The Attack Tree method allows the risk assessor to compile various reports and present them to stakeholders in a more manageable and/or graphical format. Manipulating the results/data enables stakeholders and risk assessors to test the potential effectiveness of any proposed countermeasure before outlaying any funds or resources to defeat or deter a potential attack.
One of the drawbacks to using bespoke software is that the user needs to receive a degree of training to ensure that they are able to fully utilise the software. As with all software and training requirements there is an associated cost which has to be considered by the organisation. There is also the danger that the organisation becomes reliant upon a limited number of personnel who are trained in, or familiar with, the software, so that only a select few individuals within the organisation are able to produce Attack Trees.
A major benefit of using the Attack Tree methodology is that the same risk assessment results can be presented in numerous ways to different stakeholders, easily highlighting any potential risk to the organisation. This can be from the perspective of financial loss, likelihood of attack, cost to the attacker, etc.
It is the opinion of the author that, although the Attack Tree methodology has a great deal to offer and has the potential to be more useful to organisations, the cost of the software and the time taken for individuals to be trained and become familiar with the methodology should be considered before organisations jump into the unknown.
At present there are numerous organisations who are continuing to use the HMG IS 1 & 2 methodology to carry out risk assessments. As there is no longer a mandated methodology to be followed, it is the opinion of the author that organisations should consider seeking a more manageable, repeatable, understandable and business-orientated methodology.
Currently there is no approved or recommended risk assessment methodology highlighted by CESG, the National Technical Authority for Information Assurance and the technical arm of GCHQ. There is still the potential for CESG to recommend a specific methodology, which could result in organisations having to realign themselves to that approved method after investing heavily in Attack Trees. Obviously there is also the possibility that the Attack Tree methodology is adopted by CESG and recognised as the standard against which all HMG systems are to be risk assessed. At present no decision has been made by CESG on any methodology and there are no timescales for any decision to be made.