Fault-tree modelling of computer system security

Abstract

Quantitative assessment of the effect of security breaches on a computer system can be based on the following: specification of all foreseeable types of basic events and estimation of their probabilities of occurrence over a stated period of time; observation of the various types of security measures employed by the system; definition of the undesired top events resulting from security breaches, and estimation of the system’s vulnerability to each of these events as the cost incurred by the system if that event took place; mathematical modelling of the logical relations between the aforementioned entities. In this paper we adapt the fault-tree methodology of reliability engineering to the quantification of security exposure of computer systems. In this new context, a fault tree can be described as a logic diagram whose input represents breach events at various system levels, and whose vertices represent logic operations or gates. The root or output of the fault tree can be any of the undesired top events. We briefly survey algorithms for converting the switching (Boolean) expression of the indicator variable for the top event into a probability expression. Once the top event probability is determined, it can be multiplied by the system’s vulnerability to that event to yield a quantified value of the system’s exposure to it. We also handle the doubly stochastic problem of estimating the uncertainty in the top event probability by using an analytic exact formula relating the variance of the top event probability to the variances of the basic event probabilities. An example of a typical computer system is presented wherein numerical estimates are obtained for the top event probabilities and their variances and for the importance ranking of the various breach events.