thesis

systems-theoretic security model for large scale, complex systems applied to the US air transportation system

Abstract

Thesis (S.M.)--Massachusetts Institute of Technology, Engineering Systems Division, 2007. This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. Includes bibliographical references (p. 129-132).

Classical risk-based or game-theoretic security models rely on assumptions from reliability theory and rational expectations economics that are not applicable to security threats. Additionally, these models suffer from serious deficiencies when they are applied to software-intensive, socio-technical systems. Recent work by Leveson in the area of system safety engineering has led to the development of a new accident model for system safety that acknowledges the dynamic complexity of accidents. Systems-Theoretic Accident Models and Processes (STAMP) applies principles from control theory to enforce constraints on hazards and thereby prevent accidents. Appreciating the similarities between safety and security while still acknowledging the differences, this thesis extends STAMP to security problems. In particular, it is applied to identify and mitigate the threats that could emerge in critical infrastructures such as the Air Transportation System. Furthermore, recommendations are provided to assist systems engineers and policy makers in securely transitioning to the Next Generation Air Transportation System (NGATS).

by Joseph R. Laracy. S.M.
