Software Engineering Institute

Over the past five years, we at the SEI used the SERA Method to conduct multiple SoS cyber-risk analyses for DoD and federal system acquisition programs. Based on our pilot experiences, we identified the development of cyber-risk scenarios as the key to a successful assessment. At the same time, we observed that scenario development can be a time-consuming and difficult task since analysts must have sufficient knowledge, skills, and abilities to develop and evaluate cyber-risk scenarios. When analysts do not understand the ways in which software, hardware, and firm-ware can be compromised, important scenarios can be poorly constructed or even overlooked.

An overarching goal of our research is to teach others to apply the SERA Method. To facilitate the transition of the SERA Method to adopters throughout the cybersecurity community, we explored more systematic ways of developing scenarios. As a result, we chartered a research task to explore the concept of using patterns of threats, called threat archetypes, to facilitate the process of scenario development.