Existing risk analysis techniques are often hard to apply in real-world contexts without appropriate software because of their computational complexity. This leads managers and security analysts to use simplified methods to evaluate security investments. However, these methods have been shown to be inefficient in most cases. Therefore, an automated tool for risk management would be of great interest, provided that it allows reasoning about attacks and helps in making security decisions. This paper provides an algebraic specification of network security risk management activities. It constitutes a helpful means of reasoning about automating the risk assessment process without taking implementation issues into consideration.