Are Deeper Levels of Risk Analysis a Requirement for Enabling Optimal Tactical Responses in INFOSEC Alert Correlation Systems?

As network speeds and complexities increase, the development of automated systems that enact optimal tactical responses will be required. INFOSEC (information security) alert correlation systems provide a natural home for such capabilities. It can be asked whether the current generation of these systems has the technical capabilities required to enact optimal tactical responses. Specifically, is there a requirement to incorporate deeper levels of risk analysis within correlation systems? Currently, correlation systems only model attack risk via the generic attack severity metrics. Hence, these systems implicitly assume that: (a) all attacks are uniquely identifiable, or (b) the risk associated with the attacks is uniformly distributed across the set of plausible attacks. This work provides formal support for the intuitive supposition that such assumptions may not be supportable in the real-world and, hence, that integrated risk modeling is likely a necessity if optimal tactical attack response sub-systems are to be added.