Publication


Featured research published by Atle Refsdal.


Journal of Systems and Software | 2010

Modular analysis and modelling of risk scenarios with dependencies

Gyrd Brændeland; Atle Refsdal; Ketil Stølen

The risk analysis of critical infrastructures such as the electric power supply or telecommunications is complicated by the fact that such infrastructures are mutually dependent. We propose a modular approach to the modelling and analysis of risk scenarios with dependencies. Our approach may be used to deduce the risk level of an overall system from previous risk analyses of its constituent systems. A custom made assumption-guarantee style is put forward as a means to describe risk scenarios with external dependencies. We also define a set of deduction rules facilitating various kinds of reasoning, including the analysis of mutual dependencies between risk scenarios expressed in the assumption-guarantee style.


Science of Computer Programming | 2008

Extending UML sequence diagrams to model trust-dependent behavior with the aim to support risk analysis

Atle Refsdal; Ketil Stølen

UML sequence diagrams are intuitively simple and can be understood by most stakeholders, including end-users, decision makers, engineers and other parties involved in a risk analysis. Building on UML sequence diagrams and trying to maintain their intuitive simplicity, we propose a language for modeling systems where the trust considerations of actors play a major role. Trust considerations are integrated with behavioral descriptions in order to facilitate analysis of the trust considerations of the actors, as well as their resulting behavior. We claim that our language allows trust dependent behavior to be described at a level of abstraction suitable for communication between different groups of stakeholders in a risk analysis situation. Furthermore, we argue that the increased expressiveness is required to facilitate the kind of analysis necessary to properly weigh and treat trust dependent risk behavior.


Formal Methods for Open Object-Based Distributed Systems | 2006

Underspecification, Inherent Nondeterminism and Probability in Sequence Diagrams

Atle Refsdal; Ragnhild Kobro Runde; Ketil Stølen

Nondeterminism in specifications may be used for at least two different purposes. One is to express underspecification, which means that the specifier for the same environment behavior allows several alternative behaviors of the specified component and leaves the choice between these to those responsible for implementing the specification. In this case a valid implementation will need to implement at least one, but not necessarily all, alternatives. The other purpose is to express inherent nondeterminism, which means that a valid implementation needs to reflect all alternatives. STAIRS is an approach to the compositional and incremental development of sequence diagrams supporting underspecification as well as inherent nondeterminism. Probabilistic STAIRS builds on STAIRS and allows probabilities to be included in the specifications. Underspecification with respect to probabilities is also allowed. This paper investigates the use of underspecification, inherent nondeterminism and probability in sequence diagrams, the relationships between these concepts, and how these are expressed in STAIRS and probabilistic STAIRS.


International Conference on Trust Management | 2009

Employing Key Indicators to Provide a Dynamic Risk Picture with a Notion of Confidence

Atle Refsdal; Ketil Stølen

A security risk analysis will only serve its purpose if we can trust that the risk levels obtained from the analysis are correct. However, obtaining correct risk levels requires that we find correct likelihood and consequence values for the unwanted incidents identified during the analysis. This is often very hard. Moreover, the values may soon be outdated as the system under consideration or its environment changes. It is therefore desirable to be able to base estimates of risk levels on measurable indicators that are dynamically updated. In this paper we present an approach for exploiting measurable indicators in order to obtain a risk picture that is continuously or periodically updated. We also suggest dynamic notions of confidence aiming to capture to what extent we may trust the current risk picture.


Formal Modeling and Analysis of Timed Systems | 2005

Specification and refinement of soft real-time requirements using sequence diagrams

Atle Refsdal; Knut Eilif Husa; Ketil Stølen

Soft real-time requirements are often related to communication in distributed systems. Therefore it is interesting to understand how UML sequence diagrams can be used to specify such requirements. We propose a way of integrating soft real-time requirements in sequence diagram specifications by adding probabilities to timed sequence diagrams. Our approach builds on timed STAIRS, which is an approach to the compositional and incremental development of sequence diagrams supporting specification of mandatory as well as potential behavior.


Quality of Protection | 2006

A Conceptual Model for Service Availability

Judith E. Y. Rossebeø; Mass Soldal Lund; Knut Eilif Husa; Atle Refsdal

Traditionally, availability has been seen as an atomic property asserting the average time a system is “up” or “down”. In order to model and analyse the availability of computerized systems in a world where the dependency on and complexity of such systems are increasing, this notion of availability is no longer sufficient. This paper presents a conceptual model for availability designed to handle these challenges. The core of this model is a characterization of availability by means of accessibility properties and exclusivity properties, which is further specialized into measurable aspects of availability. We outline how this conceptual model may be refined to a framework for specifying and analysing availability requirements.


International Conference on Engineering Secure Software and Systems | 2010

Idea: a feasibility study in model based prediction of impact of changes on system quality

Aida Omerovic; Anette Andresen; Håvard Grindheim; Per Myrseth; Atle Refsdal; Ketil Stølen; Jon Ølnes

We propose a method, called PREDIQT, for model based prediction of impact of architecture design changes on system quality. PREDIQT supports simultaneous analysis of several quality attributes and their trade-offs. This paper argues for the feasibility of the PREDIQT method based on a comprehensive industrial case study targeting a system for managing validation of electronic certificates and signatures worldwide. We give an overview of the PREDIQT method, and present an evaluation of the method in terms of a feasibility study.


International Conference on Trust Management | 2008

A UML-based Method for the Development of Policies to Support Trust Management

Atle Refsdal; Bjørnar Solhaug; Ketil Stølen

Most of the existing approaches to trust management focus on the issues of assessing the trustworthiness of other entities and of establishing trust between entities. This is particularly relevant for dynamic, open and distributed systems, where the identity and intentions of other entities may be uncertain. These approaches offer methods to manage trust, and thereby to manage risk and security. The methods are, however, mostly concerned with trust management from the viewpoint of the trustor, and the issue of mitigating risks to which the trustor is exposed. This paper addresses the important, yet quite neglected, challenge of understanding the risks to which a whole system is exposed, in cases where some of the actors within the system make trust-based decisions. The paper contributes by proposing a method for the modeling and analysis of trust, as well as the identification and evaluation of the associated risks and opportunities. The analysis facilitates the capture of trust policies, the enforcement of which optimizes the trust-based decisions within the system. The method is supported by formal, UML-based languages for the modeling of trust scenarios and for trust policy specification.


Electronic Notes in Theoretical Computer Science | 2008

Extending UML Sequence Diagrams to Model Trust-dependent Behavior With the Aim to Support Risk Analysis

Atle Refsdal; Ketil Stølen

UML sequence diagrams are intuitively simple and can be understood by most stakeholders, including end-users, decision makers, engineers and other parties involved in a risk analysis. Building on UML sequence diagrams and trying to maintain their intuitive simplicity we propose a language for modeling systems where the trust considerations of actors play a major role. Trust considerations are integrated with behavioral descriptions in order to facilitate analysis of the trust considerations of the actors as well as their resulting behavior. We claim that our language allows trust dependent behavior to be described at a level of abstraction suitable for communication between different groups of stakeholders in a risk analysis situation. Furthermore, we argue that the increased expressiveness is required to facilitate the kind of analysis necessary to properly weigh and treat trust dependent risk behavior.


International Symposium on Software Reliability Engineering | 2014

Towards Safety Risk Assessment of Socio-Technical Systems via Failure Logic Analysis

Barbara Gallina; Edin Sefer; Atle Refsdal

A thorough understanding of the safety risks of a system requires an understanding of its human and organizational factors, as well as its technical components. Analysis approaches that focus only on the latter without considering, for example, how human decision makers may respond to a technical failure, are not able to adequately capture the wide variety of safety risk scenarios that need to be considered. In this paper, we propose a model-based analysis approach that allows analysts to interpret humans and organizations in terms of components and their behavior in terms of failure logic. Our approach builds on top of CHESS-FLA, which is a tool-supported failure logic analysis technique that supports analysis of component-based system architectures to understand what can go wrong at the system level and to identify the causes (i.e., faulty components). However, CHESS-FLA currently deals only with hardware and software components and thus it is not adequate to reason about socio-technical systems. We therefore provide an extension based on a pre-existing classification of socio-failures and combine it with the one used in CHESS-FLA for technical failures, thereby giving birth to a novel approach to analysis of socio-technical systems. We demonstrate our approach on an example from the petroleum domain.
