US Election Assistance Commission - Voluntary Voting System Guidelines Vote
EAC Home
Introduction
View Guidelines
View Comments
Glossary

View Comments

Section CommentsGeneral CommentsGlossary Comments
 
Name :   Matt Bishop
Organization :   University of California Davis
Post Date :   9/30/2005

Section Comments
Section :  20.1.5
Page no. :  
Line no.:  
Comment :  *Note: Comment referring to threat modeling section of author's document

Only vendors have sufficient information—a detailed model and a working system—to perform a good attack
tree analysis. The standards should force the vendor to do so: they should require vendors to produce elaborated
attack trees that contain no unmitigated paths since each path is either annotated with the countermeasures or prohibitively expensive. The standards can and should guide the vendor’s analysis by providing partially
expanded attack trees that contain known threats to election systems. The standards might require vendors to
use these partial trees as the starting point of their own vulnerability analysis.