SMART: security model adversarial risk-based tool for systems security design evaluation

As development and deployment of secure systems continue to grow at scale, there is an equal need to evaluate these systems for vulnerabilities and other problems. However, the process of evaluating these designs is complicated and mainly proprietary to the group performing the evaluation. Generally, one follows the generic risk equation of probability and impact. In addition, one should examine the costs related to the adversary and the defender of a system. Without accounting for all of these different aspects, one cannot expect to properly assess the security of a system model or design. This work presents a security model adversarial risk-based tool (SMART) for systems security design evaluation. Our tool reads in a systems security model an attack graph and collects the necessary information for the purpose of determining the best solution based on a calculated security risk represented as a monetary amount. The advantage of the tool is the level of automation provided in the evaluation of security attack trees while providing meaningful metrics that are effortless to compare and contrast.