Risk Assessment Graphs: Utilizing Attack Graphs for Risk Assessment

Abstract: Risk assessment plays a crucial role in ensuring the security and resilience of modern computer systems. Existing methods for conducting risk assessments often suffer from tedious and time-consuming processes, making it challenging to maintain a comprehensive overview of potential security issues. In this paper, we propose a novel approach that leverages attack graphs to enhance the efficiency and effectiveness of risk assessment. Attack graphs visually represent the various attack paths that adversaries can exploit within a system, enabling a systematic exploration of potential vulnerabilities. By extending attack graphs with capabilities to include countermeasures and consequences, they can be leveraged to constitute the complete risk assessment process. Our method offers a more streamlined and comprehensive analysis of system vulnerabilities, where system changes, or environment changes can easily be adapted and the issues exposing the highest risk can easily be identified. We demonstrate the effectiveness of our approach through a case study, as well as the applicability by combining existing risk assessment standards with our method. Our work aims to bridge the gap between risk assessment practices and evolving threat landscapes, offering an improved methodology for managing and mitigating risks in modern computer systems.