How to Generate Security Cameras: Towards Defence Generation for Socio-Technical Systems
Recently, security researchers have started to look into automated generation of attack trees from socio-technical system models. The obvious next step in this trend of automated risk analysis is automating the selection of security controls to treat the detected threats. However, the existing socio-technical models are too abstract to represent all security controls recommended by practitioners and standards. In this paper we propose an attack-defence model, consisting of a set of attack-defence bundles, to be generated and maintained with the socio-technical model. The attack-defence bundles can be used to synthesise attack-defence trees directly from the model to offer basic attack-defence analysis, but they can also be used to select and maintain the security controls that cannot be handled by the model itself.
💡 Research Summary
The paper addresses a gap in current automated risk analysis for socio‑technical systems: while prior work has focused on automatically generating attack trees or graphs from system models, the subsequent step of automatically selecting and integrating security controls (defences) has been largely ignored. The authors argue that existing socio‑technical models, such as the TREsPASS graph‑based model, are too abstract to capture the full spectrum of security controls recommended by practitioners and standards. To bridge this gap, they propose an attack‑defence (AD) model that operates in parallel with the socio‑technical model. The core of the proposal is the notion of attack‑defence bundles (AD‑bundles), which are compact, asset‑centric structures that encapsulate both the possible attacks on a given asset and the corresponding defensive mechanisms derived from the model’s access‑control policies.
The paper first reviews the role of models throughout the security lifecycle—from requirements elicitation to compliance auditing—and highlights the need for automated transformation of models into security artefacts. It then contrasts socio‑technical models with attack‑defence models, emphasizing that the former typically capture only a subset of defensive mechanisms (mainly access‑control policies) while the latter must represent a richer defence landscape. The authors formulate two key requirements for the AD model: (1) any defence already represented in the socio‑technical model must be explicitly reflected in the AD model, preserving a faithful view of the system’s security state; and (2) the AD model must be updatable with additional controls while maintaining traceability back to concrete model objects, ensuring consistency across both representations.
The technical contribution begins with a concise formalisation of the TREsPASS model. Nodes are partitioned into physical locations (N_i), actors (N_a), and objects (N_o). Directed edges E capture various relationships: location‑to‑location adjacency, actor placement, object placement, object‑carried‑by‑actor, and object‑contained‑in‑object. Access‑control policies are defined as tuples (Cred, atLocation, EM), where Cred is a set of required credentials, atLocation denotes the point from which access is attempted, and EM identifies the enforcement mechanism (e.g., a lock, a guard, or a software component).
Building on this foundation, the authors describe how to generate AD‑bundles for each asset n. Attack nodes are typed as:
- access_n (gain access to n),
- access_from_n,l (gain access to n from a specific location l),
- break_n (disable the enforcement mechanism at n),
- attack_pol_p (overcome a specific policy configuration p), and
- sat_pol_p (satisfy a policy by collecting required credentials).
Corresponding defence nodes are typed as EM_n,l, representing the enforcement mechanism that protects n at location l. By combining these nodes with logical AND/OR operators, a self‑contained bundle is produced that captures both the attacker’s possible strategies (satisfying versus circumventing policies) and the defender’s existing controls. Because bundles are asset‑centric and attacker‑agnostic, they can be composed to form full‑scale attack‑defence trees for the entire system.
The paper demonstrates the approach with a simplified TREsPASS model that includes only reachability information. It walks through a scenario where a sensitive document is stored in a locked cabinet. The generated AD‑bundle reveals two attack strategies: (1) obtain the key (sat_pol) and open the lock, or (2) socially engineer the manager who already has access (attack_pol). The analysis shows how the bundle can be used to compute quantitative metrics such as attack cost or probability, and to identify missing defences—e.g., if no lock exists, the tool would recommend introducing one.
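The bundle generation outlined above and the locked-cabinet scenario, as an added example that is not the paper's or the TREsPASS project's code: a toy Python model using the paper's (Cred, atLocation, EM) policy tuple, an `ad_bundle` generator that emits the attack node types listed above with the matching EM_n,l defence, and a cheapest-attack metric over constructed costs. The `Policy` class, `cheapest` helper, node-name spellings and all cost values are assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    cred: frozenset      # credentials required to pass the policy (Cred)
    at_location: str     # location the access is attempted from (atLocation)
    em: str              # enforcement mechanism that checks the policy (EM)

def ad_bundle(asset, policies):
    """Asset-centric bundle: attack tree as nested ('OR'|'AND', [...]) tuples,
    the EM_n,l defence per policy, and any defence the model is missing.
    Per policy, access_from_n,l = satisfy it (AND over the credentials) OR
    overcome it (attack_pol) OR disable its enforcement mechanism (break_n)."""
    strategies, defences = [], []
    for p in policies:
        sat = ("AND", [f"sat_pol_{c}" for c in sorted(p.cred)])
        strategies.append(("OR", [sat, f"attack_pol_{p.em}", f"break_{asset}"]))
        defences.append(f"EM_{asset},{p.at_location}")
    return {"attack": ("OR", strategies) if strategies else f"access_{asset}",
            "defences": defences,
            # no policy at all: the bundle recommends introducing a mechanism
            "missing": [] if policies else [f"EM_{asset}"]}

def cheapest(tree, cost):
    """(cost, leaves) of the cheapest attack: AND sums its children, OR takes
    the minimum. A leaf with no cost entry is treated as infeasible (inf)."""
    if isinstance(tree, str):
        return cost.get(tree, float("inf")), [tree]
    op, kids = tree
    paths = [cheapest(k, cost) for k in kids]
    if op == "AND":
        return sum(c for c, _ in paths), [leaf for _, ls in paths for leaf in ls]
    return min(paths, key=lambda x: x[0])

# Constructed scenario: the document sits in a cabinet in the office; the lock
# requires a key, which the manager holds. Costs are made-up units.
CABINET_POLICIES = [Policy(frozenset({"key"}), "office", "lock")]
COST = {"sat_pol_key": 30,       # obtain the key and open the lock
        "attack_pol_lock": 20,   # manager opens it after social engineering
        "break_cabinet": 50}     # disable the enforcement mechanism itself

def demo():
    """Bundle for the cabinet plus the cheapest strategy the bundle exposes."""
    bundle = ad_bundle("cabinet", CABINET_POLICIES)
    cost, path = cheapest(bundle["attack"], COST)
    return bundle, cost, path

if __name__ == "__main__":
    print(demo())
    print(ad_bundle("printout", []))   # unguarded asset: missing EM reported
```

With these costs the cheapest strategy is the attack_pol branch, which tells the analyst the lock's policy configuration, not the lock itself, is the weak point.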
Limitations are acknowledged. The current socio‑technical model only captures access‑control policies, so many real‑world controls (CCTV, intrusion detection, security training) are absent. Incorporating such controls requires a knowledge base of expert‑encoded circumvention techniques, which the authors suggest could be represented hierarchically as in prior work. Moreover, maintaining synchronization between the socio‑technical model and the AD model in dynamic environments remains an open challenge.
Future work outlined includes: (a) extending the AD model to encompass a broader taxonomy of controls, (b) building a structured repository of policy‑circumvention knowledge to enrich bundle generation, and (c) developing automated pipelines that keep the socio‑technical model and AD bundles consistent as the system evolves.
In conclusion, the paper presents a novel methodology for automatically extracting defence information from socio‑technical models, structuring it into attack‑defence bundles, and using these bundles to synthesize comprehensive attack‑defence trees. This approach moves automated risk analysis beyond mere attack enumeration toward a more balanced, defence‑aware perspective, offering a practical pathway for integrating security controls into model‑driven security engineering processes.