Approximately 25% (according to http://verifiedvoting.com/) of voting jurisdictions use direct recording electronic systems to record votes. Accurate tabulation of voter intent is critical to safeguard this fundamental act of democracy: voting. Electronic voting systems are known to be vulnerable to attack. Assessing risk to these systems requires a systematic treatment and cataloging of threats, vulnerabilities, technologies, controls, and operational environments. This paper presents a threat tree for direct recording electronic (DRE) voting systems. The threat tree is organized as a hierarchy of threat actions, the goal of which is to exploit a system vulnerability in the context of specific technologies, controls, and operational environment. As an abstraction, the threat tree allows the analyst to reason comparatively about threats. A panel of elections officials, security experts, academics, election law attorneys, representatives from governmental agencies, voting equipment vendors, and voting equipment testing labs vetted the DRE threat tree. The authors submit that the DRE threat tree supports both individual and group risk assessment processes and techniques.
