Apply STAMP to critical infrastructure protection

Classical risk-based or game theoretic security models rely on assumptions from reliability theory and rational expectations economics that are not applicable for security risks. Additionally, these models suffer from serious deficiencies when they are applied to software-intensive, complex engineering systems. Recent work in the area of system safety engineering has led to the development of a new accident model for system safety that acknowledges the dynamic complexity of accidents. System-Theoretic Accident Models and Processes (STAMP) applies principles from control theory to enforce constraints on hazards and thereby prevent accidents. Appreciating the similarities between safety and security while still acknowledging the differences, this paper introduces the use of STAMP to security problems. In particular, it is applied to identify and mitigate the threats that could emerge in critical infrastructure systems such as the air transportation network.