A review of attack graph and attack tree visual syntax in cyber security

Computer Science Review - Volume 35 - Page 100219 - 2020
Harjinder Singh Lallie¹, Kurt Debattista², Jay Bal²
¹ Cyber Security Centre, WMG, University of Warwick, Coventry, UK
² WMG, University of Warwick, Coventry, UK

Sci., 4347, 235, 10.1007/11962977_19 Buldas, 2012, Upper bounds for adversaries utility in attack trees, 98 Gadyatskaya, 2016, Attack trees for practical security assessment: ranking of attack scenarios with adtool 2.0, 159 Helmer, 2002, A software fault tree approach to requirements analysis of an intrusion detection system, Requir. Eng., 7, 207, 10.1007/s007660200016 Hong, 2013, Performance analysis of scalable attack representation models, 330 Jhawar, 2015, Attack trees with sequential conjunction, 339 Karppinen, 2007 Kordy, 2010, Attack–defense trees and two-player binary zero-sum extensive form games are equivalent, 245 Mishra, 2012, Multi tree view of complex attack–stuxnet, 171 Morakis, 2003, Measuring vulnerabilities and their exploitation cycle, Inf. Secur. Tech. Rep., 8, 45, 10.1016/S1363-4127(03)00006-2 Niitsoo, 2010, Optimal adversary behavior for the serial model of financial attack trees., 354 Pardue, 2010, Towards internet voting security: a threat tree for risk assessment, 1 G.-Y. Park, C.K. Lee, J.G. Choi, D.H. Kim, Y.J. Lee, K.-C. Kwon, Cyber security analysis by attack trees for a reactor protection system, in: Proceedings of the Korean Nuclear Society (KNS) Fall Meeting, 2008. Peine, 2008, Security goal indicator trees: a model of software features that supports efficient security inspection, 9 Pieters, 2015, Calculating adversarial risk from attack trees: control strength and probabilistic attackers, 201 Pinchinat, 2014, Towards synthesis of attack trees for supporting computer-aided risk analysis, 363 Ray, 2005, Using attack trees to identify malicious attacks from authorized insiders, 231 Reddy, 2008, Towards privacy taxonomy-based attack tree analysis for the protection of consumer information privacy, 56 Ten, 2007, Vulnerability assessment of cybersecurity for scada systems using attack trees, 1 M. Tentilucci, N. Roberts, S. Kandari, D. Johnson, D. Bogaard, B. Stackpole, G. 
Markowsky, Crowdsourcing computer security attack trees, in: 10th Annual Symposium on Information Assurance, ASIA’15, 2015, p. 19. Fall, 2014, Towards a vulnerability tree security evaluation of openstack’s logical architecture, 127 Franke, 2008 IEC, Code for designation of colours. Cervesato, 2007, One picture is worth a dozen connectives: a fault-tree representation of npatrl security requirements, IEEE Trans. Dependable Secure Comput., 4, 216, 10.1109/TDSC.2007.70206 Marback, 2009, Security test generation using threat trees, 62 Fung, 2005, Survivability analysis of distributed systems using attack tree methodology, 583 Saini, 2008, Threat modeling using attack trees, J. Comput. Sci. Coll., 23, 124 Vidalis, 2003 Ongsakorn, 2010, Cyber threat trees for large system threat cataloging and analysis, 610 Wang, 2007, Toward measuring network security using attack graphs, 49 Wang, 2008 Keramati, 2012, An attack graph based metric for security evaluation of computer networks, 1094 Nichols, 2017, Introducing priority into hybrid attack graphs, 12 Williams, 2008, An interactive attack graph cascade and reachability display, 221 Zhang, 2017, Power system reliability assessment incorporating cyber attacks against wind farm energy management systems, IEEE Trans. Smart Grid, 8, 2343, 10.1109/TSG.2016.2523515 Zhang, 2017, A protocol vulnerability analysis method based on logical attack graph, 309 Wynekoop, 1997, Studying system development methodologies: an examination of research methods, Inf. Syst. J., 7, 47, 10.1046/j.1365-2575.1997.00004.x D.L. Moody, The method evaluation model: a theoretical model for validating information systems design methods, in: Proceedings of the 2013 European Conference on Information Systems, ECIS2013, 2003, p. 79.