How to Generate Security Cameras: Towards Defence Generation for Socio-Technical Systems
This work addresses the need for automated risk analysis in security for practitioners, though it appears incremental as it builds on prior automated attack tree generation.
The paper tackles the problem of automating security control selection for socio-technical systems by proposing an attack-defence model that generates attack-defence bundles, enabling synthesis of attack-defence trees and maintenance of security controls not handled by existing models.
Recently, security researchers have started to look into the automated generation of attack trees from socio-technical system models. The obvious next step in this trend of automated risk analysis is automating the selection of security controls to treat the detected threats. However, the existing socio-technical models are too abstract to represent all security controls recommended by practitioners and standards. In this paper, we propose an attack-defence model, consisting of a set of attack-defence bundles, to be generated and maintained with the socio-technical model. The attack-defence bundles can be used to synthesise attack-defence trees directly from the model to offer basic attack-defence analysis, but they can also be used to select and maintain the security controls that cannot be handled by the model itself.