A major, huge, missing thing in ‘attack trees’ [aren’t they related to access path analysis?] is that they only depict the ‘Opportunity’ part of perpetration, and have nothing on the Motivation or Rationalisation parts (as in this easy explanation). And hey, the latter two point at insiders, too, who are so often not to be found in attack trees. Why?
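To make that gap concrete, here is an added illustration (not from the post): a small attack-tree evaluator, first in the classical cheapest-path reading (Opportunity only), then the same tree read per perpetrator with reach, Motivation and Rationalisation attached, so that an insider with little effort to spend can outrank a far more motivated outsider. The tree, the actors, their scores and the weighting formula are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field
from math import inf

@dataclass
class Node:
    """Attack-tree node: a 'leaf' with an effort cost, or an 'and'/'or' over children."""
    name: str
    kind: str = "leaf"             # 'leaf', 'and' or 'or'
    cost: float = 0.0              # attacker effort for a leaf (constructed units)
    children: list = field(default_factory=list)

@dataclass
class Actor:
    """Perpetrator profile: the leaves this actor can attempt at all (Opportunity),
    plus the two fraud-triangle dimensions attack trees omit (constructed 0..1 scores)."""
    name: str
    reach: set
    motivation: float
    rationalisation: float

def cheapest_path(node, actor):
    """Classical attack-tree reading: min over OR, sum over AND; a leaf costs its
    effort if the actor can reach it, else infinity. Opportunity only."""
    if node.kind == "leaf":
        return node.cost if node.name in actor.reach else inf
    costs = [cheapest_path(c, actor) for c in node.children]
    return sum(costs) if node.kind == "and" else min(costs)

def triangle_score(node, actor):
    """Hypothetical weighting (an assumption, not a standard): Opportunity as
    1/(1+cost), multiplied by Motivation and Rationalisation; 0 if no path exists."""
    cost = cheapest_path(node, actor)
    return 0.0 if cost == inf else actor.motivation * actor.rationalisation / (1 + cost)
def rank_actors(root, actors):
    """Order perpetrators by triangle score, highest first."""
    return sorted(actors, key=lambda a: triangle_score(root, a), reverse=True)

# Constructed example tree: get a copy of the customer database.
ROOT = Node("obtain customer db", "or", children=[
    Node("come in from outside", "and", children=[
        Node("obtain credentials", cost=5),
        Node("reach the db host", cost=8),
        Node("export the data", cost=2)]),
    Node("abuse legitimate access", "and", children=[
        Node("run privileged export", cost=1),
        Node("carry export out", cost=1)])])
# Constructed actors: a highly motivated outsider and a less motivated insider DBA.
OUTSIDER = Actor("outsider", {"obtain credentials", "reach the db host", "export the data"}, 0.9, 0.9)
DBA = Actor("insider dba", {"run privileged export", "carry export out", "export the data"}, 0.4, 0.6)
```

Read as a plain attack tree, the outsider path costs 15 and the insider path 2; once reach is modelled per actor the outsider cannot even enter the insider branch, and the DBA tops the ranking despite lower Motivation and Rationalisation scores.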
That’s two things that broaden the context to anything realistic. So that, e.g., the following can be applied better:
Which goes way back to the physical realm. It allows controls to be seen not only as lines of defence [indeed, not the outright stupid kind], but also as being of various categories, for differing purposes. To enrich your protection beyond mere data-oriented classical (info)sec, which is but an operational subset of what one wants, qua information security in its broader scope for the enterprise; figuratively and literally, when combined with this masterpiece method, as rightfully and correctly promoted by this peer.
So, attack trees yes, but why only now, and weren’t you using them already for a long time, implicitly? If not, how can you ever have given any serious opinion about the Design of the control system (that being the opinion on its potential Operating Effectiveness!), let alone its Actual Operating Effectiveness, which is a mere afterthought once the Design and Implementation are A-OK. If either of the latter isn’t tip-top, actual operating effectiveness is theoretically impossible.
Also, include the various cost-of-control figures [introducing a reason you can’t achieve perfection: it would need an infinite budget, throwing out the baby with the bandwidth bathwater], and Time, as in trend analysis and the second-order errors in that.
The more detailed your model, the more rigid it will be. The more comprehensive, the more … it may be inexact, but that’s the price of ‘de-modelling’, i.e. making something applicable in reality. Either your model is perfect [into analysis paralysis] OR it makes sense [better to be roughly right than a rabbit in the headlights].