Security Congress Abstract
Most security choices made by security professionals are based on experience and intuition. This approach does not always yield the best selection of controls and can make it difficult to gain management's support. Attack tree analysis is a more objective, risk-based method for identifying the areas of greatest risk and providing persuasive evidence that proposed controls will be effective at reducing that risk to an acceptable level. Attendees will be shown the steps for creating and analyzing an attack tree. An example will be provided from an actual assessment of a critical infrastructure industrial control system. Attack tree analysis has long been used in aerospace and defense for the protection of critical aviation control systems. It is now being adopted by IT and OT operators.