Xinming Ou is an associate professor at the University of South Florida. He earned his Ph.D. from Princeton University in 2005. His research interests are in cyber defense technologies, cyber-physical system security, human factors in security, and mobile system security.
Analyzing risk is critical throughout the software acquisition lifecycle. System risk is assessed by conducting a penetration test, in which ethical hackers portray realistic threats on real systems by exploiting vulnerabilities. These tests are very costly, limited in duration, and do not provide stakeholders with “what-if” analyses. To alleviate these issues, system models are used in emulation, simulation, and attack graph generators to enhance test preparation, execution, and supplementary post-test analyses.
This article describes a method for developing models that can be used to analyze risk in mixed tactical and strategic networks, which are common in the military domain.