Article code: 457072
Journal code: 695883
Publication year: 2014
English article: 17 pages, PDF
Full-text version: Free download
English title of the ISI article
Unifying traditional risk assessment approaches with attack trees
Persian translation of the title
Unifying risk assessment approaches with attack trees
Keywords
Security, risk assessment, risk management, cognitive scalability, attack trees, model-driven engineering
Related topics
Engineering and Basic Sciences > Computer Engineering > Computer Networks and Communications
English abstract

As software-intensive systems become more and more complex, so does the assessment of the risks that these systems may have on people's businesses, privacy, livelihoods, and very lives. For very large long-lived industrial programmes, such as the Galileo programme of the European Space Agency (ESA), or the French Pentagon programme for the Ministry of Defence, traditional risk management approaches are now reaching their limit. This is true for tooling, but even more so for humans. This paper proposes novel techniques to deal with cognitive scalability issues in risk assessment studies, amongst which graphical extensions to traditional risk management approaches, such as chain diagrams, and the seamless integration of attack trees. Feedback and results were collected from security experts and other stakeholders, in a large industrial context (namely, the Galileo risk assessment programme) and through dedicated research and development demonstrations. The feedback and results show effective improvements with respect to standard practices, even though fine tuning is still needed to reach an adequate and financially acceptable equilibrium between: (i) dealing with a large number of small independent problems; and (ii) maintaining an overall understanding of the system’s risks and risks treatment.

Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Information Security and Applications - Volume 19, Issue 3, July 2014, Pages 165–181