<![CDATA[The increasing reliance of higher education institutions on information systems has significantly expanded the cyber attack surface, making academic environments attractive targets for cyber threats. This study proposes an attack tree–based approach to model and simulate potential cyber attacks against an academic information system managed by an ICT department. The research employs a controlled case study design, combining technical attack simulation and analytical modeling to identify realistic attack paths and prioritize mitigation strategies. Cyber attack simulations were conducted in a staging environment using Nmap for network reconnaissance, OWASP ZAP for dynamic web application security testing, and SQLMap for controlled verification of potential SQL injection vulnerabilities. The results of these simulations were systematically mapped into an attack tree model, representing hierarchical attack paths from initial reconnaissance to exploitation and potential impact. Each node in the attack tree was evaluated based on likelihood and impact to support risk prioritization. The findings indicate that the most critical attack paths are associated with web application vulnerabilities and weaknesses in authentication mechanisms, which may lead to unauthorized access and data exposure if left unmitigated. The attack tree model effectively integrates technical evidence from multiple tools into a structured analytical framework, enabling clearer visualization of attack feasibility and mitigation priorities. This study demonstrates that attack tree–based modeling can serve as a practical and systematic approach to strengthening cybersecurity posture in academic ICT departments..]]>
