Information and Communications Technology (ICT) infrastructure failures and cyber attacks are realities that can have catastrophic societal effects. Information Assurance (IA) can be defined as the operations undertaken to protect and defend ICT systems by ensuring their dependability and security. There is a critical need for systematic IA methods that enable ICT systems to adapt and survive any type of disruption or attack. A major hurdle in the development of IA techniques is the lack of models and metrics which enable one to determine the effectiveness of IA mechanisms. This exploratory project seeds a collaborative effort between three PIs at different institutions: Duke University, University of Missouri Kansas-City, and the University of Pittsburgh focused on the development of metrics and models that will allow one to quantitatively study the technical aspects of information assurance (IA) for the network component of the ICT infrastructure. The basis of the approach is to unify attack trees, attack graphs, privilege graphs and fault trees into a common scalable framework with a well defined set of metrics and application scenarios. Extensions of the basic model that include state information, stochastic properties and rewards via Markov chains and stochastic Petri nets, enabling a wider variety of attack and fault scenarios are being studied. The impact of the models and metrics developed is that they provide the techniques and tools necessary to determine the effectiveness of IA mechanisms and allow one to detect bottlenecks and to evaluate the tradeoffs between levels of information assurance, performance and cost.
