Attack Trees Notes

Page Contents



Output of AT: list of actions that need to be done to appropriately secure the subject of the AT for the here and now. If any of the countermeasures aren't going to be implemented, the AT should reflect that (either by simply omitting the countermeasures from the attack tree, or adding a counter-countermeasure that identifies the mitigation as a roadmap item (and make sure it's in the roadmap!).

Nothing considered should be thought of as "out of scope". If it is called "out of scope" it becomes an assumption on which the security model is built, and to assume can make an ass out of u and me!

When using low (L), medium (M), hard (H), extremely hard (E), trees in the node combine in the following way. For nodes with 'AND' children, the node score is the highest of the child scores. For nodes with or 'OR' children, the node score is the lowest of the child scores.