Attack Trees part two #RiskMethodology

News and information from the Advent IM team.

Del Brazil re-visits the Attack Tree methodology

The author has recently published an article about the use of Attack Trees for undertaking Information Risk Assessments. This follow-up article is designed to provoke discussion on the current changes to risk management methodologies. Attack Trees have been highlighted as one of the potential candidates for replacing the HMG IS1 toolkit. Widely regarded as a cumbersome method, the IS1 toolkit generated a substantial amount of documentation, which would often be shelved and remain unreviewed.

Schneier (1999) wrote, “Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes.”

Despite engaging with numerous organisations regarding the potential use of the Attack Tree methodology, in the author’s experience it has not yet been fully embraced. Organisations continue to use their own internal risk management methodology, or they use the tried and tested IS1 & 2 toolkit. Although no longer supported, the latter is still widely used. That is not to say that organisations haven’t considered the Attack Tree methodology. However, in the current economic climate and with recruitment restrictions, the additional cost of staff training is a burden.

Attack Trees do provide a different view of the potential threats and risks posed to an organisation. The question more often heard is ‘How complicated is it, and what’s the difference?’ As with all new methodologies, once you have grasped the basics the more in-depth workings soon become clear. However, it’s stepping into the unknown that alarms some organisations. Given the choice, the majority of organisations will vote for the tried and tested methodology. With the economy supposedly on its knees, who has the time, money and desire to take on a new challenge?

‘What’s the difference?’ I hear you shout, ‘if the end result is the same?’

Well, in the author’s opinion, the use of Attack Trees gives the Risk Management team far greater visibility of how and where a risk manifests itself. This aids the decision-making process, taking the onus away from the Risk Assessor having to explain how and where they assessed the risk. Attack Trees are also great for identifying a risk and treating it at a specific point on a branch. Because every attack path through that point is cut by the same control, this has the advantage of potentially treating multiple risks concurrently, as there may be other smaller branches further down the tree beneath the treated node.
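To make the two points above concrete (Schneier’s description of the goal as the root with the ways of achieving it beneath, and the idea of treating a risk at one point on a branch so that every sub-branch under it is cut), here is a small worked example added by the editor. It is not code from the article or from Advent IM. The tree, the node names and the attacker-cost figures are constructed purely for illustration; the combine rule (OR nodes take the cheapest child, AND nodes sum their children) is the usual one for attack trees.

```python
"""Minimal attack-tree model: root goal, OR/AND nodes, costed leaves.

Added, illustrative example. The tree contents and cost figures below are
constructed for the demonstration and are not from the article.
"""
import itertools
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "OR"        # "OR", "AND" or "LEAF"
    cost: int = 0           # attacker cost for LEAF nodes (illustrative units)
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False # True once a control has been applied at this node


def build_tree() -> Node:
    """Constructed sample tree: root goal at the top, attack steps as leaves."""
    return Node("Read customer database", "OR", children=[
        Node("Steal DB credentials", "OR", children=[
            Node("Phish DBA", "LEAF", cost=20),
            Node("Recover creds from backup", "AND", children=[
                Node("Obtain backup tape", "LEAF", cost=40),
                Node("Crack backup encryption", "LEAF", cost=200),
            ]),
        ]),
        Node("Exploit app server", "AND", children=[
            Node("Find SQLi in web app", "LEAF", cost=60),
            Node("Bypass WAF", "LEAF", cost=30),
        ]),
    ])


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cheapest way to satisfy this node: (total cost, ordered leaf steps).

    A mitigated node contributes INF, so no path through it is viable.
    """
    if node.mitigated:
        return INF, []
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])      # attacker picks one child
    if node.kind == "AND":
        total = sum(r[0] for r in results)           # attacker needs every child
        steps = [s for r in results for s in r[1]]
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def attack_paths(node: Node) -> List[List[str]]:
    """Every complete attack path (set of leaf steps) that satisfies this node."""
    if node.mitigated:
        return []
    if node.kind == "LEAF":
        return [[node.name]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.kind == "OR":
        return [p for paths in child_paths for p in paths]
    # AND: one path per child, in every combination
    return [sum(combo, []) for combo in itertools.product(*child_paths)]


def find(node: Node, name: str) -> Optional[Node]:
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def mitigate(root: Node, name: str) -> Node:
    """Record a control applied at one node; every sub-branch below it is cut."""
    node = find(root, name)
    if node is None:
        raise KeyError(name)
    node.mitigated = True
    return node


if __name__ == "__main__":
    tree = build_tree()
    print("before:", cheapest(tree), len(attack_paths(tree)), "paths")
    mitigate(tree, "Steal DB credentials")   # e.g. MFA plus credential hygiene
    print("after: ", cheapest(tree), len(attack_paths(tree)), "paths")
```

Before any treatment the tree has three complete attack paths and the cheapest is the single phishing step. Applying one control at the “Steal DB credentials” node removes both the phishing path and the backup-recovery path beneath it, leaving only the application-server branch, which is exactly the “treat once, cut several sub-branches” effect described above.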

It’s understandable why organisations haven’t adopted, or even dipped their toe into, the Attack Tree world. Even so, when the methodology is correctly presented and supported, organisations have the ability to streamline their risk management process, enabling them to identify risks sooner rather than later.

Are Attack Trees the Risk Assessment methodology of the future? Only organisations can be the judge of that, unless the National Cyber Security Centre (NCSC), of which CESG now forms a part, mandates that HMG organisations follow a specific risk management methodology; that might then influence the private sector. It is the author’s opinion that this is unlikely to happen, since every risk management methodology has the same objectives and results. It’s how they get to the end result that differs. Some methods are simple and straightforward, such as the 5 x 5 likelihood and impact matrix; some are more in-depth, such as Attack Trees or the HMG IS1 toolkit.

The bottom line is this. If organisations are carrying out scalable and repeatable risk assessments in plain English, with each risk captured on a risk register and marked as Treated, Tolerated, Terminated or Transferred, it doesn’t really matter which methodology is followed.