A Comparison of Security Modelling Languages used for Security Risk

Tänapaeval kõik firmad, mis omavad väärtuslikke varasid, püüavad oma aktiva ja pasiva kaitsta. Kahjuks ei ole võimalik reageerida kõikidele varade turvalisust puudutavaid ähvardustele. Selliste võimalike ohtude leevendamiseks olid laiendatud modelleerimiskeeled turvariskide halduse kasutamiseks. Sobiva keele valik võib aga olla keeruline otsus, kuna see on iseenesest ränk küsimus, kuidas need keeled omavahel võrrelda ning otsustada kumb lahendus on rentaabel. Iga turvateenusel on oma hind, kuigi firmad on oma eelarvega piiratud. Konkreetne valitud keel turvariski haldamiseks peab vastama firma vajadustele, kuna see on tähtis positiivse “ROI” (investeeringu risk) suhtes. Samas turvariski haldus asub infosüsteemi arendamise varajasel staadiumil ja keele valik, mis ei vasta firma vajadustele, võib viita aja kaotusele või isegi süsteemi turvaaukudele. Selle probleemi lahenduseks on meie tehniline panus võrrelda modelleerimiskeel: “BPMN”, “Secure Tropos”, “Misuse case” ja “Mal-activity” diagramm. On tähtis määratlema, kuidas need keeled toimivad infosüsteemi turvariskide haldamine (ingl. ISSRM) domeeni mudeliga. Juhtumisel ja empiitilisel analüüsil põhinev võrdlus oli tehtud selleks, et selgust saada turvalisuse probleeme puudutavatest keeltest ja nende semiootilisest selgusest. Empiiriline analüüs juhtumi analüüsiga võimaldab välja selgitada, mismoodi üks keel toimib paremini kui teine “ISSRM” suhtes. Valitud modeleerimiskeeled turvariskide halduseks on mingil määral piiratud semiootilise selguse suhtes, kuna need pole olnud esialgu mõeldud tegelema turvariskide haldusega, pigem “ISSRM” kasutamiseks ning selleks, et aidata ohud leevendada infosüsteemi arendamise varajasel staadiumil.Nowadays, every company that has valuable assets has an urge to protect them. Unfortunately, it is impossible to act on every single security threat. To mitigate these threats Security Modelling Languages were extended to use for Security Risk Management. However, choosing suitable language can be a difficult decision, because it can be a problem to compare those languages and decide which one would bring the most cost-effective solution. Every security solution has its cost and companies have limited resources. The chosen language that will be used for Security Risk Management must suit the company’s needs, as it is important in terms of getting positive ROI (Risk on investment). In addition, Security Risk Management takes place on early stages of IS development and choosing security modelling language that does not suit the company’s needs will result in a loss of time as well as possible system vulnerabilities. Our technical contribution to the solution to this problem is a comparison of these Security Modelling Languages: BPMN, Secure Tropos, Misuse cases and Mal-activity diagrams. It is important to determine how these languages act with Information System Security Risk Management (ISSRM) domain model. The comparison is made based on the case study and empirical research in order to understand the semiotic clarity of these languages used to express the security concerns. The empirical research within the case study will allow us to point out in which ways one language acts better than another regarding ISSRM. The chosen security modelling languages contain limitations regarding the semiotic clarity, as they were not designed to deal with the security risk management at the first place, but used in terms of ISSRM, they help to mitigate risks starting from early stages of IS development

Cross-Layer Optimization in OFDM Wireless Communication Network

The wide use of OFDM systems in multiuser environments to overcome problem of communication over the wireless channel has gained prominence in recent years. Cross-layer Optimization technique is aimed to further improve the efficiency of this network. This chapter demonstrates that significant improvements in data traffic parameters can be achieved by applying cross-layer optimization tech- niques to packet switched wireless networks. This work compares the system capacity, delay time and data throughput of QoS traffic in a multiuser OFDM system using two algorithms. The first algorithm, Maximum Weighted Capacity, uses a cross-layer design to share resources and schedule traffic to users on the network, while the other algorithm (Maximum Capacity) simply allocates resources based only on the users channel quality. The results of the research shows that the delay time and data throughput of the Maximum Weighted Capacity algorithm in cross layer OFDM system is much better than that of the Maximum Capacity in simply based users channel quality system. The cost incurred for this gain is the increased complexity of the Maximum Weighted Capacity scheme

Pattern Based Security Requirement Derivation with Security Risk-aware Secure Tropos

Informatsioonisüsteem (IS) toetab suurt hulka modernse ühiskonna jaoks olulisi funktsioone. IS sisaldab üha suurenevat hulka andmeid ja informatsiooni, sealhulgas per-sonaalseid pilte ja andmeid tervise või finantstehingute kohta. Üha suurenev küberrünna-kute arv on tinginud vajaduse turvaliste infosüsteemide kiiremaks loomiseks. Et arendada turvalist IS-i, tuleb tuvastada turbe-eesmärgid ning need vastavalt ellu viia. Tulemuspõhine arendus tagab turbe-eesmärkide tulemuslikkuse, pakkudes metodoloogiat, mis võimaldab turvalisuse nõuete induktsiooni läbi kogu informatsioonisüsteemi arenduse protsessi. See on saavutatav, kui võtta igat süsteemikomponenti kui eesmärgile orienteeritud osa. Olgugi, et tulemuspõhine modelleerimine on kasulikuks osutunud, on sellel ka mõningaid puudu-seid. Peamine puudus peitub detailsuses, mille tõttu see protsess võib lühikese ajaga muu-tuda komplekseks, tõstes ka kogu ülejäänut protsessi keerukusetaset. Seetõttu on oluline kasutada struktureeritud lähenemisviisi, mis võimaldab kogu protsessi jooksul samm-sammulist juhendit rakendada. Turvalisuse mustrid on korduvkasutatavadja võimaldavad lahendada tarkvaraarenduse protsessi käigus sagedasti ilmnevaid probleeme. Käesolevas magistritöös uuritakse mustripõhise turvanõuete kogumise protsessi integreerimist, tule-muspõhise IS-i arendamisel. Selle eesmärgiks on SRP’d (Security Risk-oriented Patterns) kasutades pakkuda protsessi, mis võimaldab turvanõuete induktsiooni RAST (Security Risk-aware Secure Tropos) mudelis. RAST on turvalisuse tulemuspõhise modelleerimise keel, mis on kohaldatav läbi kogu tarkvaraarenduse protsessi nii varasematele kui hilisema-tele nõudlustele, arhitektuurile, üksikasjalikule projekteerimisele kui ka lõplikule rakenda-misele. Käesoleva magistritöö panus on viie SRP avaldamine, kasutades selleks RAST mo-delleerimise keelt. Töös tuuakse välja sammud, mida väljapakutud turvalisuse mustrite ra-kendamiseks kasutada. Töö autor annab omapoolse panuse viies läbi juhtumiuuringu, mis kinnitab autori poolt pakutud mustrite üldise kasutamisest selle rakenduse protsessist. Juh-tumiuuringust selgus ka, et töös välja pakutud mustreid on võimalik kasutada süsteemi analüüsi alguspunktina, et kiirendada turvalisuse nõuete väljaselgitamisprotsessi ning seda efektiivsemaks muuta.Information systems (IS’s) support a multitude of functions vital to the modern society. IS’s carry an ever increasing volume of data and information, including personal pictures, health data or financial transactions. Continuously increasing rates of cyber-attacks have led to the subsequent need to rapidly develop secure IS. To develop secure IS’s, security goals need to be identified and fulfilled accordingly. Goal-oriented development fulfils the achievement of security goal by providing a methodology that enables security requirement elicitation throughout the entire development of an information system. This is achieved by considering every component of a system as an actor that is driven by goals that the actor strives to achieve. Nevertheless goal-oriented modeling has proven itself to be valid it maintains multiple shortcomings. The main disadvantage lays in the high granularity of the process making it complex very fast and subsequently raising the level of complexity of the overall process. Therefore a structured approach that would provide a step-by-step guide throughout the application of the process would be essential. Security patterns are proven to be reusable solutions that address recurring security problems which are commonly faced during the process of software development. In this master thesis we investigate the integration of a pattern based security requirement elicitation process in the goal-oriented IS development. By performing this integration we aim at providing a process that enables the elicitation of security requirements from Security Risk-aware Secure Tropos (RAST) models. RAST is a security goal-oriented modeling language that is applicable throughout the complete process of software development from early to late requirements, architecture, detailed design and final implementation. The contribution of this thesis are five Security Risk-aware Patterns expressed using RAST. The thesis outlines the steps to be executed to apply the proposed security patterns. We validated our contribution by performing a case study that confirmed the overall usability of our proposed patterns and the pattern application process. Additionally the case study determined that the provided patterns can be used as a starting point for a faster and more efficient in identifying security requirements

Role-Based Access-Control for Databases

Liikudes üha enam paberivaba ari suunas, hoitakse üha enam tundlikku informatsiooni andmebaasides. Sellest tulenevalt on andmebaasid ründajatele väärtuslik sihtmärk. Levinud meetod andmete kaitseks on rollipõhine ligipääsu kontroll (role-based access control), mis piirab süsteemi kasutajate õiguseid vastavalt neile omistatud rollidele. Samas on turvameetmete realiseerimine arendajate jaoks aeganõudev käsitöö, mida teostatakse samaaegselt rakenduse toimeloogika realiseerimisega. Sellest tulenevalt on raskendatud turva vajaduste osas kliendiga läbirääkimine projekti algfaasides. See omakorda suurendab projekti reaalsete arenduskulude kasvamise riski, eriti kui ilmnevad turvalisuse puudujäägid realisatsioonis. Tänapäeva veebirakendustes andmebaasi ühenduste puulimine (connec-tion pooling ), kus kasutatakse üht ja sama ühendust erinevate kasutajate teenindamiseks, rikub vähima vajaliku õiguse printsiipi. Kõikidel ühendunud kasutajatel on ligipääs täpselt samale hulgale andmetele, mille tulemusena võib lekkida tundlik informatsioon (näiteks SQLi süstimine (SQL injection ) või vead rakenduses). Lahenduseks probleemile pakume välja vahendid rollipõhise ligipääsu kontorolli disainimiseks tarkvara projekteerimise faasis. Rollipõhise ligipääsu kontorolli modelleerimiseks kasutame UML'i laiendust SecureUML. Antud mudelist on võimalik antud töö raames valminud vahenditega genereerida koodi, mis kontrollib ligipääsu õiguseid andmebaasi tasemel. Antud madaltasemekontroll vähendab riski, et kasutajad näevad andmeid, millele neil ligipääsu õigused puuduvad. Antud töös läbiviidud uuring näitas, et mudelipõhine turvalisuse arendamise kvaliteet on kõrgem võrreldes programmeerijate poolt kirjutatud koodiga. Kuna turvamudel on loodud projekteerimise faasis on selle semantiline täielikkus ja korrektsus kõrge, millest tulenevalt on seda kerge lugeda ja muuta ning seda on lihtsam kasutada arendajate ja klientide vahelises suhtluses.With the constant march towards a paperless business environment, database systems are increasingly being used to hold more and more sensitive information. This means they present an increasingly valuable target for attackers. A mainstream method for information system security is Role-based Access Control (RBAC), which restricts system access to authorised users. However the implementation of the RBAC policy remains a human intensive activity, typically, performed at the implementation stage of the system development. This makes it difficult to communicate security solutions to the stakeholders earlier and raises the system development cost, especially if security implementation errors are detected. The use of connection pooling in web applications, where all the application users connect to the database via the web server with the same database connection, violates the the principle of minimal privilege. Every connected user has, in principle, access to the same data. This may leave the sensitive data vulnerable to SQL injection attacks or bugs in the application. As a solution we propose the application of the model-driven development to define RBAC mechanism for data access at the design stages of the system development. The RBAC model created using the SecureUML approach is automatically translated to source code, which implements the modelled security rules at the database level. Enforcing access-control at this low level limits the risk of leaking sensitive data to unauthorised users. In out case study we compared SecureUML and the traditional security model, written as a source code, mixed with business logic and user-interface statements. The case study showed that the model-driven security development results in significantly better quality for the security model. Hence the security model created at the design stage contains higher semantic completeness and correctness, it is easier to modify and understand, and it facilitates a better communication of security solutions to the system stakeholders than the security model created at the implementation stage

Revision of Security Risk-oriented Patterns for Distributed Systems

Turvariskide haldamine on oluline osa tarkvara arendusest. Arvestades, et enamik tänapäeva ettevõtetest sõltuvad suuresti infosüsteemidest, on turvalisusel oluline roll sujuvalt toimivate äriprotsesside tagamisel. Paljud inimesed kasutavad e-teenuseid, mida pakuvad näiteks pangad ja haigekassa. Ebapiisavatel turvameetmetel infosüsteemides võivad olla soovimatud tagajärjed nii ettevõtte mainele kui ka inimeste eludele.\n\rTarkvara turvalisusega tuleb tavaliselt tegeleda kogu tarkvara arendusperioodi ja tarkvara eluea jooksul. Uuringute andmetel tegeletakse tarkvara turvaküsimustega alles tarkvara arenduse ja hooldus etappidel. Kuna turvariskide vähendamine kaasneb tavaliselt muudatustena informatsioonisüsteemi spetsifikatsioonis, on turvaanalüüsi mõistlikum teha tarkvara väljatöötamise algusjärgus. See võimaldab varakult välistada ebasobivad lahendused. Lisaks aitab see vältida hilisemaid kulukaid muudatusi tarkvara arhitektuuris.\n\rKäesolevas töös käsitleme turvalise tarkvara arendamise probleemi, pakkudes lahendusena välja turvariskidele orienteeritud mustreid. Need mustrid aitavad leida turvariske äriprotsessides ja pakuvad välja turvariske vähendavaid lahendusi. Turvamustrid pakuvad analüütikutele vahendit turvanõuete koostamiseks äriprotsessidele. Samuti vähendavad nad riskianalüüsiks vajalikku töömahtu. Oma töös joondame me turvariskidele orienteeritud mustrid vastu hajussüsteemide turvaohtude mustreid. See võimaldab meil täiustada olemasolevaid turvariski mustreid ja võtta kasutusele täiendavaid mustreid turvariskide vähendamiseks hajussüsteemides.\n\rTurvariskidele orienteeritud mustrite kasutatavust on kontrollitud lennunduse äriprotsessides. Tulemused näitavad, et turvariskidele orienteeritud mustreid saab kasutada turvariskide vähendamiseks hajussüsteemides.Security risk management is an important part of software development. Given that majority of modern organizations rely heavily on information systems, security plays a big part in ensuring smooth operation of business processes. Many people rely on e-services offered by banks and medical establishments. Inadequate security measures in information systems could have unwanted effects on an organization’s reputation and on people’s lives. Security concerns usually need to be addressed throughout the development and lifetime of a software system. Literature reports however, that security is often considered during implementation and maintenance stages of software development. Since security risk mitigation usually results with changes to an IS’s specification, security analysis is best done at an early phase of the development process. This allows an early exclusion of inadequate system designs. Additionally, it helps prevent the need for fundamental and expensive design changes later in the development process. In this thesis, we target the secure system development problem by suggesting application of security risk-oriented patterns. These patterns help find security risk occurrences in business processes and present mitigations for these risks. They provide business analysts with means to elicit and introduce security requirements to business processes. At the same time, they reduce the efforts needed for risk analysis. We confront the security risk-oriented patterns against threat patterns for distributed systems. This allows us to refine the collection of existing patterns and introduce additional patterns to mitigate security risks in processes of distributed systems. The applicability of these security risk-oriented patterns is validated on business processes from aviation turnaround system. The validation results show that the security risk-oriented patterns can be used to mitigate security risks in distributed systems

Management of Security Risks in the Enterprise Architecture using ArchiMate and Mal-activities

Turvalisuse tase on ettevõtte üks peamisi elemente, mida tuleb organisatsioonis kontrollida. Kui ettevõtte äri arengut modelleeritakse on eesmärgiks katkematu ettevõtlus, aga tihti ei võeta sellega arvesse turvanõudeid. Selliselt on aga infosüsteemi kõrget turvalisuse taset väga raske säilitada. Selles dokumendis käsitletakse lähenemisviisi, mis parandab julgeoleku vastumeetmeid, et selleläbi aidata ettevõtte arhitektuuri turvalisemaks muuta. Ettevõtte arhitektuurimudeli ja turvariski juhtimise vaheliste soeste leidmine toimub läbi Infosüsteemi turvariskide juhtimise domeeni mudeli (ISSRM). Ettevõtte arhitektuuri modelleerimiseks on kasutatud ArchiMate modelleerimiskeelt. Paljudest riskide kirjeldamise keeltest on sobilikum mal-activity (pahatahtlikute tegevuste) diagrammid, sest see aitab julgeoleku riskide juhtimist kõige paremini visualiseerida. Struktureeritud joondus aitab ülalnimetatud keelte vahelisi seoseid näidata ning annab informatsiooni kõige haavatavamate punktide kohta süsteemis. Turvalisuse taseme säilitamine aitab ettevõttel äritegevust viia sõltumatuks infosüsteemist. Selle dokumendi tulemuseks on ArchiMate ja Mal-activity diagrammide vahelised seostetabelid ja reeglid. Nende kahe keele vaheliseks seoseks on ISSRM. Kirjeldatud lähenemise valideerimine on läbi viidud ühe näite põhjal, mis on võetud CoCoME juhtumiuuringust. Näite põhjal on loodud mitmeid illustreerivaid pilte valideerimise kohta. Kõige viimasena on kirjeldatud meetodiga saadud tulemust võrreldud Grandy et.al. (2013) poolt arendatud lähenemisega. Võtmesõnad: Infosüsteem, Infosüsteemi turvariskide juhtimine, ettevõtte arhitektuur, ettevõtte arhitektuuri mudel, julgeoleku vastumeetmed, turvariskide juhtimine, riskidele orjenteeritud modelleerimiskeeled, ArchiMate, mal-activity diagrammid.Security level of the enterprise is one of the main elements that should be taken under control in the organization. It is difficult to maintain high security level of Information System. Since development of enterprise architecture is targeted on continues business flow modeling, it sometimes does not take into account security requirements. The paper provides an approach to improve security countermeasures to contribute with secure Enterprise Architecture. Filling the gap between Enterprise Architecture model and Security Risk Management is done through Information System Security Risk Management domain model (ISSRM). To build the Enterprise Architecture model, ArchiMate modelling language is being used. Among different risk-oriented languages, selection was done in favor of Mal-activity diagrams, which help to provide visual concept of Security Risk Management. Structured alignment can show the mapping between aforementioned terms and provide the information about most vulnerable points of the system. The maintenance of security level will help to make business flow independent from the state of Information System. The outcome of this paper is an alignment tables and rules between ArchiMate and Mal-activity diagrams. The mapping link between these two languages is ISSRM. Validation of our approach is done on the example, which is taken from CoCoME case study. It is shown on number of illustrative pictures. After getting the results, there is a comparison of the output between presented method and approach developed by Grandry et.al. (2013). Keywords: Information System, Information System Security Risk Management, Enterprise Architecture, Enterprise Architecture model, security countermeasures, Security Risk Management, risk-oriented modelling languages, ArchiMate, Mal-activity diagrams

Managing Security Risks Using Attack-Defense Trees

Nagu mujal valdkondades, kasvab tänapäeval vajadus turvalisuse järele, nii ka ärimaailmas. Käesolev magistritöö üritab seda probleemi lahendada kasutades riskianalüüsi diagrammi mudelit, mida inglise keeles nimetatakse Attack Tree.ISSRM (Information System Security Risk Managment) on mudel, mis käsitleb kõiki olulisi riskianalüüsi aspekte, on lihtsalt arusaadav ja annab olukorrast kiire ülevaate. Laiendustena on olemas mõned sellised riskianalüüsi diagrammid, kuid ükski neist pole võimeline käsitlema kõiki võimalikke ohuolukordi. See paneb diagrammi kasutamisele piirid, kuna ei arvesta võimalikke vastumeetmeid ohtudele, ega ohuallika profiili.Antud magistritöö pakub sellele probleemile kolmeosalist lahendust.1. luua sild riskianalüüsi puu osast, mis käsitleb kaitsetehnikaid (Attack Defence Tree), kuni ISSRM mudelini;2. arvestades minevikus ette tulnud riske, riskifaktorite tõenäolisuse ja nendega seotud kulutuste mõõteparameetrite väljatöötamine;3. tööriista kasutamine, mis on välja töötatud antud riskianalüüsipuu abil.Selliselt loodud sild aitab leida veel avastamata aspekte riskianalüüsi puus. Lisades sellise laienduse, on riskianalüüsi puu täielikum ja muudab ISSRM-i mudeli mitmekülgsemaks. Selleks, et riske paremini analüüsida, on kasulik arvestada ka minevikus ette tulnud ohte ning neid matemaatiliselt uurida tõenäolisuse aspektist, et minimeerida sarnaste ohuolukordade taastekkimise tõenäosust. Magistritöö tegemise käigus välja töötatud tööriist (Aligned Attack-Defense Tree or A-ADTree) on võimekam riski tõenäosusele hinnangu andmisel teistest juba olemasolevatest versioonidest. Antud tööriist annab riskianalüüsi hindajatele rohkem võimalusi võimalike ohuolukordade lahendamiseks ja ennetamiseks. Kuna siin kasutatud modelleerimiskeeled on juba sobitatud ISSRM mudeliga, võimaldab antud töös välja töötatud laiendus luua enam seoseid selle ning teiste modelleerimiskeelte (nt Secure BPMN, Misuse-case diagram, Secure TROPOS, and Mal-Activity diagram) vahel ka tulevikus.Nowadays there is an increasing demand for answering the security needs in systematic ways. The In this thesis, we have addressed risk management using Attack Tree.Information System Security Risk Management (ISSRM) is a model which covers all the important concepts in risk management. Also, attack trees are simple and efficient tools for showing the risks. There are few extensions of attack trees, but none of them covers all risk concepts. The said problem limited the usage of attack tree model since it does not consider important measures such as countermeasures, or threat agent’s profile.The contribution to resolve the problem in this thesis includes three steps. Obtaining an alignment from Attack-Defense trees to ISSRM. Measurement of the metrics of the nodes of tree using historical dataImplementation of a tool based on obtained tree.Using the alignment, we have detected the uncovered concepts in Attack-Defense tree. Then we tried to add these concepts to the current Attack-Defense tree. Therefore, the new Attack-Defense tree (called Aligned Attack-Defense tree or A-ADTree) covers most important concepts of ISSRM. In order to measure the risk, we have proposed a mathematical model to evaluate the probability of the nodes in the tree, based on historical data. Then, implemented tool helps to materialize the effect of threat agent’s profile, and countermeasures on the risks. The result of implemented tool shows, the obtained A-ADTree has more capabilities (in the evaluation of the probability of risk) in comparison to previous versions. This solution is capable of giving more hints for the project managers when they are deciding about possible solutions in industries. Additionally, this alignment helps to obtain another alignment between A-ADTree and the other modeling languages in future, since these modeling languages are already aligned to ISSRM

Modeling security and privacy requirements: A use case-driven approach

Context: Modern internet-based services, ranging from food-delivery to home-caring, leverage the availability of multiple programmable devices to provide handy services tailored to end-user needs. These services are delivered through an ecosystem of device-specific software components and interfaces (e.g., mobile and wearable device applications). Since they often handle private information (e.g., location and health status), their security and privacy requirements are of crucial importance. Defining and analyzing those requirements is a significant challenge due to the multiple types of software components and devices integrated into software ecosystems. Each software component presents peculiarities that often depend on the context and the devices the component interact with, and that must be considered when dealing with security and privacy requirements. Objective: In this paper, we propose, apply, and assess a modeling method that supports the specification of security and privacy requirements in a structured and analyzable form. Our motivation is that, in many contexts, use cases are common practice for the elicitation of functional requirements and should also be adapted for describing security requirements. Method: We integrate an existing approach for modeling security and privacy requirements in terms of security threats, their mitigations, and their relations to use cases in a misuse case diagram. We introduce new security-related templates, i.e., a mitigation template and a misuse case template for specifying mitigation schemes and misuse case specifications in a structured and analyzable manner. Natural language processing can then be used to automatically report inconsistencies among artifacts and between the templates and specifications. Results: We successfully applied our approach to an industrial healthcare project and report lessons learned and results from structured interviews with engineers. Conclusion: Since our approach supports the precise specification and analysis of security threats, threat scenarios and their mitigations, it also supports decision making and the analysis of compliance to standards

A replication of a controlled experiment with two STRIDE variants

To avoid costly security patching after software deployment, security-by-design techniques (e.g., STRIDE threat analysis) are adopted in organizations to root out security issues before the system is ever implemented. Despite the global gap in cybersecurity workforce and the high manual effort required for performing threat analysis, organizations are ramping up threat analysis activities. However, past experimental results were inconclusive regarding some performance indicators of threat analysis techniques thus practitioners have little evidence for choosing the technique to adopt. To address this issue, we replicated a controlled experiment with STRIDE. Our study was aimed at measuring and comparing the performance indicators (productivity and precision) of two STRIDE variants (element and interaction). We conclude the paper by comparing our results to the original study

DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements