Chapter 2. Decision Trees—Making Attacker Math Work for You

Thinking through how attackers make choices during their operations is essential for informing security strategy at all stages of the software delivery life cycle. Understanding the attacker decision-making process can save you from excess engineering efforts to stop a niche threat and instead focus your efforts on plucking off the low-hanging fruit in your systems that attackers will try to compromise first.

As Phil Venables said, “Attackers have bosses and budgets too.”¹ Just like any other project, an attack campaign is expected to generate a positive return on investment (ROI). This attacker ROI is colloquially referred to as “attacker math.” Understanding the attacker math related to your individual systems and services is invaluable in helping you prioritize what security controls to implement.

In the context of SCE, attacker math additionally provides a blueprint for the type of game-day scenarios you should conduct. By thinking through the highest ROI options of an attacker, you’re discovering which actions they are most likely to take—and thus illuminating what types of failure you should inject into your systems to test their resilience.

Decision Trees for Threat Modeling

A threat model enumerates the characteristics of a system, product, or feature that could be abused by an adversary, and sets up systems for security success when implemented during the design phase. The model covers all issues relevant ...