Risk management is a fundamental process to ensure the reliable operation of systems, services, processes, and missions in our society. Examples range from self-driving cars, power grids, credit card payments, and military missions. Proper risk management techniques enable organizations to achieve their goals in an effective way and take effective mitigating measures.

Risk models support the risk management process in the identification, priorisation, and quantification of risks via effective preventive and corrective actions. Numerous industrial risk models exist. In this talk, I will focus on fault trees and attack trees, which are both top-down models that break high-level system risks into their causes, until the root causes are found. While fault trees focus on safety risks, i.e., unintended failures, attack trees take into account security risks, i.e., disruptions due to malicious attacks.

In this talk, I will take a graph-theoretic perspective on fault trees, attack trees, and their combination.

• First, I will present a formal semantics, which is surprisingly intricate given the fact that there are only a handful of logical gates to propagate failures and attacks.
• Next, I will propose several algorithms to analyse quantitative attack trees, based on BDDs and stochastic model checking, highlighting the role of graph transformations to make this process more efficient.
• Finally, I will present risk query logics, which allows engineers to query large attack and fault tree models.

Together these ingredients allow organisations to make better decisions on mitigating measures, making decisions more systematic, transparent and evidence-based–the increased constraints imposed by international standards, together with the ever-growing penetration of AI components in high-tech systems make rigorous and powerful risk management more important than ever.