A survey of fault and attack tree modeling and analysis for cyber risk management

Cyber security is of great concern to the Department of Homeland Security (DHS) and other organizations within government, as cyberspace is the gateway to services and infrastructure, making them vulnerable to a wide range of software-based attacks that could result in physical and cyber threats and hazards. It is extremely difficult to secure these cyber-physical systems (CPS) due to the complexity of their interfaces, which often leaves them exposed to elevated levels of risk to severe disruptions, including information security violations that could threaten national and economic security. Therefore, many researchers have dedicated substantial effort to model and analyze cyber-physical systems through red teaming in order to identify various potential strategies an attacker may take to hack into the system so that they can develop effective countermeasures. Reliability and risk modeling approaches discussed in the literature include fault trees (FT), event trees (ET), binary decision diagrams (BDD), Petri nets (PN), Markov modeling (MM), and attack trees (AT) to systematically characterize the risks latent in cyber-physical systems. This paper provides a survey of the two most popular modeling approaches including fault and attack trees, discussing their benefits and potential limitations. This survey should be beneficial to security professionals who wish to apply techniques from reliability and risk modeling to ensure the cyber security of their systems as well as researchers seeking to identify new modeling opportunities.