Abstract

Information technology (IT) security risk analysis helps organizations identify their vulnerable systems or internal controls before they are exploited. Some researchers propose expert systems (ES) as the solution for risk analysis automation, since risk analysis by human experts is expensive and time-consuming. By design, an ES needs a knowledge base, which must be up to date and of high quality. Manual creation of such knowledge bases is also expensive and cannot ensure stable information renewal. These facts make automation of the knowledge base creation process very important. This paper proposes a novel method of converting attack trees to a format usable by expert systems, so that existing attack tree repositories can be used to facilitate information and IT security risk analysis. The method translates attack trees into the Java Expert System Shell (JESS) format by applying, in sequence, ATTop, a software bridging tool that enables automated analysis of attack trees using a model-driven engineering approach and translates attack trees into the eXtensible Markup Language (XML) format, and the newly developed ATES (attack trees to expert system) program, which converts that XML into a JESS-compatible format. A detailed description of the method, samples of attack tree conversion, and the results of conversion experiments on a significant number of attack trees are presented and discussed. The results demonstrate the method's high reliability rate and the viability of attack trees as a source for the knowledge bases of expert systems used in the IT security risk analysis process.

Highlights

  • It is well known that Information technology (IT) security risk assessment is a vital and sometimes regulatorily mandated process which helps in identifying risks; prioritizing protective measures; and protecting customers, businesses, and private information

  • Once the universal metamodel for attack trees (UATS) file is returned from ATTop, the ATES program is ready to accept the file for translation

  • The vast amounts of data about possible attacks against information systems collected in the form of attack trees can be seen as prospective sources of data for the automatic creation of knowledge bases for expert systems, dedicated for IT security risk analysis, thereby minimizing the knowledge base creation process’s expenses and ensuring process reliability


Summary

Introduction

It is well known that IT security risk assessment is a vital and sometimes regulatorily mandated process which helps in identifying risks; prioritizing protective measures; and protecting customers, businesses, and private information. Expert systems play a crucial role in taking the knowledge from a security expert, expressed as rules, and allowing it to be shared effortlessly. Many authors [1,2,3] emphasize that expert systems are adequate for automating risk assessments, thereby minimizing the need for a company to have a security expert. This is of great importance for small and medium-sized enterprises that lack human and financial resources.
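The abstract describes turning an XML attack tree into JESS rules; the following added example (not the ATES program or the paper's code) shows the core mapping such a conversion has to make, where an AND gate becomes one rule requiring every child and an OR gate becomes one rule per child. The XML layout, the `achieved` fact name and the rule names are assumptions made for this example, not the UATS schema or ATES output.

```python
import xml.etree.ElementTree as ET

# Constructed sample attack tree. This layout is made up for the example;
# it is NOT the UATS schema that ATTop produces.
SAMPLE_XML = """
<attacktree>
  <node id="steal_data" gate="OR">
    <child ref="phish_admin"/>
    <child ref="exploit_server"/>
  </node>
  <node id="exploit_server" gate="AND">
    <child ref="find_vuln"/>
    <child ref="bypass_waf"/>
  </node>
  <node id="phish_admin"/>
  <node id="find_vuln"/>
  <node id="bypass_waf"/>
</attacktree>
"""

def tree_to_rules(xml_text):
    """Return (rules, leaves): JESS-style defrule strings and leaf node ids."""
    rules, leaves, seen, refs = [], [], set(), set()
    for node in ET.fromstring(xml_text.strip()).findall("node"):
        nid = node.get("id")
        if nid in seen:
            raise ValueError(f"duplicate node id: {nid}")
        seen.add(nid)
        kids = [c.get("ref") for c in node.findall("child")]
        refs.update(kids)
        gate = (node.get("gate") or "").upper()
        if not kids:
            leaves.append(nid)  # leaf step: asserted as a fact during analysis
        elif gate == "AND":
            # AND gate: a single rule that fires only when every child is achieved
            cond = " ".join(f"(achieved {k})" for k in kids)
            rules.append(f"(defrule {nid} {cond} => (assert (achieved {nid})))")
        elif gate == "OR":
            # OR gate: one rule per child, any of which achieves the parent
            for k in kids:
                rules.append(f"(defrule {nid}-via-{k} (achieved {k}) => (assert (achieved {nid})))")
        else:
            raise ValueError(f"node {nid}: unsupported gate {gate!r}")
    if refs - seen:  # a child pointing at an undefined node would never fire
        raise ValueError(f"undefined child references: {sorted(refs - seen)}")
    return rules, leaves

if __name__ == "__main__":
    for rule in tree_to_rules(SAMPLE_XML)[0]:
        print(rule)
```

Rejecting unknown gates and dangling child references at conversion time matters for a knowledge base: a rule that silently never fires hides an attack path from the risk analysis.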
