Publication


Featured research published by Bjørnar Solhaug.


Archive | 2011

Model-Driven Risk Analysis

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

The term risk is known from many fields, and we are used to references to contractual risk, economic risk, operational risk, legal risk, security risk, and so forth. We conduct risk analysis, using either offensive or defensive approaches to identify and assess risk. Offensive approaches are concerned with balancing potential gain against risk of investment loss, while defensive approaches are concerned with protecting assets that already exist. In this book, Lund, Solhaug and Stølen focus on defensive risk analysis, and more explicitly on a particular approach called CORAS. CORAS is a model-driven method for defensive risk analysis featuring a tool-supported modelling language specially designed to model risks. Their book serves as an introduction to risk analysis in general, including the central concepts and notions in risk analysis and their relations. The authors' aim is to support risk analysts in conducting structured and stepwise risk analysis. To this end, the book is divided into three main parts. Part I of the book introduces and demonstrates the central concepts and notation used in CORAS, and is largely example-driven. Part II gives a thorough description of the CORAS method and modelling language. After having completed this part of the book, the reader should know enough to use the method in practice. Finally, Part III addresses issues that require special attention and treatment, but are still often encountered in real-life risk analysis and for which CORAS offers helpful advice and assistance. This part also includes a short presentation of the CORAS tool support. The main target groups of the book are IT practitioners and students at graduate or undergraduate level. They will appreciate a concise introduction to the emerging field of risk analysis, supported by a sound methodology, and completed with numerous examples and detailed guidelines.


Archive | 2011

A Guided Tour of the CORAS Method

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents a guided tour of the CORAS method. The method is divided into eight steps, and a separate section is devoted to each of them. The guided tour familiarises the reader with the main features of CORAS, and demonstrates the use of the CORAS risk modeling language as a means for facilitating the analysis, for supporting communication and interaction, and for documenting the analysis results. The chapter serves both as a brief introduction to CORAS, and as a good basis for the subsequent chapters in which the CORAS language and method are presented in detail.


Archive | 2011

The CORAS Tool

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents the CORAS tool, which is a graphical editor for making any kind of CORAS diagram. The CORAS tool is well-suited for creating risk models on-the-fly during brainstorming sessions, and moreover facilitates the documentation and presentation of risk analysis results. On the one hand, this chapter presents the CORAS tool and gives a description of its functionality. On the other hand, the chapter explains how the tool may be used during a CORAS risk analysis to facilitate and support the various analysis tasks, with particular focus on the task of risk identification as a selected example.


Archive | 2011

The CORAS Risk Modelling Language

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter gives a careful and more detailed presentation of the CORAS risk modelling language, including its syntax and its semantics. The CORAS language is tightly interwoven with the CORAS risk analysis method, and is furthermore firmly based on the central underlying concepts of risk analysis. We explain this by introducing and defining the core risk-related concepts, and by demonstrating how these concepts are reflected in the language by specific language constructs. The chapter introduces the five basic kinds of CORAS diagrams and explains their use in the practical setting of risk analysis, both to support communication and to facilitate the various tasks of the risk analysis process.


Archive | 2011

Risk Treatment Using Treatment Diagrams

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents Step 8, which is the last step of the CORAS method, and is concerned with the identification and analysis of treatments. The risks that are found to be unacceptable are evaluated to find means to reduce them. A treatment should contribute to reduced likelihood and/or consequence of an unwanted incident. Since treatments can be costly, they are assessed with respect to their cost-benefit, before a final treatment plan is made.


Archive | 2011

Risk Evaluation Using Risk Diagrams

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents Step 7 of the CORAS method. The objective is to decide which of the identified risks are acceptable, and which of the risks must be further evaluated for possible treatment. Whether or not the risks are acceptable is determined by using the already defined risk evaluation criteria and the results of the risk estimation. Step 7 furthermore involves estimating and evaluating risks with respect to indirect assets.


Archive | 2011

Risk Estimation Using Threat Diagrams

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents Step 6 of the CORAS method. The objective of the risk estimation is to determine the risk level of the risks that are represented by the identified unwanted incidents. The unwanted incidents were documented in threat diagrams during Step 5, and these diagrams serve as the basis for the risk estimation. Step 6 is conducted as a brainstorming involving personnel with various backgrounds, and basically involves the estimation of the likelihoods and consequences of the unwanted incidents. These values in combination yield the risk level for each of the identified risks. The CORAS threat diagrams facilitate the likelihood estimation by supporting the estimation of the likelihood for threats and threat scenarios to cause the unwanted incidents.


Archive | 2011

Risk Identification Using Threat Diagrams

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents Step 5 of the CORAS method, which is the risk identification. To identify risks, CORAS makes use of structured brainstorming. Structured brainstorming is a step-by-step walkthrough of the target of analysis and is carried out as a workshop led by the analysts. The main idea of structured brainstorming is that since the workshop participants represent different competences, backgrounds and interests, they will view the target from different perspectives and consequently identify more, and possibly other, risks than individuals or a more homogeneous group would have managed. The risk identification involves a systematic identification of threats, unwanted incidents, threat scenarios and vulnerabilities with respect to the identified assets. The activities are supported by the CORAS language, and the results are documented on-the-fly by means of CORAS threat diagrams.


Archive | 2011

Approval of the Target Description

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents Step 4 of the CORAS method. The main objective of this analysis step is to ensure that the background documentation for the rest of the analysis, including the target, focus and scope, is correct and complete as seen by the customer. The step involves presenting a more refined description of the target to be analysed, including the assumptions and preconditions being made. Typically, the analysts describe the target using a formal or semi-formal notation. Before the actual risk analysis starts at the next step of the analysis process, the description of the target should be approved by the customer. Step 4 furthermore includes defining the scales that will be used for estimating likelihoods, consequences and risk levels, as well as deciding the risk evaluation criteria for each asset. This analysis step concludes the context establishment.


Archive | 2011

Refining the Target Description Using Asset Diagrams

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents Step 3 of the CORAS method, the main objective of which is to ensure a common understanding of the target of analysis, including its focus, scope and main assets. The analysis team presents its understanding of what they learned at the first meeting and from studying documentation that has been made available to them by the customer. The target models presented by the analysis team are corrected and amended. Based on interaction with the customer, the analysis team will also identify the main assets to be protected. The analysis team furthermore conducts a rough, high-level analysis to identify major threat scenarios, vulnerabilities and enterprise level risks that should be investigated further. The outcome of Step 3 is a refined and more detailed understanding of the target description and the objectives of the analysis, which at this point are documented by the analysts.
