides an innovative and sound way to quantify vulnerability in models of (information) security.

show abstract

Section: Security Risk Modelsmentioning

confidence: 99%

A move in the security measurement stalemate

Pieters

Ven

Probst

2012

Proceedings of the 2012 New Security Paradigms Workshop

View full text Add to dashboard Cite

show abstract

“…A semantic threat graph [11], constructed in terms of an ontology, can be defined as a graph that represents the meaning of a threat domain. Enterprise assets are represented as individuals of the Asset concept.…”

Section: Threat Model For Xmppmentioning

confidence: 99%

“…Semantic Threat Graphs [11], a variation of the traditional threat tree, are encoded within the ontology-based framework in order to relate knowledge about enterprise-level security requirements, best practice recommendations and access-control rules in terms of assets, threats, vulnerabilities and countermeasures. Threats are organised into a hierarchical structure such as a Microsoft STRIDEbased [17] hierarchy.…”

Section: Introductionmentioning

confidence: 99%

Management of heterogeneous security access control configuration using an ontology engineering approach

Fitzgerald

Foley

2010

Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration

View full text Add to dashboard Cite

Management of heterogeneous enterprise security mechanisms is complex and requires a security administrator to have deep knowledge of each security mechanism's configuration. Effective configuration may be hampered by poor understanding and/or management of the enterprise security policy which, in turn, may unnecessarily expose the enterprise to known threats. This paper argues that knowledge about detailed security configuration, enterprise-level security requirements including best practice recommendations and their relationships can be modelled, queried and reasoned over within an ontology-based framework. A threatbased approach is taken to structure this knowledge. The management of XMPP application-level and firewall-level access control configuration is investigated.

show abstract

“…Attack trees are typically used to assist attack elicitation and countermeasure selection. While they may be used to provide ongoing recommendation about the best current countermeasures [8], they do not explicitly consider the ongoing-process of testing countermeasure effectiveness. This difference to ERM can be illustrated by the following UML class style diagram, whereby an attack can be regarded as a knock-on consequence of some risk and the countermeasures are the controls that used to mitigate that risk:…”

Section: Risk Management and Internal Controlsmentioning

confidence: 99%

“…An enterprise will have a very large number of technical security risks and we suggest that attack-tree based methodologies [8,15,17] can help in the elicitation and management of this complexity. Note that we propose the use of ERM to track known risks and do not consider how "unknown unknowns" might be discovered.…”

Section: Examplementioning

confidence: 99%

Security risk management using internal controls

Foley

2009

Proceedings of the First ACM Workshop on Information Security Governance

Self Cite

View full text Add to dashboard Cite

Rather than treating security as an independent technical concern, it should be considered as just another risk that needs to be managed alongside all other business risks. An Internal Controls approach to security risk management is proposed whereby automated catalogues are built in order to provide information about security controls used to mitigate risk in business processes. Real-time evaluation and measurement of control efficacy in this model become essential to the management of risk using these catalogues and a risk-profile based approach to measuring security risk is described.

show abstract

An Approach to Security Policy Configuration Using Semantic Threat Graphs

Cited by 9 publications

References 15 publications

A move in the security measurement stalemate

A move in the security measurement stalemate

Management of heterogeneous security access control configuration using an ontology engineering approach

Security risk management using internal controls

Contact Info

Product

Resources

About