Calculating Adversarial Risk from Attack Trees: Control Strength and Probabilistic Attackers

Wolter Pieters*, Mohsen Davarynejad

*Corresponding author for this work

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review



    Attack trees are a well-known formalism for quantitative analysis of cyber attacks consisting of multiple steps and alternative paths. It is possible to derive properties of the overall attacks from properties of individual steps, such as cost for the attacker and probability of success. However, in existing formalisms, such properties are considered independent. For example, investing more in an attack step would not increase the probability of success. As this seems counterintuitive, we introduce a framework for reasoning about attack trees based on the notion of control strength, annotating nodes with a function from attacker investment to probability of success. Calculation rules on such trees are defined to enable analysis of optimal attacker investment. Our second result consists of the translation of optimal attacker investment into the associated adversarial risk, yielding what we call adversarial risk trees. The third result is the introduction of probabilistic attacker strategies, based on the fitness (utility) of available scenarios. Together these contributions improve the possibilities for using attack trees in adversarial risk analysis.
    Original language: English
    Title of host publication: Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance
    Subtitle of host publication: 9th International Workshop, DPM 2014, 7th International Workshop, SETOP 2014, and 3rd International Workshop, QASA 2014, Wroclaw, Poland, September 10-11, 2014. Revised Selected Papers
    Editors: Joaquin Garcia-Alfaro, Jordi Herrera-Joancomartí, Emil Lupu, Joachim Posegga
    Place of Publication: Berlin
    Number of pages: 15
    ISBN (Electronic): 978-3-319-17016-9
    ISBN (Print): 978-3-319-17015-2
    Publication status: Published - 28 Mar 2015
    Event: 3rd International Workshop on Quantitative Aspects in Security Assurance, QASA 2014 - Wroclaw, Poland
    Duration: 10 Sept 2014 to 11 Sept 2014
    Conference number: 3

    Publication series

    Name: Lecture Notes in Computer Science
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349


    Workshop: 3rd International Workshop on Quantitative Aspects in Security Assurance, QASA 2014
    Abbreviated title: QASA


    • EC Grant Agreement nr.: FP7/318003
    • SCS-cybersecurity
    • EC Grant Agreement nr.: FP7/2007-2013
    • Control strength
    • Security metrics
    • Adversarial risk analysis
    • Attack trees
    • Attacker models
    • Fitness functions
    • Simulation

