Date of Award

Spring 3-1-2009

Document Type


Degree Name

Doctor of Science in Information Systems


Business and Information Systems

First Advisor

Josh Pauli

Second Advisor

Kevin Streff

Third Advisor

Tom Halverson

Fourth Advisor

Rich Avery

Fifth Advisor

Surendra Sarmikr


The inability to gather, analyze and share various aspects of an attack has made it difficult to effectively counter real-world information system attacks. The lack of a formally defined vocabulary which can express an “attacker‟s-perspective” makes collaboration of academic research difficult. These problems lead to significant confusion by security managers and decision makers who are constantly bombarded by the media and security vendors attempting to describe or prevent the latest attack (Hoglund & McGraw, 2004). The Common Attack Pattern Enumeration Classification (CAPEC) Release 1 Dictionary defines attack patterns as a formalized representation of a computer attacker‟s tools, methodologies, and perspective (, 2007). CAPEC provides a formal definition of each attack by providing descriptive textual fields. These fields, defined as elements, provide explicit details for each identified attack pattern. The current CAPEC release includes a list of 101 specific information system attacks. Each attack pattern may include up to 30 elements to describe attack details. While CAPEC has addressed the need to create a standard for representing and defining attacks from an attacker‟s perspective, issues pertaining to usability and consistency exist. The goal of this research is to further refine and extend the CAPEC framework in order to provide usability and consistency. Issues of usability arise when CAPEC adopters attempt to leverage the Release 1 dictionary because of the sheer amount of information presented (Engebretson, Pauli, & Streff, 2008). Furthermore, while the details of each attack pattern are extremely valuable, CAPEC does not provide a consistent level of documentation for each element among the 101 attack patterns. Our approach includes three distinct processes to take the vast repository of CAPEC information and create a usable and consistent model for leveraging attack pattern details in system security configurations. Process one creates a framework for general parent mitigations for each attack pattern. Parent mitigations are abstracted directly from the “solutions and mitigation” element in CAPEC and adds the appropriate National Institute of Standards and Technology (NIST) based Parent Mitigation element (Engebretson et al., 2008). These solutions and mitigations improve the resistance of the target software and reduce the likelihood of the attack‟s success. They also improve the resilience of the target software and reduce the impact of the attack if it is successful. Process two re-includes a Parent level Threat as an attack pattern element. The Parent Threat element places all 101 of the attack patterns into context without having to manually interact with both the full Release 1 dictionary and the CAPEC Classification Tree, thus ridding our approach of this manual research. We also use the Parent Threat element to provide structure in our hierarchy-based graphical models. Textual attack descriptions for viewing attack patterns are created to provide additional details about each attack pattern in a consistent manner. Process three creates two security metrics, Knock-Out Effect (KOE) and Parent Mitigation Power (PMP), to provide usability to CAPEC. The addition of security metrics to our approach allows adopters to quickly and accurately leverage the vast amount of information provided by the CAPEC standard from both the individual attack pattern and parent mitigation perspectives. The result of this dissertation is an approach for increasing the usability and consistency of the CAPEC standard. The use of a taxonomy for cataloging and organizing attacks can increase awareness and communication about attacks as well as provide a framework for collecting consistent data about each attack (Hansman & Hunt, 2005). Process one abstracts nearly 400 unique mitigation strategies into one of 17 commonly accepted, Parent Mitigations. Process two re-includes the “Parent Threat” element into the dictionary to provide consistency and context to each attack pattern. The creation of graphical hierarchies and textual attack descriptions are used to provide CAPEC with visual and textual representations for each attack without becoming overwhelming to the user. The introduction of a defined hierarchy between descriptive elements assists with learning and processing attack patterns. The significance of this process is a much clearer and less convoluted picture of the attack, resulting in a more usable and appropriate element set. Process three creates security metrics derived from defined mitigation strategies, which creates a measurable numeric value which can allow security personnel to make more informed security decisions, play "what-if" security scenarios, and quickly analyze the cost-benefit for mitigation strategies.