Developed by: University of Southampton

System Security Modeller


The System Security Modeller (SSM) is a risk assessment tool for socio-economic systems. It combines a drag-and-drop graphical interface for drawing system models with an innovative machine-reasoning engine and detailed domain knowledgebase of threats and countermeasures to create a comprehensive view of the risks to a system and how to mitigate them.

The SSM automates much of the risk assessment procedure described in ISO 27005 and thereby supports ISO 27001 compliance. Through automation, a risk assessment is made methodical and reproducible and a security analyst may do a better job in less time.

To use the System Security Modeller the procedure is:

  1. Draw a model of the system, including relevant assets (networks, hosts, processes, data, people, places) and their relationships (such as which process uses what data).
    • This requires an understanding of the physical/virtual infrastructure (network, hosts), the software and data used by a company and the environment (people, places).
  2. Identify the primary assets for the business (generally data and processes) and indicate the impact on the business that failures in those assets (such as loss of confidentiality) would cause.
    • This requires an understanding of the business.
  3. The SSM then finds the threats to the system automatically using the built-in knowledgebase and through its understanding of attack-paths and threat cascades.
    • This would normally be done (imperfectly) by a trained security analyst.
  4. Specify what control measures are already in place (such as passwords, firewalls, etc).
    • This requires an understanding of the information-security measures already in place.
  5. The SSM then computes the risk of every threat to the system automatically.
    • This is very hard to do by hand and would be done by a security analyst. It involves the use of the specified impacts, the inter-connectedness of the assets (to see how failures in the secondary assets affect the primary assets) and an understanding of how the controls that are in place effect the likelihood of each threat.
  6. Add additional controls suggested by the SSM and recompute the risk until the residual risk is acceptable for the business.
    • This requires an understanding of what information-security measures are possible for implementation.

All together, the ISO 27005 risk assessment procedure is a complex process, requiring knowledge about many aspects of a business.

Such a procedure has at times been considered too difficult for SMEs to manage, hence simpler descriptions of necessary security measures such as the UK’s Cyber-Essentials have been introduced by regulators.

The System Security Modeller goes a long way to automating and simplifying the procedure and in Cyberkit4SME the additional needs of SMEs will be understood and addressed so that SMEs can also be supported in performing risk assessments of their systems and implementing the controls appropriate to their risks.


The System Security Modeller is a Java application with a REST API for client applications. The primary client application is a web-based user interface which utilises ReactJS for a single-page application.

User authentication is handled by an external Keycloak component (using the OpenID Connect Authorization Code Flow). Users are identified as having a “user” role and in addition may have the “admin” role. The role(s) permit access by the SSM to different parts of the API accordingly.

Authorization data is held by the SSM (not Keycloak).

Data for the System Security Modeller is persisted in two different databases:

  1. MongoDB database
    storing authorization data (who has what rights on what system model) and model meta-data (last edit date, etc);
  2. JenaTDB database
    holding the knowledgebases of threats and controls (also known as “domain models”) and the system models drawn by the users.

A high-level component architecture of the System Security Modeller can be found in the Figure below:

Component architecture of the System Security Modeller

The System Security Modeller is deployed in containers using Docker Compose or Kubernetes. The application is split into four containers:

  1. A reverse proxy (nginx)
    through which the client communicates. The proxy also hosts the user documentation website.
  2. The SSM Java application deployed in Tomcat.
    The service also serves the ReactJS client to the user’s web browser. The JenaTDB database is hosted in the same container and communication with JenaTDB is done in-process.
  3. Keycloak deployed in JBoss.
  4. MongoDB


In addition, the prototype software to provide a risk analysis of an operational model is currently implemented (in Python) in a separate micro-service called the “SSM-adaptor”.

When deployed in Kubernetes, data persistence must be provided by Kubernetes persistent volumes.

A deployment diagram may be found in the Figure below:

Deployment diagram for the System Security Modeller.