Security Engineering (SE) Workbench



Security Analysis Tool Design

The goal of the SE-Workbench Project is to develop tools that aid in the gathering and analysis of information for Security Analysis. This page explains: the Security Analysis process, the Security Information Sources useful for various forms of security analyses, and the capabilities and underlying technologies on which the current tools are based.

Basic Security Analysis Process

The basic Security Analysis Process is shown in Table #1 below. The left side of the table illustrates the inputs and outputs of a Security Analysis, where the Security Engineer gathers information about the problem to be analysed, to include environment, business and technical parameters and variables, etc. Part of the analysis process includes processing reference information in relation to the problem at hand. The reference information is drawn from authoritative information sources.

The right side of the table lists the basic steps that the Security Engineer follows in the Security Analysis process, to include learning about the problem at hand, gathering information relevant to the system or problem being analyzed, performing the analysis or evaluation using critical thinking, situation analysis and deductive reasoning, and documenting results and opinions. The process inherently relies on iteration: creating, testing and revising hypotheses along the way.

Table #1. Basic Security Analysis Process

Security Analysis Process Graphic: [figure: Security Analysis Process]

Security Analysis Process Steps

Security Analysis can be described as a four-step process.
  1. learn about the requirements for the security analysis through discussion with the interested parties, or research on the issues
  2. gather information about a system by collecting specifications, artifacts and measurements that relate to the security of the system
  3. evaluate a system or its specifications, artifacts or measurements based on the requirements and established security principles and practices
  4. document findings and/or initiate actions to adapt the system architecture or remediate defects and weaknesses in operational systems in order to meet the requirements for trustworthiness and goals of risk management

Applied Security Analysis Process

The basic Security Analysis process is adapted for use depending on the task at hand, and the reference information needed to perform the activity. There are three important variations of Security Analysis: Security Control Analysis, Security Vulnerability Analysis and Security Attack Analysis. Each activity requires a specific set of reference information.

Table #2 below shows the relationship of three tools for Security Analysis: Security Control Analysis, Security Vulnerability Analysis and Security Attack Analysis to the diagram depicting Security as a Function.

Table #2. Security as a Function

Security as a function of Trustworthiness, Protections and Risk

Security Function

Security Control Analysis

Security Control Analysis, also referred to as Security Risk Analysis, is a Security Engineering activity that is used to: (1) establish a baseline assertion of business and/or technical risk for an organization or computer information system, (2) establish a baseline set of security controls to address business and/or technical risk for an organization or computer information system, (3) assess current organizational and information technology controls and practices against a previously established baseline, or (4) document a plan for improvement of organizational and information technology controls and practices, in consideration of identified gaps, or as a result of security incident(s).

In Table #3, the left side provides a general flow of work, where Security Engineers analyze or assess risk in Information Systems, Information Services and/or Assets per practices outlined in the Cybersecurity Workforce Framework or other reference. The Security Engineers advise on, and/or provision, updated security controls that will reduce risk in Information Systems and Assets.

Security Engineers routinely refer to authoritative reference information for Security Controls, to include: NIST SP800-53R5, ISO/IEC 27001 and other sources.

Table #3. Security Control Analysis


Security Control Analysis Process


Security Control Analysis Reference Information

Authoritative Information Sources

  1. NIST SP800-53R5
  2. ISO/IEC 27002:2013
  3. Common Criteria for Information Security Evaluation.
  4. Mitre Attack
  5. Mitre Common Attack Patterns (CAPEC)
  6. Mitre Common Weakness Enumeration (CWE)
  7. Mitre Common Vulnerability Enumeration (CVE)
  8. NIST SP800-30 Guide for Risk Assessment
  9. NIST Cybersecurity Framework
  10. NIST SP 1800-5 Asset Management
  11. Cybersecurity workforce framework

Security Vulnerability Analysis

Security Vulnerability Analysis is a Security Engineering activity that is used to: (1) examine and evaluate computer information systems for defects and weaknesses that may increase risk and/or enable Threats and Attacks, (2) develop a testing plan to identify and evaluate vulnerabilities in organizational practices or computer information system design, development, operation or maintenance, or (3) evaluate testing plans and practices to document a plan for improvement of detection and remediation of vulnerabilities in accordance with organizational policies and security controls.

In Table #4, the left side provides a general flow of work, where Security Engineers analyze or model threats and attacks to Information Systems, Information Services and/or Assets per practices outlined in the Cybersecurity Workforce Framework or other references. Security Engineers advise on, and/or provision, updated security controls that will mitigate threats and attacks on Information Systems and Assets.

Security Engineers routinely refer to authoritative reference information for Mitre CWE, National Vulnerability Database (NVD), Mitre CAPEC and other sources.

Table #4. Security Vulnerability Analysis


Security Vulnerability Analysis Process


Security Vulnerability Analysis Reference Information

Authoritative Information Sources

  1. NIST SP800-53R5
  2. ISO/IEC 27002:2013
  3. Common Criteria for Information Security Evaluation.
  4. Mitre Attack
  5. Mitre Common Attack Patterns (CAPEC)
  6. Mitre Common Weakness Enumeration (CWE)
  7. Mitre Common Vulnerability Enumeration (CVE)
  8. NIST SP800-30 Guide for Risk Assessment
  9. NIST Cybersecurity Framework
  10. NIST SP 1800-5 Asset Management
  11. Cybersecurity workforce framework

Security Threat Analysis

Threat Analysis is a Security Engineering activity that considers the events and conditions that affect the reliability and correct operation of a system.

Threat Analysis is used to: (1) establish a baseline assertion about threats relevant to a business, organization or computer information system, (2) establish an action plan to mitigate threats to an organization or computer information system, (3) assess current organizational and information technology practices to mitigate threats against a previously established baseline, or (4) document a plan for improvement of organizational and information technology controls and practices, in consideration of identified gaps, or as a result of security incident(s).

Threat Analysis is fundamentally different from Control Analysis and Vulnerability Analysis. The process and recommendations for Security Control Analysis and Security Vulnerability Analysis are prescriptive, that is, both have finite sets of options and alternatives to consider. Threat Analysis, on the other hand, requires consideration of combinations and permutations of a wide range of events and conditions that need to be evaluated and prioritized based on severity and likelihood that meets the risk management objectives of a given organization or owners of a specific computer system.

Terms associated with Threat Analysis include:

  • A threat is defined as any circumstance or event with the potential to adversely impact. Threats may include: an act against a computer system, system failures not associated with an attack, failure or outage of system infrastructure, human error, weather, natural phenomena, natural disasters and more.
  • An attack is a specific type of threat that is instigated by threat actors, and may include technology that abuses organizations or information technology systems.
  • A vulnerability is a defect or weakness in a system or in the security controls in a system. Vulnerabilities are related to threats and attacks in that vulnerabilities create the conditions that enable threats and increase the likelihood of attack.

Note: Comprehensive Threat Analysis is beyond the scope of the SE-Workbench Project, because of the limits of the Security Information Base used in the project.

Security Attack Analysis

Attack Analysis is a type of Threat Analysis that focuses on an act against a computer system. Attack Analysis is supported by the security reference information described previously.

In Table #5, the left side provides a general flow of work, where Security Engineers analyze or model threats and attacks to Information Systems, Information Services and/or Assets per practices outlined in the Cybersecurity Workforce Framework or other references. Security Engineers advise on, and/or provision, updated security controls that will mitigate threats and attacks on Information Systems and Assets.

Security Engineers routinely refer to authoritative reference information for Mitre Attack, Mitre CAPEC, Mitre CWE, and other sources.

Table #5. Security Attack Analysis


Security Attack Analysis Process


Security Attack Analysis Reference Information

Authoritative Information Sources

  1. NIST SP800-53R5
  2. ISO/IEC 27002:2013
  3. Common Criteria for Information Security Evaluation.
  4. Mitre Attack
  5. Mitre Common Attack Patterns (CAPEC)
  6. Mitre Common Weakness Enumeration (CWE)
  7. Mitre Common Vulnerability Enumeration (CVE)
  8. NIST SP800-30 Guide for Risk Assessment
  9. NIST Cybersecurity Framework
  10. NIST SP 1800-5 Asset Management
  11. Cybersecurity workforce framework

Composition of Security Attacks

Table #6 offers a way to think of and analyze security attacks, where a security attack is a single act that can be described as an array of information elements. A group of one or more security attacks can be organized into an "attack scenario". The entirety of attack scenarios that are relevant to a computer system represents an "attack surface".

Table #6. Composition of Security Attacks

Components of Security Attacks
Security Attacks

SE-Workbench Tools

The SE-Workbench tools serve two purposes: (1) to enable students and professionals to build skills and better understand the topic of cyber and information security, and (2) to provide easy and consistent access to information needed by security engineering roles who perform various forms of security analysis.

The SE-Workbench tools are designed with a consistent look and intuitive operation. Each SE-Workbench tool operates on machine readable versions of security reference documents that relate to the focus of the tool.

The function and capability of a given tool follows the Capability Model that was presented in the project introduction:

  • Manual Methods: to include, using internet searches and common client/server tools to gather and correlate reference information from authoritative sources
  • Explorers: Visualization of Multiple Data Sources, to include, Data Aggregation and Data Manipulation, etc.
  • Advisors: i.e., Exploration with Augmented Data, to include, Resolution of Missing Values, Cross Reference & Cross Correlation, Relationship Identification and Affinity Grouping, etc.
  • Assistants: Cooperative Computing using advanced analytics, to include, Comparative Analysis between Baselines, Benchmarks versus Local Parameters and Values
  • Experts: Autonomous Computing using advanced analytics, to include, System Modeling, System Optimization, Scenario Creation and Testing, Constraint Analysis, etc.

SE-Workbench Explorers

The current SE-Workbench tools are "Explorers", providing visualization, data aggregation and data manipulation for a cluster of information sources relevant to the function of the tool. The tools also implement some capabilities of "Advisors", where the source data is augmented to resolve missing values, to identify affinity groups and create cross references.
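
The "Advisor" style augmentation described above (resolving missing values, building cross references and forming affinity groups) can be sketched as follows. This is an added example, not code from the SE-Workbench tools; the record layout, the sample rows and the function names resolveFamily and augment are assumptions made for illustration.

```javascript
// Constructed sample records shaped like rows of a machine-readable control
// catalog. IDs use the "FAMILY-number" form; titles are abbreviated and the
// "related" lists are illustrative, not copied from any reference document.
const sampleControls = [
  { id: "AC-2", family: "AC", title: "Account Management", related: ["AC-3", "IA-2", "AU-2"] },
  { id: "AC-3", family: "", title: "Access Enforcement", related: ["AC-2"] },
  { id: "IA-2", family: null, title: "Identification and Authentication", related: ["AC-2", "AC-3"] },
  { id: "AU-2", family: "AU", title: "Event Logging", related: ["ZZ-9"] }, // dangling target
];

// Resolve a missing family from the identifier prefix (assumed rule).
function resolveFamily(record) {
  if (record.family) return record.family;
  const match = /^([A-Z]{2})-\d+/.exec(record.id);
  return match ? match[1] : "UNKNOWN";
}

// Augment the rows: fill missing values, build reverse cross references,
// group rows by family, and report references that point at nothing.
function augment(records) {
  const known = new Set(records.map((r) => r.id));
  const referencedBy = new Map(records.map((r) => [r.id, []]));
  const dangling = [];
  for (const r of records) {
    for (const target of r.related) {
      if (known.has(target)) referencedBy.get(target).push(r.id);
      else dangling.push({ from: r.id, to: target });
    }
  }
  const rows = records.map((r) => ({
    ...r,
    family: resolveFamily(r),
    familyResolved: !r.family, // flag augmented values so they stay auditable
    referencedBy: referencedBy.get(r.id).sort(),
  }));
  const groups = {};
  for (const row of rows) {
    (groups[row.family] = groups[row.family] || []).push(row.id);
  }
  return { rows, groups, dangling };
}

const explorerData = augment(sampleControls);
console.log(JSON.stringify(explorerData.groups), explorerData.dangling);
```

Flagging resolved values and listing dangling references separately keeps the augmented data distinguishable from what the authoritative source actually states.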

All of the "SE-Workbench Explorers" have a web-browser user interface. They are built on a common technology base to include: HTML, JavaScript, XML, XSLT, DataTables and jQuery. Tables #7 and #8 below show an example of a Security Explorer tool. This particular image is representative of the Security Control Explorer, or SCE Tool, that was introduced in Table #3 above. The user interface for the tool is a web browser. Table #7 shows the layout of the web browser page for the tool.

Table #7 - Explorer Tool Layout

SCE Tool User Interface Web Browser
Tool Layout

Table #8 identifies the user controls for the web browser page. The display can be divided into two sections: the upper section is the header portion and the lower section is the data portion. The upper section documents the name, version and owner of the tool, basic navigation instructions, as well as notices and disclaimers. The lower section of the tool contains the data table, as well as filtering, navigation, display and data export options.

Table #8 - Explorer Tool User Interface

Explorer Tool User Interface
Tool Layout

The image in Table #8 above calls out eleven (11) areas of interest:

  1. Banner Area: Identifies the tool.
  2. Information Page Toggle: provides a means to show/hide the Tool Information Table.
  3. Tool Information Table: Identifies key information about the tool, to include: tool version, revision date, contact information, general description of the tool, general usage tips, source documents, terms of use, and disclaimers.
  4. Page and Data Format Buttons: provide the ability to show and hide specific data columns, options for selecting and deselecting data, and options for exporting data to the computer's clipboard, or external files in CSV, PDF or Print format.
  5. Data Filters: provide the ability to filter the data to be displayed based on a number of predefined parameters.
  6. Text Search Data Entry Field: provides the ability to filter the data to be displayed using an operator-entered text string.
  7. Column Headers: Identifies the content in each column, also provides the ability to sort selected columns in ascending or descending order.
  8. Tool Data Content: one or more rows of data that is grouped by column.
  9. Row Selectors: provide the ability to select individual rows. May be used in combination with the Select Data button in #4 to select groupings of rows from filtered data.
  10. Page Footer: describes the number of visible rows.
  11. Page Navigator: provides the ability to select the page shown, if there are multiple pages of data in the active display.

For More Information...

The SE-Workbench project page provides links to each tool, along with a tutorial for the tool and a set of Sample Problems.



Copyright © 2024 Jim Whitmore.

LAST UPDATE: 09 December 2024