
Evaluating attack tree analysis using a structured query language-based simulation

Posted on: 2006-03-02
Degree: Ph.D
Type: Dissertation
University: Walden University
Candidate: Pallos, Michael S
Full Text: PDF
GTID: 1458390008462534
Subject: Computer Science
Abstract/Summary:
Attack tree analysis is a risk assessment methodology used to identify system vulnerabilities and penetration points of a system. Attack trees describe the security or vulnerability of a system based upon the goals of the attacker. This research evaluated the effectiveness of attack tree analysis incorporated into an information system computer security risk assessment methodology by evaluating the effectiveness of using attack tree analysis to assist with costing decisions, probability analysis, and the viability of using a structured query language (SQL) computer program simulation model developed as part of this research. A pre- and post-assessment instrument was developed to ascertain the effectiveness of using attack tree analysis. The data-gathering technique included a purposeful sample of 56 computer security experts and leading academic authorities of attack tree analysis. The hybrid methodology incorporated quantitative data analysis using the chi-square test of homogeneity and the test for the equality of proportions; qualitative data analysis included the use of grouping of data creating bar graphs, discussions, conclusions, and other narrative components. The quantitative research findings suggested a strong support base for attack tree analysis, ranging from 71.4% to 92.9%, whereas only 21.4% to 28.6% of participants considered implementing attack tree analysis. The qualitative data suggested the transition from theory to implementation may not be achievable. The value of attack trees as a tool to enhance security is not limited to information systems. Many facets of society that utilize complex systems, such as public policy and homeland security efforts, may benefit from this research. The findings implied that attack tree analysis may have the potential for positive social change based on a more secure global infrastructure.
Keywords/Search Tags:Attack tree analysis, Risk assessment methodology, Analysis using, Structured query, Computer, System