Skip to main content
Springer Nature Link
Log in

Specifying Legal Risk Scenarios Using the CORAS Threat Modelling Language

Experiences and the Way Forward

  • Conference paper
Trust Management (iTrust 2005)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 3477))

Included in the following conference series:

  • 2146 Accesses

Abstract

The paper makes two main contributions: (1) It presents experiences from using the CORAS language for security threat modelling to specify legal risk scenarios. These experiences are summarised in the form of requirements to a more expressive language providing specific support for the legal domain. (2) Its second main contribution is to present ideas towards the fulfilment of these requirements. More specifically, it extends the CORAS conceptual model for security risk analysis with legal concepts and associations. Moreover, based on this extended conceptual model, it introduces a number of promising language constructs addressing some of the identified deficiencies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Jøsang, A., Ismail, R., Boyd, C.: A Survey of Trust and Reputation Systems for Online Service Provision. Decision Support Systems (to appear), http://security.dstc.edu.au/papers/JIB2005-DSS.pdf

  2. Egger, F.N.: Towards a model of trust for e-commerce system design. In: CHI 2000: Workshop Designing Interactive Systems for 1-to-1 E-commerce (2000), http://www.zurich.ibm.com/~mrs/chi2000/contributions/egger.html

  3. Jones, S., Wilikens, M., Morris, P., Masera, M.: Trust requirements in e-business. Communications of the ACM 43, 81–87 (2000)

    Article  Google Scholar 

  4. Wahlgren, P.: Juridisk riskanalys - Mot en säkrare juridisk metod. Jure, Stockholm (2003) (in Swedish)

    Google Scholar 

  5. Susskind, R.: The Future of Law. Clarendon Press, Oxford (1996)

    Google Scholar 

  6. Reidenberg, J.: Lex Informatica: The Formulation of Information Policy Rules Through Technology. In: Texas Law Review, vol. 76, pp. 553–593 (1998)

    Google Scholar 

  7. CORAS: The CORAS project (2005), http://coras.sourceforge.net/ (visited February 2005)

  8. Dimitrakos, T., Ritchie, B., Raptis, D., Aagedal, J.Ø., den Braber, F., Stølen, K., Houmb, S.H.: Integrating model-based security risk managament into eBusiness systems development: The CORAS approach. In: I3E 2002, pp. 159–175. Kluwer, Dordrecht (2002)

    Google Scholar 

  9. Raptis, D., Dimitrakos, T., Gran, B.A., Stølen, K.: The CORAS approach for model-based risk management applied to e-commerce domain. In: CMS 2002, pp. 169–181. Kluwer, Dordrecht (2002)

    Google Scholar 

  10. OMG: UML 2.0 Superstructure Specification (2004) OMG Document: ptc/2004-10-02

    Google Scholar 

  11. Lund, M.S., Hogganvik, I., Seehusen, F., Stølen, K.: UML profile for security assessment. Technical Report STF40 A03066, SINTEF Telecom and informatics (2003)

    Google Scholar 

  12. OMG: UML Profile for Modeling Quality of Service and Fault Tolerance Characteristics and Mechanisms, Draft Adopted Specification (2004), OMG Document: ptc/2004-06-01

    Google Scholar 

  13. TrustCoM: Trust and Contract Management in Virtual Organisations (2005), http://www.eu-trustcom.com/ (visited February 2005)

  14. Redmill, F., Chudleigh, M., Catmur, J.: HazOp and software HazOp. Wiley, Chichester (1999)

    Google Scholar 

  15. Chellas, B.F.: Modal Logic - An Introduction. Cambridge University Press, Cambridge (1980)

    MATH  Google Scholar 

  16. Elgesem, D.: The Modal Logic of Agency. Nordic Journal of Philosophical Logic 2 (1997)

    Google Scholar 

  17. Brændeland, G., Stølen, K.: Using risk analysis to assess user trust - a net-bank scenario. In: Jensen, C., Poslad, S., Dimitrakos, T. (eds.) iTrust 2004. LNCS, vol. 2995, pp. 146–160. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  18. den Braber, F., Lund, M.S., Stølen, K.: Using the CORAS Threat Modelling Language to Document Threat Scenarios for several Microsoft relevant Technologies. Technical Report STF90 A04057, SINTEF ICT (2004)

    Google Scholar 

  19. Berardi, D., Calì, A., Calvanese, D., De Giacomo, G.: Reasoning on UML Class Diagrams. Technical Report 11-03, Dipartimento di Informatica e Sistemistica, Università di Roma La Sapienza (2003)

    Google Scholar 

  20. Haugen, Ø., Husa, K.E., Runde, R.K., Stølen, K.: Why timed sequence diagrams require three-event semantics. In: Leue, S., Systä, T.J. (eds.) Scenarios: Models, Transformations and Tools. LNCS, vol. 3466, pp. 1–25. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  21. ISO/IEC: FCD 15414: Information Technology - Open Distributed Processing - Reference Model - Enterprise Viewpoint. JTC1/SC7 N2359, ISO/IEC (2000)

    Google Scholar 

  22. Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The Ponder Specification Language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, p. 18. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  23. OASIS: eXtensible Access Control Markup Language (XACML) Version 1.0. Technical report, OASIS (2003)

    Google Scholar 

  24. Chu, Y.H., Feigenbaum, J., LaMacchia, B., Resnick, P., Strauss, M.: Referee: Trust management for web applications. In: Sixth International World Wide Web Conference, Santa Clara, CA, USA (1997)

    Google Scholar 

  25. Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The KeyNote Trust Management System, Version 2. Request For Comments (RFC) 2704, AT&T Labs and University of Pennsylvania (1999)

    Google Scholar 

  26. Biskup, J., Karabulut, Y.: A Hybrid PKI Model with an Application for Secure Mediation. In: 16th Annual IFIP WG 11.3 Working Conference on Data and Application Security, Cambridge, England, pp. 271–282. Kluwer Academic Press, Dordrecht (2002)

    Google Scholar 

  27. PERMIS: Privilege and Role Management Infrastructure Standards Validation (2004), http://sec.isi.salford.ac.uk/permis/ (visited December 2004)

  28. Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A.: TROPOS: An Agent-Oriented Software Development Methodology. Journal of Autonomous Agents and Multi-Agent Systems 8, 203–236 (2004)

    Article  Google Scholar 

  29. Sagri, M.T., Tiscornia, D., Gangemi, A.: An ontology-based model for Representing Bundle-of-rights. In: Meersman, R., Tari, Z., Corsaro, A. (eds.) OTM-WS 2004. LNCS, vol. 3292, pp. 674–688. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. SINTEF, Norway

    Fredrik Vraalsen, Mass Soldal Lund & Ketil Stølen

  2. Norwegian Research Center for Computers and Law, University of Oslo, Norway

    Tobias Mahler

  3. King’s College London, UK

    Xavier Parent

Authors
  1. Fredrik Vraalsen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mass Soldal Lund
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Tobias Mahler
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Xavier Parent
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Ketil Stølen
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Telematics, Norwegian University of Science and Technology (NTNU), N-7491, Trondheim, Norway

    Peter Herrmann

  2. INRIA-Rocquencourt, Domaine de Voluceau, 78153, Le Chesnay, France

    Valérie Issarny

  3. Department of Computing, The Hong Kong Polytechnic University, HungHom, Kowloon, Hong Kong

    Simon Shiu

Rights and permissions

Reprints and permissions

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vraalsen, F., Lund, M.S., Mahler, T., Parent, X., Stølen, K. (2005). Specifying Legal Risk Scenarios Using the CORAS Threat Modelling Language. In: Herrmann, P., Issarny, V., Shiu, S. (eds) Trust Management. iTrust 2005. Lecture Notes in Computer Science, vol 3477. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11429760_4

Download citation

  • DOI: https://doi.org/10.1007/11429760_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26042-4

  • Online ISBN: 978-3-540-32040-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics