Heuristics for scalable compound exposure analysis: A foundation for a comprehensive security risk assessment

Network and data protection requires continuous improvements in response to changing technologies and threats. Security risk assessments embody quantitative and qualitative processes that systematically review risks, threats, and concerns and evaluate countermeasures commensurate with risk. Information assurance hinges on an administrator's knowledge and understanding of threats posed to their network. This knowledge must account for the consequences and implications of threat and vulnerability interactions that yield compound, coordinated threats.; Attack graphs provide an automated means of realizing these compound threats. However, techniques employed to construct attack graphs are plagued with a combinatorial search space, making their generation impractical. This research presents a framework for modeling complex networks that reduces the complexity associated with attack graph construction. The framework provides a comprehensive, extensible, and scalable solution for organizing security relevant information about enterprise network capabilities and establishes a basis for improved network analysis.