Security continues to be a critical issue in the safe operation of electronic voting machines. Risk assessment is the process of determining if a particular voting system is at risk and what steps can be taken to mitigate the risk. We propose an iterative risk assessment process using threat trees. This process involves using a voting system risk taxonomy to categorize a threat, a schema to express logical hypothesis about a threat, generating a threat tree through functional decomposition, expressing threat instance semantics as nodal properties with metrics, validating the threat instance through independent representations, and finally pruning the tree for enhanced usability and understandability. This process provides guidance to an analyst in using threat trees to conduct risk assessment of electronic voting systems. Because this process is based on abstract and extendable structures, it facilitates the comparison and validation of independent risk evaluations. Prospective voting system risk assessment metrics are provided.
展开▼
