A Tool-Based Security Analysis – Part 2: Damage Classes And Potentials

In Part 1 of this blog series, we have seen how the attack potential of an attacking agent can be modeled. For our system, we also want to model the parts and aspects that we want to protect and the damage that can be done by an attacker.  So as a next step, we will model damage classes and damage potential.

Damage Potential

Damage potential is a categorization of the damage that could be done to the system. It maps damage potential values to numerical values. These values are then later used in calculations of combined and derived damage potentials. The list of damage potentials and their values can be defined freely according to the security analysis method that is being used.

2018-02-13_15h22_142018-02-13_15h22_14

Damage Classes

The kind of damage that can be done do the system can be categorized into classes and then further refined. In our example we have the following coarse classes:

2018-02-13_15h25_10-1


2018-02-13_15h22_14In a further step, these classes are refined into subclasses and assigned damage potential values (example given for the Safety class):

2018-02-13_15h27_05
Note that the first column of the table contains the damage potential that is assigned to each subclass.

Combining damage classes

In some calculations, we might encounter a combination of damage classes and we want to be able to prioritize damage classes over each other. So we can freely define formulas that are to be used in the system to calculate combinations. In this case, we consider safety and financial damage to be 10 times more important than other damage:

2018-02-13_15h34_28

Preview: Security Goals

We now have almost all building blocks to describe security goals, which will be the content of the next part of this series. Note the following example:

2018-02-13_15h38_54


The damage assigned to this criteria is Safety, whith a subclass that has a "high" damage potential. But the overall damage potential of the security goal is calculated by applying the formula, i.e. multiplying the safety value by 10, resulting in a critical damage potential. 

About Andreas Graf

I am working at itemis as a project manager and business development manager (automotive) supporting and promoting the use of Eclipse and Open Source tooling for the implementation of integrated tool chains and the support of model driven (software) engineering.