Review Article

Threat Analysis and Risk Assessment for Connected Vehicles: A Survey

Table 3

Model-based TARA methods.

| Category | Subcategory | Method | Brief description | Characteristics | Coanalysis |
|---|---|---|---|---|---|
| Model-based | Graph-based | STRIDE (Microsoft) | STRIDE is a threat modeling method that abstracts the component elements of the system. | It extends the original confidentiality, integrity, and availability model and is suited to identifying the relationships between threats, assets, and security attributes. | No |
| Model-based | Graph-based | PASTA [23] | PASTA aims to be a risk-centric framework that relies on an attacker-centric perspective to generate asset-centric output. | PASTA uses risk and impact analysis to address the weaknesses of the STRIDE method. | No |
| Model-based | Graph-based | LINDDUN [23] | LINDDUN stands for linkability, identifiability, nonrepudiation, detectability, disclosure of data, unawareness, and noncompliance. | It can ensure data security and privacy protection. However, as the number of threats in the system grows rapidly, the complexity of the analysis grows with it, which is not conducive to large-scale system analysis. | No |
| Model-based | Graph-based | VAST [23] | VAST stands for visual, agile, and simple threats. | It is extensible and suitable for large-system analysis. | No |
| Model-based | Graph-based | Markov chain [24, 25, 26] | A Markov chain is a stochastic process with the Markov property, studied in probability theory and mathematical statistics, defined over a discrete index set and state space. | It enables quantitative analysis of threats. The concept of time is introduced, making the threat analysis dynamic. It can model and analyze the attack process and the defense process at the same time. | No |
| Model-based | Graph-based | GTS (graph transformation system) [29] | This rule-based modeling approach captures both the structural and the behavioral aspects of a system. | Its structure is simple and its logic is clear. It is easy to understand, and structures can be split and combined quickly, facilitating cooperative development. | No |
| Model-based | Graph-based | Bayesian network [27, 28] | A Bayesian network is an extension of the Bayesian method and a probabilistic graphical model; it is one of the most effective theoretical models for representing and reasoning over uncertain knowledge. | It enables quantitative analysis of threat risk and can be combined with threat analysis methods such as EIVTA and CVSS. | No |
| Model-based | Graph-based | UML-based model [30] | This method proposes a formal framework for automatically detecting attack surfaces on systems modeled in UML. | The formal expression is clear and unambiguous. UML displays the system structure intuitively and is easy to understand, but the UML language is difficult for nonprofessional engineers. | No |
| Model-based | Graph-based | SysML-Sec [31] | SysML-Sec is a SysML-based, model-oriented approach. | It is a coanalysis method that considers safety and is capable of covering all design and development phases. | Yes |
| Model-based | Graph-based | STPA-Sec [32] | STPA-Sec is a top-down safety and security risk analysis method. | It can analyze safety and security scenarios in the concept phase. However, it does not consider the network and system architecture, and some of its key terms struggle to cover both safety and security scenarios. | Yes |
| Model-based | Graph-based | STPA-SafeSec [33] | STPA-SafeSec inherits STPA's technical achievements in system theory, attribution models, safety constraints, and hazard control activity analysis. It refines the analysis process framework for cyber-physical systems and expands the integration of physical security and information security requirements. | Security constraints are added, and an attribution mapping between the control layer and the component layer is provided. | Yes |
| Model-based | Tree-based | ATA (attack tree analysis) [34, 35] | Attack tree analysis is a formal and clear method for describing the security threats a system faces and the various attacks to which it may be subjected. | It can describe a complex attack process in the form of a tree, but it requires a detailed system design, so it is not suitable for concept-phase evaluation. In addition, for large systems, refining the attack tree may be a tedious and error-prone task. | No |
| Model-based | Tree-based | RISKEE (risk tree) [36] | RISKEE is based on attack graphs and the diamond model, combined with the FAIR method for assessing and calculating risk. | The RISKEE method can compute risk quantitatively, but it does not consider the dynamic impact of mitigation measures on the system. | Yes |
| Model-based | Tree-based | BDMP (Boolean-logic Driven Markov Processes) [5, 6] | BDMP combines fault tree and attack tree analysis and extends them with temporal connections. | It expands the ability of fault tree analysis and attack tree analysis to describe threats. Nevertheless, BDMP is inappropriate for an early development phase of threat analysis and risk assessment. | Yes |
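The tree-based rows above describe attack tree analysis in words only. The following added example (written for this survey page, not code from any of the cited papers) shows the mechanics of the method: leaf steps carry an estimated likelihood and attacker effort, and AND/OR gates propagate those estimates to the root goal. It also illustrates the point raised for RISKEE, by re-evaluating the tree after a control changes one leaf's estimates. The tree, the node names and all numeric values are constructed for illustration and are not measurements.

```python
"""Attack tree evaluation: propagate leaf estimates up through AND/OR gates.

Hypothetical example written for this page; the tree and its numbers are
constructed illustrative estimates, not data from the surveyed papers.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: Optional[str] = None           # "AND" / "OR" for internal nodes, None for a leaf
    prob: float = 0.0                    # leaf only: estimated likelihood the step succeeds
    cost: float = 0.0                    # leaf only: estimated attacker effort (arbitrary units)
    children: List["Node"] = field(default_factory=list)


def success_probability(node: Node) -> float:
    """Likelihood that the goal at `node` is reached, assuming independent leaves."""
    if not node.children:
        return node.prob
    ps = [success_probability(c) for c in node.children]
    if node.gate == "AND":                # every child step must succeed
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.gate == "OR":                 # any one child path suffices
        none_succeed = 1.0
        for p in ps:
            none_succeed *= 1.0 - p
        return 1.0 - none_succeed
    raise ValueError(f"unknown gate {node.gate!r} at {node.name}")


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Minimum attacker cost to reach `node`, and the leaf steps on that path."""
    if not node.children:
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.gate == "AND":                # costs add up along a conjunctive path
        total = sum(cost for cost, _ in results)
        return total, [leaf for _, path in results for leaf in path]
    if node.gate == "OR":                 # the attacker picks the cheapest alternative
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown gate {node.gate!r} at {node.name}")


def with_mitigation(tree: Node, leaf_name: str, prob: float, cost: float) -> Node:
    """Copy of `tree` in which one leaf's estimates reflect an applied control."""
    tree = deepcopy(tree)                 # the baseline tree is left untouched

    def visit(n: Node) -> bool:
        if not n.children and n.name == leaf_name:
            n.prob, n.cost = prob, cost
            return True
        return any(visit(c) for c in n.children)

    if not visit(tree):
        raise KeyError(f"no leaf named {leaf_name!r}")
    return tree


# Constructed tree: the goal is reachable by either of two conjunctive paths.
TREE = Node("Unauthorized command reaches a safety-critical ECU", "OR", children=[
    Node("Remote path", "AND", children=[
        Node("Reach the telematics unit from outside", prob=0.6, cost=3),
        Node("Exploit a flaw in the telematics unit", prob=0.3, cost=5),
    ]),
    Node("Physical path", "AND", children=[
        Node("Obtain physical access to the vehicle", prob=0.2, cost=2),
        Node("Defeat diagnostic-port authentication", prob=0.4, cost=4),
    ]),
])

# A control on the diagnostic port, entered as revised estimates for one leaf.
MITIGATED = with_mitigation(TREE, "Defeat diagnostic-port authentication",
                            prob=0.05, cost=10)

if __name__ == "__main__":
    for label, tree in (("baseline", TREE), ("with mitigation", MITIGATED)):
        cost, path = cheapest_attack(tree)
        print(f"{label}: P(goal)={success_probability(tree):.4f}, "
              f"cheapest path cost={cost}: {' -> '.join(path)}")
```

With the constructed values the baseline root likelihood is 1 - (1 - 0.18)(1 - 0.08) = 0.2456 and the cheapest path is the physical one (cost 6); after the control the likelihood drops to 0.1882 and the cheapest path shifts to the remote branch (cost 8), which is the kind of shift an analyst wants a TARA to surface. The AND/OR propagation assumes independent leaf events, so correlated steps should be modeled as a single leaf or handled with a Bayesian network, as the graph-based rows suggest.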