What is the scenario? An enterprise and its IT system.
Dipartimento di Scienze, 22 dicembre 2015

What are the players? Attacker and Defender.

What is the game?

Agenda
  1  Defence trees + indexes
  2  Strategic games
  3  Three novel indicators
  4  ...

1 - Risk Management process
  1. Risk Assessment: identification of the assets, threats and vulnerabilities, and countermeasures (defence trees, economic indexes).
  2. Risk Analysis: determination of the acceptable risk threshold.
  3. Risk Mitigation: prioritize, evaluate and implement the recommended countermeasures.

1 - Defence tree
Defence trees are an extension of attack trees [Schneier00].
Attack tree: the root is an asset of an IT system; the paths from the root to the leaves are the ways to attack the root; the non-leaf nodes can be and-nodes or or-nodes.
Defence tree: an attack tree plus a set of countermeasures.

1 - An example
An enterprise server is used to store information about customers. An attacker wants to steal this server.
Defence tree for "Steal the server" (the same tree is reused on the following slides):
  a1  Break down the door, then go out unobserved
        c1  Install a security door
        c2  Install a video surveillance equipment
        c3  Employ a security guard
  a2  Have the keys, then go out unobserved
        c4  Install a safety lock
        c2  Install a video surveillance equipment
        c3  Employ a security guard

1 - Estimate the cost of investment
Needed: the annual loss produced by an attack, the effectiveness of a countermeasure in mitigating the risk, and the cost of a countermeasure.

1 - Economic index: SLE
The Single Loss Exposure (SLE) represents a measure of an enterprise's loss from a single threat event and can be computed by using the following formula:
where:
  the Asset Value (AV) is the cost of creation, development, support, replacement and ownership of an asset;
  the Exposure Factor (EF) represents a measure of the magnitude of loss or impact on the value of an asset arising from a threat event.

1 - Economic index: ALE
The Annualized Loss Expectancy (ALE) is the annually expected financial loss of an enterprise that can be ascribed to a threat and can be computed by using the following formula:
where:
  the Annualized Rate of Occurrence (ARO) is a number that represents the estimated number of annual occurrences of a threat.

1 - Economic index: ROI
The Return on Investment (ROI) indicator can be computed by using the following formula:
where:
  RM is the risk mitigated by a countermeasure and represents the effectiveness of a countermeasure in mitigating the risk of loss deriving from exploiting a vulnerability;
  CSI is the cost of security investment that an enterprise must face for implementing a given countermeasure.

1 - Economic index: ROI (input values)
  Attack                                              EF     ARO
  a1  Break down the door and go out unobserved       0,9    0,1
  a2  Open the door with keys and go out unobserved   0,93   0,1

  Countermeasures against a1              RM     CSI
  c1  Install a security door             0,7    1500
  c2  Install a video surveillance ...    0,1    3000
  c3  Employ a security guard             0,5    12000
  c4  Install a security lock             0      300

  Countermeasures against a2              RM     CSI
  c1  Install a security door             0      1500
  c2  Install a video surveillance ...    0,1    3000
  c3  Employ a security guard             0,5    12000
  c4  Install a security lock             0,2    300

1 - Economic index: ROI (the tree labelled)
Legend: AV Asset Value; EF Exposure Factor; SLE Single Loss Exposure; ARO Annualized Rate of Occurrence; ALE Annualized Loss Expectancy; RM Risk Mitigated; CSI Cost of Security Investment.
AV = 100.000 €
  a1  Break down the door: EF=90%, ARO=0,10, SLE=90.000 €, ALE=9.000 €
        c1  Install a security door:                RM=70%, CSI=1.500 €,  ROI=3,20
        c2  Install a video surveillance equipment: RM=10%, CSI=3.000 €,  ROI=-0,70
        c3  Employ a security guard:                RM=50%, CSI=12.000 €, ROI=-0,62
  a2  Have the keys: EF=93%, ARO=0,10, SLE=93.000 €, ALE=9.300 €
        c4  Install a safety lock:                  RM=20%, CSI=300 €,    ROI=5,20
        c2  Install a video surveillance equipment: RM=10%, CSI=3.000 €,  ROI=-0,69
        c3  Employ a security guard:                RM=50%, CSI=12.000 €, ROI=-0,61

1 - Estimate the cost of the attack
Needed: the expected gain from the successful attack on the target, the cost sustained by the attacker to succeed, and the additional cost brought by a possible countermeasure.

1 - Economic index: ROA
Return On Attack (ROA) measures the gain that an attacker expects from a successful attack over the losses that he sustains due to the adoption of security measures by his target:
  GI is the expected gain from the successful attack on the specified target;
  cost_a is the cost sustained by the attacker to succeed;
  cost_a^c is the additional cost brought by the countermeasure c adopted by the defender to mitigate the attack a.
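Added example (not the slides' own code): the four indexes computed for every leaf of the "Steal the server" defence tree, so that each countermeasure carries its ROI for the defender and its ROA for the attacker. The SLE, ALE, ROI and ROA formulas are an assumption, since the slide formulas were lost in extraction, chosen because they reproduce every value shown on the example slides; the function names evaluate and best_defence are mine.

```python
# Added example, not the slides' code. Formulas are assumed (lost in
# extraction) but reproduce every SLE, ALE, ROI and ROA value on the slides.

def sle(av, ef):
    """Single Loss Exposure: asset value times exposure factor."""
    return av * ef

def ale(av, ef, aro):
    """Annualized Loss Expectancy: SLE times annual rate of occurrence."""
    return sle(av, ef) * aro

def roi(ale_value, rm, csi):
    """Return On Investment: yearly loss mitigated, net of cost, over cost."""
    return (ale_value * rm - csi) / csi

def roa(gi, cost_a, cost_ac):
    """Return On Attack: gain over attack cost plus the countermeasure's extra cost."""
    return gi / (cost_a + cost_ac)

AV = 100_000  # asset value in euro (slide value)
GI = 30_000   # attacker's expected gain in euro (slide value)

# attack -> (EF, ARO, cost_a), from the ROI and ROA tables on the slides
ATTACKS = {
    "a1 break down the door": (0.90, 0.10, 4000),
    "a2 have the keys":       (0.93, 0.10, 4200),
}
# attack -> countermeasure -> (RM, CSI, cost_a^c): the leaves of the tree
LEAVES = {
    "a1 break down the door": {
        "c1 security door":      (0.70, 1500, 2000),
        "c2 video surveillance": (0.10, 3000, 1000),
        "c3 security guard":     (0.50, 12000, 1500),
    },
    "a2 have the keys": {
        "c4 safety lock":        (0.20, 300, 200),
        "c2 video surveillance": (0.10, 3000, 1000),
        "c3 security guard":     (0.50, 12000, 1500),
    },
}

def evaluate(attacks=ATTACKS, leaves=LEAVES, av=AV, gi=GI):
    """Label every (attack, countermeasure) leaf with (ROI, ROA)."""
    labels = {}
    for a, (ef, aro, cost_a) in attacks.items():
        yearly_loss = ale(av, ef, aro)
        for c, (rm, csi, cost_ac) in leaves[a].items():
            labels[(a, c)] = (roi(yearly_loss, rm, csi), roa(gi, cost_a, cost_ac))
    return labels

def best_defence(labels):
    """Per attack, the countermeasure with the highest ROI, kept only if it pays for itself."""
    best = {}
    for (a, c), (r, _) in labels.items():
        if a not in best or r > best[a][1]:
            best[a] = (c, r)
    return {a: c for a, (c, r) in best.items() if r > 0}
```

best_defence(evaluate()) selects the security door against a1 and the safety lock against a2; every other leaf has a negative ROI, i.e. the countermeasure costs more per year than the loss it avoids.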
1 - Economic index: ROA (input values)
  Attack                                              cost_a
  a1  Break down the door and go out unobserved       4000
  a2  Open the door with keys and go out unobserved   4200

  Countermeasure                             cost_a^c against a1   cost_a^c against a2
  c1  Install a security door                2000                  0
  c2  Install a video surveillance equip.    1000                  1000
  c3  Employ a security guard                1500                  1500
  c4  Install a security lock                0                     200

1 - Economic index: ROA (the tree labelled)
Legend: RM Risk Mitigated; cost_a cost of the attack; cost_a^c additional cost produced by a countermeasure; GI gain from the attack; AV Asset Value.
GI = 30.000 €
  a1  Break down the door: cost_a=4.000 €
        c1  Install a security door:                cost_a^c=2.000 €, ROA=5,00
        c2  Install a video surveillance equipment: cost_a^c=1.000 €, ROA=6
        c3  Employ a security guard:                cost_a^c=1.500 €, ROA=5,45
  a2  Have the keys: cost_a=4.200 €
        c4  Install a safety lock:                  cost_a^c=200 €,   ROA=6,82
        c2  Install a video surveillance equipment: cost_a^c=1.000 €, ROA=5,77
        c3  Employ a security guard:                cost_a^c=1.500 €, ROA=5,26

1 - Evaluation
  a1  Break down the door, go out unobserved
        c1  Install a security door:                ROI=3.20   ROA=0.50
        c2  Install a video surveillance equipment: ROI=-0.70  ROA=4.40
        c3  Employ a security guard:                ROI=-0.63  ROA=1.73
  a2  Have the keys, go out unobserved
        c4  Install a safety lock:                  ROI=5.20   ROA=4.45
        c2  Install a video surveillance equipment: ROI=-0.69  ROA=4.19
        c3  Employ a security guard:                ROI=-0.61  ROA=1.63

Future Works: attack graphs
(figure: the same defence tree drawn as a graph, with the node "Go out unobserved" shared by "Break down the door" and "Have the keys")

Future Works: journal version? New version of ROI
  Old ROI: 1 attack, 1 countermeasure.
  New: 1 attack, n countermeasures, where f is f_C = max(c) or f_C = sum(c), with Σ_{c∈C} RM_c ≤ 1.

Future Works: journal version? New version of ROI
  Old ROI: m attacks, 1 countermeasure, where g is g_A = sum(a) and g_A ≤ AV.
  New: m attacks, n countermeasures.

Future Works: journal version? New version of ROA
  Old ROA: 1 attack, 1 countermeasure.
  New: 1 attack, n countermeasures, where f is f_C = max(c) or f_C = sum(c), with Σ_{c∈C} RM_c ≤ 1.

Future Works: journal version? New version of ROA
  Old ROA: m attacks, 1 countermeasure, where g is g_A = sum(a).
  New: m attacks, n countermeasures.

Future Works: min set cover
(figure: the countermeasures c1, c2, c3, c4 covering the attacks a1, a2, a3, and the minimal cover)
RM = [max(c1, c2), min(1, c1 + c2)]

Future Works: intervals
Intervals to represent the possible values of the exposure factor (EF) and of the risk mitigated (RM).
(figure: example intervals 20%-40%, 20%-40%, 30%-80%)
I have to redefine all the formulas, now taking the intervals into account! E.g. if x < EF < y, then with AV I get that SLE is an interval too! And therefore ALE too, and ROI too.

1 - Paper
Defense trees for economic evaluation of security investments. S. Bistarelli, F. Fioravanti, P. Pamela. In: 1st International Conference on Availability, Reliability and Security (ARES 2006). Vienna, Austria, April 20-22 2006.

2 - Strategic game
We consider a strategic game with 2 players, the defender and the attacker of a system:
  S_d: the set of the defender's strategies (the countermeasures);
  S_a: the set of the attacker's strategies (the vulnerabilities);
  ROI and ROA: the payoff functions for the defender and the attacker.

2 - Strategic game: an example
S_a = {a1, a2}, S_d = {c1, c2, c3}; payoffs u_d(c_i, a_i) and u_a(c_i, a_i).
(figure: game tree over c1, c2, c3 and a1, a2 with the leaf payoffs U_d=1, U_a=1; U_d=0, U_a=2; U_d=1, U_a=2; U_d=1, U_a=0)

2 - Nash equilibrium
The combination of strategies (s1*, s2*) with s1* ∈ S1 and s2* ∈ S2 is a Nash Equilibrium if and only if, for each player i, the action s_i* is the best response to the other player:
This game admits two different Nash Equilibria: the couples of strategies {c1, a1} and {c3, a2}.

2 - Mixed strategy: an example
What if a player does not know the behaviour of the other player? Mixed strategies.
(figure: the attacker plays a1, a2 with probabilities p_a1, p_a2; the defender plays c1, c2, c3 with probabilities p_c1, p_c2, p_c3; the values 1, ½, ½ are shown)

2 - Our game: selection of a single countermeasure/attack
The set of strategies of the defender and of the attacker is composed of a single action, played on the "Steal the server" defence tree above.
There is one Nash Equilibrium with mixed strategies, with probabilities 31/52 and 21/52 for one player and 205/769 and 564/769 for the other.

2 - Our game: selection of a set of countermeasures/attacks
Each player can play any set of countermeasures or attacks together.
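Added example (not the slides' code) of the strategic game just described: the best-response check of the Nash equilibrium definition applied to a sub-game read off the Evaluation slide, and the indifference computation that produces an equilibrium in mixed strategies. The slides' own payoff matrices are not reproduced on the page, so the mixed-strategy case uses a constructed matrix, labelled as such.

```python
# Added example, not the slides' code: the deck's strategic game as a bimatrix
# game, rows = defender's countermeasures, columns = attacker's attacks,
# payoffs u_d = ROI and u_a = ROA.
from fractions import Fraction
from itertools import product

def exact(x):
    """Decimal-exact fraction (Fraction(0.7) would expose binary rounding)."""
    return Fraction(str(x))

def pure_nash(ud, ua):
    """Pure Nash equilibria: cells where each action is a best response to
    the other player's action, as in the definition on the Nash slide."""
    rows, cols = len(ud), len(ud[0])
    return [(i, j) for i, j in product(range(rows), range(cols))
            if all(ud[i][j] >= ud[k][j] for k in range(rows))
            and all(ua[i][j] >= ua[i][l] for l in range(cols))]

def mixed_nash_2x2(ud, ua):
    """Fully mixed equilibrium of a 2x2 game, or None if there is none: the
    defender's mix p makes the attacker indifferent between the two attacks,
    the attacker's mix q makes the defender indifferent between the two
    countermeasures."""
    d = [[exact(v) for v in row] for row in ud]
    a = [[exact(v) for v in row] for row in ua]
    den_q = d[0][0] - d[0][1] - d[1][0] + d[1][1]
    den_p = a[0][0] - a[1][0] - a[0][1] + a[1][1]
    if den_q == 0 or den_p == 0:
        return None
    q = (d[1][1] - d[0][1]) / den_q   # P(attacker plays the first column)
    p = (a[1][1] - a[1][0]) / den_p   # P(defender plays the first row)
    if not (0 < p < 1 and 0 < q < 1):
        return None
    return (p, 1 - p), (q, 1 - q)

def row_payoffs(u, q):
    """Expected payoff of each row against the column mix q."""
    return [sum(exact(u[i][j]) * q[j] for j in range(len(q))) for i in range(len(u))]

def col_payoffs(u, p):
    """Expected payoff of each column against the row mix p."""
    return [sum(p[i] * exact(u[i][j]) for i in range(len(p))) for j in range(len(u[0]))]

# Sub-game read off the Evaluation slide: c2 (video surveillance) and c3
# (security guard) are the two countermeasures that cover both a1 and a2.
UD_SLIDE = [[-0.70, -0.69], [-0.63, -0.61]]   # ROI: rows c2, c3; columns a1, a2
UA_SLIDE = [[4.40, 4.19], [1.73, 1.63]]       # ROA, same layout

# Constructed payoffs (not on the slides) with no pure equilibrium: the
# defender gains when the countermeasure matches the attack, the attacker
# gains when it does not, so both players must randomise.
UD_MIX = [[2, -1], [-1, 1]]
UA_MIX = [[-1, 3], [2, -1]]
```

On the slide sub-game pure_nash returns only (c3, a1) and mixed_nash_2x2 returns None; on the constructed game there is no pure equilibrium and the mixed one is p = (3/7, 4/7), q = (2/5, 3/5), with every row and column of the support earning the same expected payoff.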
(figure: the same "Steal the server" defence tree)
There is one Nash Equilibrium with mixed strategies, with probabilities 5/21 and 16/21 for one player and 39/55 and 16/55 for the other.

Future Works
  Consider games with 1 attacker and n-1 defenders
  Cooperation among attackers
  Types of attackers (Bayesian games)
  Dynamic games, repeated games

2 - Papers
Strategic game on defense trees. S. Bistarelli, M. Dall'Aglio, P. Pamela. In: 4th International Workshop on Formal Aspects in Security and Trust (FAST2006). Hamilton, ON, Canada, August 26-27 2006.

3 - Three novel indicators
  Critical time
  Retaliation
  Collusion

3 - Critical time
The Exposure Factor during Critical Time expresses the influence that the criticality of a specific time instance plays on the EF, as follows:
CTF being the Critical Time Factor that expresses the percentage of criticality of a specific time instance.
  If CTF=0, then EF_CT = EF
  If CTF=1, then EF_CT = 1
  If EF=0, then EF_CT = CTF
  If EF=1, then EF_CT = 1

3 - Critical time: the indicators
  Annualized Rate of Occurrence, ARO_CT, is the rate of occurrence of an attack at a specific CTF per year.
  Single Loss Exposure, SLE_CT, is the cost of a single attack at a specific CTF:
  Annualized Loss Expectancy, ALE_CT, is the cost per year of an attack at a specific CTF:
  Return On Investment, ROI_CT, is the economic return of an enterprise's investment against an attack mounted at a specific CTF:

3 - Critical time: an example
  Asset                      AV        EF    ARO   SLE       ALE
  Demo machine               5000 $    30%   55%   1500 $    825 $
  Simulation Infrastructure  30000 $   40%   60%   12000 $   7200 $
  Researcher's machine       3000 $    15%   20%   450 $     90 $

  Asset                      AV        CTF   EF_CT   ARO_CT   SLE_CT    ALE_CT
  Demo machine               5000 $    95%   96,5%   25%      4825 $    1206,25 $
  Simulation Infrastructure  30000 $   98%   98,8%   60%      29640 $   17784 $
  Researcher's machine       3000 $    90%   91,5%   20%      2745 $    549 $

3 - Retaliation
The Exposure Factor under Retaliation expresses the influence that the chance of retaliating an attack to an asset plays on the EF, as follows:
RF being the Retaliation Factor that expresses the percentage of retaliation that can be performed.
  If RF=0, then EF_R = EF
  If RF=1, then EF_R = 0
  If EF=0, then EF_R = 0
  If EF=1, then EF_R = 1-RF

3 - Retaliation: the indicators
  Annualized Rate of Occurrence, ARO_R, is the rate of occurrence per year of an attack that can be retaliated.
  Single Loss Exposure, SLE_R, is the cost of a single attack that can be retaliated:
  Annualized Loss Expectancy, ALE_R, is the cost per year of an attack that can be retaliated:
  Return On Investment, ROI_R, is the economic return of an enterprise's investment against an attack that can be retaliated:

3 - Retaliation: an example
  Asset                      AV        EF    ARO   SLE       ALE
  Demo machine               5000 $    30%   55%   1500 $    825 $
  Simulation Infrastructure  30000 $   40%   60%   12000 $   7200 $
  Researcher's machine       3000 $    15%   20%   450 $     90 $

  Asset                      AV        RF     EF_R    ARO_R   SLE_R    ALE_R
  Demo machine               5000 $    25%    23%     15%     1150 $   172,50 $
  Simulation Infrastructure  30000 $   25%    30%     60%     9000 $   5400 $
  Researcher's machine       3000 $    130%   -4,5%   20%     -135 $   -27 $

3 - Collusion
The Mitigated Risk against Collusion expresses the influence that collusion of attackers plays on the MR (mitigated risk), as follows:
CF being the Collusion Factor that expresses the percentage of collusion of the attackers.
  If CF=0, then MR_C = MR
  If CF=1, then MR_C = 0
  If MR=0, then MR_C = 0
  If MR=1, then MR_C = 1-CF

3 - Collusion: the indicators
The Return On Investment against Collusion, ROI_C, is the economic return of an enterprise's investment against an attack mounted by one or more colluding attackers:

3 - Collusion: an example
  Asset                      AV        ALE      CSI      MR    ROI
  Demo machine               5000 $    825 $    600 $    85%   16,87%
  Simulation Infrastructure  30000 $   7200 $   4500 $   75%   20%
  Researcher's machine       3000 $    90 $     70 $     90%   15,71%

  Asset                      AV        ALE      CSI      CF    MR_C     ROI_C
  Demo machine               5000 $    825 $    600 $    45%   46,75%   -35,71%
  Simulation Infrastructure  30000 $   7200 $   4500 $   35%   45%      -22%
  Researcher's machine       3000 $    90 $     70 $     10%   81%      4,14%

3 - Paper
Augmented Risk Analysis. G. Bella, S. Bistarelli, P. Peretti, S. Riccobene. In: 2nd Workshop in Views On Designing Complex Architectures (VODCA2006). Bertinoro (FC), September 16-17 2006.

Future Works
  ...
  ...
  ...

CP-nets
(figure: a CP-net over the variables S and W with the unconditional preference S_v > S_u and the conditional preferences on W: given S_v, W_r > W_w; given S_u, W_w > W_r; the induced order over the outcomes S_v W_r, S_v W_w, S_u W_w, S_u W_r is drawn)

CP-nets
Attacker's preference over the attacks: a4 > a3 > a5 > a6 > a1 > a2.
Conditional preference table A -> C over the countermeasures:
  a1: c1 > c2 > c3
  a2: c5 > c3 > c4
  a3: c6 > c7
  a4: c8 > c9
  a5: c11 > c10
  a6: c13 > c12

CP-nets
(figure: defence tree for "Steal data stored in a server". Attack nodes: Attack the system with a remote login; Obtain root privileges; a1 Steal access to a user with root priv.; a2 Corrupt a user with root priv.; Exploit an on-line vulnerability; Exploit a web server vulnerability; Steal the server; Access to the server's room; Go out unobserved. Countermeasures as labelled on the slide: c2 Change the password periodically; c3 Log out the pc after the use; c3 Add an identification token; c4 Distribute responsibilities among users; c5 Motivate employees; c6 Update the system periodically; c7 Separate the contents on the server; c8 Use an anti-virus software; c9 Stop suspicious attachment; c10 Install a security door; c11 Install a safety lock; c12 Install a video surveillance equipment; c13 Employ a security guard)

CP-nets: and-composition
The and-composition of the preference tables described by the partial orders (D(x_i), ≻_i^u) and (D(x_i), ≻_i^v) is described by the partial order (D(x_i), ≻_i^{u∧v}), where ≻_i^{u∧v} represents the conditional preference of the instantiations of the variable x_i given an instantiation u∧v.
So, given a, b ∈ D(x_i) and x_j = Pa(x_i):

CP-nets: and-composition
(figure: and-composition example over the values x, y, z of a variable with parents a, b, c; the two component orders are y > x > z and x > z > y)

CP-nets: or-composition
Given two sets of countermeasures C = {c1, ..., ck} and C' = {c'1, ..., c'k'} covering the attacks u1, ..., uk, the or-composition conditional preference table (D(x), ≻^{u1 ∨ ... ∨ uk}) is defined as follows:

CP-nets: or-composition
(figure: or-composition example with the sets of attacks a, {a,b}, {a,b,c}, {a,c}, {b,c} over the values x, y, z)

Orange book
A system can be used to simultaneously store: unclassified information (U), secret information (S), top-secret information (T). The information may flow from U to T.
(figure: the levels C, S, T)

Red book: level of assurance
Considering the type of information stored in a system, we have different levels of assurance.

Quantitative level of assurance
We want to define a quantitative level of assurance as a function f(data; device; environment).

Quantitative level of assurance
Cost of compromise:
The costs associated with a system depend on the type of attack and on the type of countermeasure: Cost(attack; countermeasures).
The asset value, AV[info], is the value of the information stored in a system.

Quantitative level of assurance
The asset value, AV[info], is the value of the information stored in a system. Given an information flow a < b, the cost of a flow (C_f) is:
NOTICE: the cost of a flow can be reduced by considering the percentage of risk mitigated by a countermeasure.

Quantitative level of assurance
The level of assurance: given a defence tree, the level of assurance of a system depends on:
  the asset's value, AV[info];
  the damage produced by an attack (flow);
  the type of countermeasure, Cost(attack, countermeasures).

Cascade?
If two systems A and B each have an economically acceptable security level, what happens if I connect them to each other? Can the new system created in this way still be considered secure?

Comparison
Given a system configuration A, how can I say that a new configuration B is not economically less advantageous than the previous one?

Analysis
When I build the tree and try to group the countermeasures, I have to be careful not to create conflicts!!