Middle East Technical University
In order to perform the analysis and mitigation efforts related with the information security risks there exists quantitative and qualitative approaches, but the most critical shortcoming of these methods is the fact that the outcome mainly addresses the needs and priorities of the technical community rather than the management. For the enterprise management, this information is essentially required as a decision making aid for the asset allocation and the prioritization of mitigation efforts. so, ideally the outcome of an information security risk method must be in synchronization with the enterprise objectives to act as a useful decision tool for the management. also, in the modeling of the threat domain, attack trees are frequently utilized.