Affiliation:
1. Department of Computer Science, University of Oxford, Oxford OX1 3QD, UK
Abstract
Security threat and risk assessment of systems requires the integrated use of information from multiple knowledge bases. Such use is typically carried out ad hoc by security experts in an unstructured manner. This ad hoc use of information also often lacks foundations that allow for rigorous, disciplined application of policy enforcement and the establishment of a well-integrated body of knowledge. This hinders organisational learning as well as the maturation of the threat modelling discipline. In this article, we present a newly developed extension of a state-of-the-art modelling tool that allows users to integrate and curate security-related information from multiple knowledge bases. Specifically, we provide catalogues of threats and security controls based on information from CAPEC, ATT&CK, and NIST SP800-53. We demonstrate the ability to curate security information using the designed solution. We highlight its contribution to improving the communication of security information, including the systematic mapping between user-defined security guidance and information derived from knowledge bases. The solution is open source and relies on model-to-model transformations and extendable threat and security control catalogues. Accordingly, the solution allows prospective users to adapt the modelling environment to their needs and to keep it current with respect to evolving knowledge bases.