ABSTRACT

The security modelling technique is based around a software tool and draws upon ideas from reliability engineering, risk analysis and spreadsheets. Security modelling relates to risk analysis in much the same way that using a spreadsheet relates to making a business plan. Risk analysis is a key component of any policy on risk. It enables management to balance security against cost by understanding the specific risks to the organisation that arise from threats to the availability, integrity and confidentiality of its information technology assets. Many risk analysis methodologies have been proposed, using a variety of different techniques. These have in common the aims of: evaluating the effectiveness of existing computing security measures. The proposed method of security modelling is based on three key ideas: iterative modelling; the automatic consideration of every possible disaster scenario; and the prevention of misclassification errors by unifying the key concepts of Asset, Threat, Vulnerability and Countermeasure into a common terminology.