Attack Tree Distance: a practical examination of tree difference measurement within cyber security

📅 2025-03-04
🤖 AI Summary
This paper addresses the critical limitation in cybersecurity research that attack trees lack joint structural and semantic comparability. To resolve this, we propose a novel dissimilarity measurement framework integrating structural distance and node-level semantic similarity. Our method innovatively introduces radical distance and, for the first time, incorporates word-embedding–driven semantic similarity into node label comparison; it further combines tree edit distance to formulate three complementary distance metrics. Evaluation on a manually annotated real-world attack tree dataset (n = 39) demonstrates that semantic similarity substantially enhances label-matching robustness, while radical distance and tree edit distance achieve superior performance across most scenarios. The proposed framework effectively supports attack tree clustering, similarity identification, and threat model evolution analysis. It establishes a reproducible and interpretable technical foundation for standardized evaluation of attack trees.

📝 Abstract
CONTEXT. Attack trees are a recommended threat modeling tool, but there is no established method to compare them. OBJECTIVE. We aim to establish a method to compare "real" attack trees, based on both the structure of the tree itself and the meaning of the node labels. METHOD. We define four methods of comparison (three novel and one established) and compare them to a dataset of attack trees created from a study run on students (n = 39). These attack trees all follow from the same scenario, but have slightly different labels. RESULTS. We find that applying semantic similarity as a means of comparing node labels is a valid approach. Further, we find that tree edit distance (established) and radical distance (novel) are the most promising methods of comparison in most circumstances. CONCLUSION. We show that these two methods are valid as means of comparing attack trees, and suggest a novel technique for using semantic similarity to compare node labels. We further suggest that these methods can be used to compare attack trees in a real-world scenario, and that they can be used to identify similar attack trees.
Problem

Research questions and friction points this paper is trying to address.

No established method to compare attack trees in cybersecurity.
Develop methods to compare attack trees based on structure and node labels.
Evaluate and validate methods for comparing real-world attack trees.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Defines four methods for comparing attack trees
Uses semantic similarity for node label comparison
Proposes novel radical distance for tree comparison
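
To make the idea of tree edit distance with similarity-based label comparison concrete, here is an added example; it is not the paper's code. It assumes ordered trees, uses token-overlap (Jaccard) similarity as an offline stand-in for word-embedding similarity, and compares two constructed attack trees for the same scenario.

```python
from functools import lru_cache

# A tree is (label, (child, ...)); a forest is a tuple of trees.
# Both sample trees are constructed for this example.
TREE_A = ("steal password", (
    ("phishing email", ()),
    ("guess password", (("brute force", ()),)),
))
TREE_B = ("steal the password", (
    ("send phishing email", ()),
    ("guess the password", (("brute force attack", ()),)),
    ("shoulder surfing", ()),          # extra branch: a structural difference
))

def exact(a, b):
    """Strict label comparison: labels match only if identical."""
    return 1.0 if a == b else 0.0

def jaccard(a, b):
    """Token-overlap similarity in [0, 1]; stand-in for embedding similarity."""
    x, y = set(a.lower().split()), set(b.lower().split())
    return len(x & y) / len(x | y) if x | y else 1.0

def size(forest):
    """Number of nodes in a forest."""
    return sum(1 + size(children) for _, children in forest)

def tree_edit_distance(t1, t2, sim):
    """Ordered tree edit distance: insert/delete cost 1, relabel cost 1 - sim."""
    @lru_cache(maxsize=None)
    def dist(f1, f2):
        if not f1:
            return size(f2)            # insert every remaining node
        if not f2:
            return size(f1)            # delete every remaining node
        (l1, c1), (l2, c2) = f1[-1], f2[-1]
        return min(
            dist(f1[:-1] + c1, f2) + 1,    # delete rightmost root of f1
            dist(f1, f2[:-1] + c2) + 1,    # insert rightmost root of f2
            dist(c1, c2) + dist(f1[:-1], f2[:-1]) + 1 - sim(l1, l2),  # pair roots
        )
    return dist((t1,), (t2,))

if __name__ == "__main__":
    print("exact labels  :", tree_edit_distance(TREE_A, TREE_B, exact))
    print("similar labels:", round(tree_edit_distance(TREE_A, TREE_B, jaccard), 3))
```

With exact matching, every reworded label counts as a full edit, so the two trees look far apart; with similarity-weighted relabeling, most of the remaining distance comes from the extra branch.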