Reliable and Efficient Determination of the Likelihood of Rational Attacks

We live in the world in which the society is highly dependent on advanced diverse IT infrastructures which people use for performing daily activities and improving quality of life, private sector enterprises use it to provide services and operate, while governments rely on it to provide public services and ensure the welfare of the citizens. Such big and complex infrastructures are not vulnerability-free. Increasing numbers of IT security incidents all over the world have drawn attention to risk analysis methods capable of deciding whether the considered organization or infrastructure is sufficiently protected against relevant threats. The security controls are often costly and each security investment must be reasonable and properly justified. The security professionals have to justify the need for a security investment to their management and to explain them what are the benefits and what will an organization get for the money invested into security. There are no reliable and effective methods to assess whether the considered enterprise or infrastructure is secure or not – the existing computational methods are too complex to be a realistic candidate for practical use, while some of the existing methodologies place unnatural restrictions on the adversary and thus making the analysis results unreliable as they are capable of producing false-positive results. The objectives of the research are: • to improve the existing quantitative risk analysis models • to create new computational methods which would not produce false-positive results – e.g. when the result of the computational method shows that the model is secure w.r.t. the definition of security, while in reality it is not • to create robust computational methods capable of analyzing attack scenarios of practical size in reasonable time • to create tools supporting the developed analysis methods