Automatic Generation of Security Argument Graphs
This work addresses the need for automated security assessment tools for stakeholders in safety-critical domains, but it appears incremental as it builds on existing graph-based formalisms.
The authors tackled the problem of constructing security argument graphs by proposing methods to automatically generate them using logical relationships among diverse security information, and demonstrated the approach in a prototype tool for the electric power sector.
Graph-based assessment formalisms have proven to be useful in the safety, dependability, and security communities to help stakeholders manage risk and maintain appropriate documentation throughout the system lifecycle. In this paper, we propose a set of methods to automatically construct security argument graphs, a graphical formalism that integrates various security-related information to argue about the security level of a system. Our approach is to generate the graph in a progressive manner by exploiting logical relationships among pieces of diverse input information. Using those emergent argument patterns as a starting point, we define a set of extension templates that can be applied iteratively to grow a security argument graph. Using a scenario from the electric power sector, we demonstrate the graph generation process and highlight its application for system security evaluation in our prototype software tool, CyberSAGE.