Fredrik Vraalsen

Specifying legal risk scenarios using the CORAS threat modelling language

The paper makes two main contributions: (1) It presents experiences from using the CORAS language for security threat modelling to specify legal risk scenarios. These experiences are summarised in the form of requirements to a more expressive language providing specific support for the legal domain. (2) Its second main contribution is to present ideas towards the fulfilment of these requirements. More specifically, it extends the CORAS conceptual model for security risk analysis with legal concepts and associations. Moreover, based on this extended conceptual model, it introduces a number of promising language constructs addressing some of the identified deficiencies.

Experiences from Using the CORAS Methodology to Analyze a Web Application

During a field trial performed at the Norwegian telecom company NetCom from May 2003 to July 2003, a methodology for model-based risk analysis was assessed. The chosen methodology was the CORAS methodology (CORAS, 2000), which has been developed in a European research project carried out by 11 European companies and research institutes partly funded by the European Union. The risk analysis and assessment were carried out by the Norwegian research institute SINTEF in cooperation with NetCom. NetCom (www.netcom.no) is one of the main mobile phone network providers in Norway. Their ‘MinSide’ application offers their customers access to their personal account information via the Internet, enabling them to view and change the properties of their mobile phone subscription. ‘MinSide’ deals with a lot of sensitive customer information that needs to be secure, while at the same time being easily available to the customer in order for the service to remain usable and competitive. The goal of the analysis was to identify risks in relation to the use of the ‘MinSide’ application and, where possible, suggest treatments for these risks. This was achieved through two model-driven brainstorming sessions based on system documentation in the form of UML sequence diagrams and data flow diagrams.

The CORAS tool for security risk analysis

The CORAS Tool for model-based security risk analysis supports documentation and reuse of risk analysis results through integration of different risk analysis and software development techniques and tools. Built-in consistency checking facilitates the maintenance of the results as the target of analysis and risk analysis results evolve.

Legal Risk Analysis with Respect to IPR in a Collaborative Engineering Virtual Organization

Establishing and operating a virtual organization implies a number of challenges from many different perspectives, including socio-economic, organizational, legal and computational issues. This paper focuses on the legal aspects with a particular view on legal risks with respect to intellectual property rights. A risk analysis with respect to legal issues can either be based on abstract legal reasoning or it can focus on the business reality and the specific characterizations of the virtual organization. This paper follows the latter approach; it presents selected findings of a legal risk analysis of a business scenario in the collaborative engineering field. The legal risk analysis was performed in collaboration between lawyers and other professionals in order to highlight how different legal and non-legal aspects relate to each other. Graphical models of risks and treatments were utilized in order to reduce communicational barriers between experts in this multidisciplinary setting.

A Multimodal Context Aware Mobile Maintenance Terminal for Noisy Environments

Maintenance workers in the oil and process industry have typically had minimal IT support, relying on paper-based solutions both for the information they need to bring into the field and for data capture. This paper proposes a mobile context aware system for maintenance work based on electronically tagged equipment and handheld wireless terminals with a multimodal user interface. Particular attention has been given to voice interaction in noisy industrial scenarios, utilising the PARAT earplug. A proof-of-concept demonstrator of the system has been developed. The paper presents the demonstrator architecture and experiences gained through this work.