Publication


Featured research published by Mass Soldal Lund.


Archive | 2011

Model-Driven Risk Analysis

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

The term risk is known from many fields, and we are used to references to contractual risk, economic risk, operational risk, legal risk, security risk, and so forth. We conduct risk analysis, using either offensive or defensive approaches to identify and assess risk. Offensive approaches are concerned with balancing potential gain against risk of investment loss, while defensive approaches are concerned with protecting assets that already exist. In this book, Lund, Solhaug and Stølen focus on defensive risk analysis, and more explicitly on a particular approach called CORAS. CORAS is a model-driven method for defensive risk analysis featuring a tool-supported modelling language specially designed to model risks. Their book serves as an introduction to risk analysis in general, including the central concepts and notions in risk analysis and their relations. The authors' aim is to support risk analysts in conducting structured and stepwise risk analysis. To this end, the book is divided into three main parts. Part I of the book introduces and demonstrates the central concepts and notation used in CORAS, and is largely example-driven. Part II gives a thorough description of the CORAS method and modelling language. After having completed this part of the book, the reader should know enough to use the method in practice. Finally, Part III addresses issues that require special attention and treatment, but still are often encountered in real-life risk analysis and for which CORAS offers helpful advice and assistance. This part also includes a short presentation of the CORAS tool support. The main target groups of the book are IT practitioners and students at graduate or undergraduate level. They will appreciate a concise introduction into the emerging field of risk analysis, supported by a sound methodology, and completed with numerous examples and detailed guidelines.


Foundations of security analysis and design VI | 2011

Risk analysis of changing and evolving systems using CORAS

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

Risk analysis is the identification and documentation of risks with respect to an organisation or a target system. Established risk analysis methods and guidelines typically focus on a particular system configuration at a particular point in time. The resulting risk picture is then valid only at that point in time and under the assumptions made when it was derived. However, systems and their environments tend to change and evolve over time. In order to appropriately handle change, risk analysis must be supported with specialised techniques and guidelines for modelling, analysing and reasoning about changing risks. In this paper we introduce general techniques and guidelines for managing risk in changing systems, and then instantiate these in the CORAS approach to model-driven risk analysis. The approach is demonstrated by a practical example based on a case study from the Air Traffic Management (ATM) domain.


Archive | 2011

A Guided Tour of the CORAS Method

Mass Soldal Lund; Bjørnar Solhaug; Ketil Stølen

This chapter presents a guided tour of the CORAS method. The method is divided into eight steps, and a separate section is devoted to each of them. The guided tour familiarises the reader with the main features of CORAS, and demonstrates the use of the CORAS risk modeling language as a means for facilitating the analysis, for supporting communication and interaction, and for documenting the analysis results. The chapter serves both as a brief introduction to CORAS, and as a good basis for the subsequent chapters in which the CORAS language and method are presented in detail.


International Conference on Trust Management | 2005

Specifying legal risk scenarios using the CORAS threat modelling language

Fredrik Vraalsen; Mass Soldal Lund; Tobias Mahler; Xavier Parent; Ketil Stølen

The paper makes two main contributions: (1) It presents experiences from using the CORAS language for security threat modelling to specify legal risk scenarios. These experiences are summarised in the form of requirements to a more expressive language providing specific support for the legal domain. (2) Its second main contribution is to present ideas towards the fulfilment of these requirements. More specifically, it extends the CORAS conceptual model for security risk analysis with legal concepts and associations. Moreover, based on this extended conceptual model, it introduces a number of promising language constructs addressing some of the identified deficiencies.


Risk Analysis | 2011

Reducing the Effort to Comprehend Risk Models: Text Labels Are Often Preferred Over Graphical Means

Ida Hogganvik Grøndahl; Mass Soldal Lund; Ketil Stølen

Risk analysis involves people with different roles and competences. The validity of the outcome depends on that they are able to communicate; ideally between themselves, but at least with or via a risk analyst. The CORAS risk modeling language has been developed to facilitate communication between stakeholders involved in the various stages of risk analysis. This article reports the results from an empirical investigation among professionals, where the purpose was to investigate how graphical effects (size, color, shape) and text labels introduced in the CORAS risk modeling language affected the understanding. The results indicate that if graphical effects are used to illustrate important information, they should also be accompanied by informative textual labels.


European Software Engineering Conference | 2003

Maintaining results from security assessments

Mass Soldal Lund; F. den Braber; Ketil Stølen

Security assessments are costly and time consuming and cannot be carried out from scratch each time a system is updated or modified. This motivates the need for specific methodology addressing the maintenance of assessment results, in particular, and a component-oriented approach to security assessment in general. This paper presents such a methodology in the setting of model-based security assessment as developed by the EU-project CORAS. The main focus is on the maintenance part.


Quality of Protection | 2006

A Conceptual Model for Service Availability

Judith E. Y. Rossebeø; Mass Soldal Lund; Knut Eilif Husa; Atle Refsdal

Traditionally, availability has been seen as an atomic property asserting the average time a system is “up” or “down”. In order to model and analyse the availability of computerized systems in a world where the dependency on and complexity of such systems are increasing, this notion of availability is no longer sufficient. This paper presents a conceptual model for availability designed to handle these challenges. The core of this model is a characterization of availability by means of accessibility properties and exclusivity properties, which is further specialized into measurable aspects of availability. We outline how this conceptual model may be refined to a framework for specifying and analysing availability requirements.


2011 International Workshop on the Maintenance and Evolution of Service-Oriented and Cloud-Based Systems | 2011

An architectural pattern for enterprise level monitoring tools

Olav Skjelkvåle Ligaarden; Mass Soldal Lund; Atle Refsdal; Fredrik Seehusen; Ketil Stølen

Requirements from laws and regulations, as well as internal business objectives and policies, motivate enterprises to implement advanced monitoring tools. For example, a company may want a dynamic picture of its operational risk level, its performance, or the extent to which it achieves its business objectives. The widespread use of information and communication technology (ICT) supported business processes means there is great potential for enterprise level monitoring tools. In this paper we present an architectural pattern to serve as a basis for building such monitoring tools that collect relevant data from the ICT infrastructure, aggregate this data into useful information, and present this in a way that is understandable to users.


Dagstuhl Workshop on Model-Based Engineering of Embedded Real-Time Systems | 2007

4 Semantics of UML Models for Dynamic Behavior

Mass Soldal Lund; Atle Refsdal; Ketil Stølen

Models are used for a number of different purposes, from the requirements capture and design of a new system, to the testing of an existing system. Many different modeling languages are available, and the semantics given for the languages vary from informal natural language descriptions to various kinds of mathematical or logical definitions. When choosing a modeling language and accompanying semantics, a number of things need to be taken into consideration, such as who are the users of the models, what is the purpose of the models, what kind of application is being modeled, and what are the essential features that must be captured. When modeling embedded systems, an essential aspect is the interaction between hardware and software. Hence, we need to capture the behavior of the hardware and software components. For capturing the dynamic behavior of components, modeling languages like UML sequence diagrams, state machines and similar notations are often used. This paper surveys different approaches to formally capturing the semantics of models expressed using languages of this kind.


International Conference on Trust Management | 2005

The CORAS tool for security risk analysis

Fredrik Vraalsen; Folker den Braber; Mass Soldal Lund; Ketil Stølen

The CORAS Tool for model-based security risk analysis supports documentation and reuse of risk analysis results through integration of different risk analysis and software development techniques and tools. Built-in consistency checking facilitates the maintenance of the results as the target of analysis and risk analysis results evolve.

Collaboration

Top Co-Authors

Fabrice Bouquet

Centre national de la recherche scientifique

Jan Jürjens

University of Koblenz and Landau
