ABSTRACT

Event Trees (ETs) can be used to model the different phases of an attack, while Fault Trees (FTs) can be associated with each phase to model the success or failure of that phase. In each phase the associated Fault Trees can contain both the actions of the external attacker and the conditional component failure events given the attack. In contrast with what is generally done in the safety and reliability domains, in security-related applications the actions of the attacker must be modeled correctly, taking into account that they can be mutually exclusive and that the probabilities involved in the conditional failure events can be quite high. One way to deal with the first aspect would be to increase the size of the event tree and to model all the attacker actions explicitly in it; the Fault Trees would then be limited in size and would only model the system failures resulting from those actions. In Cojazzi et al. (2006) it was proposed instead to limit the size of the ET to the main phases of the attack and to model the actions of the attacker in the FTs of the systems affected by each action. It was further proposed to model each attacker action by splitting the decision to perform the action from the outcome of performing it. The events connected to alternative choices are to be considered mutually exclusive. The resulting fault tree can be analyzed in different ways, depending on the method used to treat disjoint events in the fault tree framework.
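As an added illustration, not code from the paper, the following evaluates one attack-phase fault tree in which the decision events for two alternative actions are mutually exclusive and are kept separate from their outcome events; it compares the top-event probability obtained by honouring the disjointness with the value obtained when the same events are wrongly treated as independent. All event names and probabilities are constructed for the example.

```python
from itertools import product

# Constructed example (assumed, not from the paper): one attack phase in which the
# attacker decides on exactly one of two alternative actions.  D_A / D_B are the
# decision events (mutually exclusive), O_A / O_B the outcome events of performing
# the chosen action, and F the conditional failure of the affected component.
BASIC = {"D_A": 0.6, "D_B": 0.4, "O_A": 0.9, "O_B": 0.7, "F": 0.8}
EXCLUSIVE = [("D_A", "D_B")]  # at most one decision per phase; probabilities sum to <= 1
# Top event: a chosen action succeeds AND the component fails given the attack.
TOP = ("and", ("or", ("and", "D_A", "O_A"), ("and", "D_B", "O_B")), "F")


def evaluate(gate, state):
    """Evaluate a nested ("and"/"or", child, ...) gate against a truth assignment."""
    if isinstance(gate, str):
        return state[gate]
    op, *children = gate
    values = [evaluate(c, state) for c in children]
    return all(values) if op == "and" else any(values)


def worlds(basic, exclusive):
    """Enumerate every consistent assignment of the basic events with its probability.

    Events in an exclusive group are assigned by picking one member (or none, with
    the residual probability); all other events are treated as independent.
    """
    grouped = {e for g in exclusive for e in g}
    free = [e for e in basic if e not in grouped]
    group_choices = [[(m, basic[m]) for m in g] + [(None, 1 - sum(basic[m] for m in g))]
                     for g in exclusive]
    for picks in product(*group_choices):
        for bits in product((True, False), repeat=len(free)):
            prob, state = 1.0, {}
            for group, (chosen, p_choice) in zip(exclusive, picks):
                prob *= p_choice
                for m in group:
                    state[m] = (m == chosen)
            for event, truth in zip(free, bits):
                prob *= basic[event] if truth else 1 - basic[event]
                state[event] = truth
            yield state, prob


def top_probability(top, basic, exclusive):
    """Exact top-event probability, respecting the mutually exclusive groups."""
    return sum(p for s, p in worlds(basic, exclusive) if evaluate(top, s))


if __name__ == "__main__":
    print("disjoint decisions:", round(top_probability(TOP, BASIC, EXCLUSIVE), 5))
    print("treated as independent:", round(top_probability(TOP, BASIC, []), 5))
```

With these values the disjoint treatment gives 0.656 while the independence assumption gives 0.53504, which is the kind of discrepancy the abstract points to when decision probabilities are high rather than rare.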