Haruspex—Simulation-driven Risk Analysis for Complex Systems

Fabrizio Baiardi is a professor in the Department of Computer Science at the University of Pisa, Italy.

Claudio Telmon, CISA, CISSP, is a freelance consultant in ICT security and risk management. He also cooperates with the University of Pisa’s Department of Computer Science on the same topics. He is a member of the ISACA Milan Chapter.

Daniele Sgandurra, Ph.D., is a postdoctorate researcher at the Institute of Informatics and Telematics, National Research Council (CNR), Pisa, Italy.
Haruspex[1] is a risk evaluation methodology defined and implemented by the research group on risk management in the Department of Computer Science at the University of Pisa, Italy. It may be adopted in various risk assessment and management frameworks to evaluate the probability that an intelligent threat agent could successfully implement a multistep attack. The framework should be paired with others to discover these threats, the vulnerabilities they can exploit and the assets to be protected.
The Problem

A well-known problem with risk evaluation in IT security is that the estimation of the probabilistic component of risk is currently very difficult and highly subjective.[2]
When dealing with IT security risk, intelligent threats (or intelligent threat agents) trying to violate the security policies of an organization are usually considered. Each agent has some goals to achieve (e.g., some system components to control) and aims to minimize the effort needed to achieve these goals. The risk posed by each threat agent is a monotone, increasing function of both the impact of his/her attacks and the probability that these attacks are successfully implemented. In other words, in general one can assume that the risk posed by a threat increases with the impact of an attack implemented by the threat and/or with the probability that the threat can successfully implement the attack. The Haruspex methodology is not focused on a detailed definition of risk; instead, it is a methodological framework with supporting tools intended to evaluate the probability that an intelligent threat can select and implement an attack against a system that results in an impact, e.g., a loss, for the owner of the system. Haruspex computes this probability as a function of elementary factors that can be more easily evaluated in an assessment. The analyst can use the probability returned by Haruspex to compute the resulting risk, according to the adopted definition of risk, and to evaluate and select effective and cost-effective countermeasures to reduce this risk.
Haruspex Methodology

Haruspex deals with the aforementioned problem by applying a divide-and-conquer approach that decomposes the probability of interest into its components and deals with each of them separately. While this decomposition simplifies the evaluation of the factors that influence the success probability of attacks, it introduces a problem: how to define and implement the