RTCA DO-356A, page 253
© RTCA, 2018
Threat trees are generalizations of fault trees used to evaluate the potential for a particular
threat based on a system architecture and the relevant threat conditions and vulnerabilities.
Threat trees are particularly useful for modeling those threats which involve more than
a simple conjunction of threat conditions and vulnerabilities in complex systems.
It is important to note that the metrics that appear in threat trees are used only for
qualitative evaluation and do not represent probabilities. They are developed as
objectives associated with criticality levels for safety assurance, and are useful for
distinguishing relative sensitivities of portions of the threat tree – that is, a branch of a
tree with one or more orders of magnitude difference from another branch is less
sensitive from a security threat perspective.
There are four general classes of events in the Threat Tree shown in Table 6-72. Each
is also associated with a qualitative classification. The granularity of the nodes is based
on the level and stage of the assessment – during preliminary assessment, most
vulnerabilities will be inherent or potential.
TABLE 6-72: THREAT TREE EVENTS
Type of Event Factor
The event that an attacker launches an attack.
Failure of Measure The event that vulnerability
A particular operational event or error has occurred.
The event that a threat condition has occurred.
Level of Threat
The event that an attack succeeds in compromising
An attack event is the basic event that an attack is underway. Since a single attacker
can undertake multiple actions as part of a single attack sequence, the attack event is
viewed as a single cause event which will feed multiple threat conditions.
Attacker characteristics are modeled by the trust relationships of the attacker population
If another attacker characterization model is being used, an additional modeling step to
express the factors in terms of trust and exposure is necessary.
Assets are modeled in terms of their threat conditions, that is, the event that they are
compromised. If attackers vary by asset type (as when the attacker is characterized as
being motivated to attack certain desirable assets), then separate threat trees may be
created for the assets as classified by their effect on the level of threat.
Vulnerability or operational events are the conditions of the system that allow an attack
to succeed. They are commonly basic events, but there are instances where an analyst
may wish to break up a particularly complex contingent event into simpler events. So a
compound operational event can consist of multiple basic operational events, and a
compound vulnerability can consist of multiple basic vulnerabilities and operational
events. A compound vulnerability or operational event will never include an attack event
or a threat condition as an antecedent event.
A threat condition will be made up of a combination of attacks, vulnerabilities, and other
threat conditions. See Section 2.2.2.
An operational event in the Threat Tree analysis may be used to model
when a vulnerability will be exposed to attack.
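As an added illustration (not text or code from DO-356A), the following Python models the event classes and the structural rule above as a small tree evaluator. The AND/OR gate arithmetic, the sample event names and the metric values are this example's own assumptions; the arithmetic is borrowed from fault trees, of which the text says threat trees are generalizations, and the metrics remain qualitative, not probabilities.

```python
from dataclasses import dataclass, field
from math import log10

# Event classes from Table 6-72 and the text above.
ATTACK, VULN, OPER, THREAT = "attack", "vulnerability", "operational", "threat_condition"

@dataclass
class Event:
    name: str
    kind: str
    value: float = 0.0                  # qualitative metric of a basic event (not a probability)
    gate: str = "AND"                   # "AND" or "OR" for a compound event
    children: list = field(default_factory=list)

    def violations(self) -> list:
        # Rule from the text: a compound vulnerability or operational event never has an
        # attack event or a threat condition as an antecedent. Returns every breach found.
        found = []
        if self.kind in (VULN, OPER):
            found += [f"{self.name} <- {c.name}" for c in self.children if c.kind in (ATTACK, THREAT)]
        for c in self.children:
            found += c.violations()
        return found

    def evaluate(self) -> float:
        # Gate arithmetic is assumed from fault trees (this example's choice, not DO-356A):
        # AND multiplies the inputs, OR is the complement of no input occurring.
        if not self.children:
            return self.value
        acc = 1.0
        for c in self.children:
            v = c.evaluate()
            acc *= v if self.gate == "AND" else 1.0 - v
        return acc if self.gate == "AND" else 1.0 - acc

def magnitude_gap(a: Event, b: Event) -> float:
    # Orders of magnitude separating two branches; the lower-valued branch is the less sensitive one.
    return log10(b.evaluate() / a.evaluate())

def build_sample() -> tuple:
    # Constructed sample: an operational event models when the vulnerability is exposed to attack.
    flaw = Event("any data-link flaw", VULN, gate="OR", children=[
        Event("unpatched parser", VULN, 1e-3), Event("default credentials", VULN, 1e-2)])
    exposed = Event("flaw exposed", VULN, children=[flaw, Event("maintenance port open", OPER, 1e-2)])
    remote = Event("remote compromise", THREAT, children=[Event("remote attacker acts", ATTACK, 1e-1), exposed])
    physical = Event("physical compromise", THREAT, children=[
        Event("on-site attacker acts", ATTACK, 1e-2), Event("unlocked cabinet", VULN, 1e-1)])
    return remote, physical
```

With these constructed values the remote branch evaluates about two orders of magnitude below the physical one, so it is the less sensitive branch in the sense the text describes.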
The following event values are used in the threat tree analysis. The numbers represent
a qualitative metric. These numbers are not meaningful as probabilities, but are used
as a means of managing numerical values in a way that allows the use of the analytic