
Risk Identification Based on Architectural Patterns

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1439)

Abstract

We present a novel approach for the identification of risks for IT-based systems, where we base risk identification on the system architecture, in particular, the architectural principles a system is built on. Such principles can be expressed as architectural patterns, which are amenable to specific risks. We represent those risks – concerning e.g. safety, security or fault tolerance – as Risk Issue Questionnaires (RIQs). A RIQ enumerates the typical risks associated with a given architectural pattern. Risk identification proceeds by identifying the architectural patterns contained in a system architecture and processing the associated RIQs, i.e., for each issue in the RIQ it has to be assessed whether it is relevant for the system under analysis or not. We present an example of a RIQ, a RIQ-driven risk identification method, an application example, and the results of an initial experiment evaluating the RIQ method.


Notes

  1. See e.g. [2] for software architectural patterns. System architectures are more general than software architectures, because they can contain hardware components as well.

  2. https://www.first.org/cvss/, accessed April 19, 2020.

  3. https://cwe.mitre.org/data/index.html, accessed April 19, 2021.

  4. https://cwe.mitre.org/cwraf/, accessed April 19, 2021.

  5. https://cve.mitre.org/cve/, accessed April 19, 2021.

  6. https://www.enisa.europa.eu/news/enisa-news/your-must-have-iot-security-checklist-enisas-online-tool-for-iot-and-smart-infrastructures-security, accessed April 19, 2021.

  7. https://collaborate.mitre.org/attackics/index.php, accessed April 19, 2021.

  8. https://cwe.mitre.org/cwraf/data/vignettes.html, accessed April 19, 2021.

References

  1. Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis. The CORAS Approach. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12323-8


  2. Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., Stal, M.: Pattern-Oriented Software Architecture: A System of Patterns. Wiley, Hoboken (1996)


  3. Jackson, M.: Problem Frames: Analyzing and Structuring Software Development Problems. Addison-Wesley Longman Publishing Co., Inc., Boston (2001)


  4. Omerovic, A., Vefsnmo, H., Erdogan, G., Gjerde, O., Gramme, E., Simonsen, S.: A feasibility study of a method for identification and modelling of cybersecurity risks in the context of smart power grids. In: Muñoz, V.M., Firouzi, F., Estrada, E., Chang, V., (eds.) Proceedings of the 4th International Conference on Complexity, Future Information Systems and Risk, pp. 39–51. COMPLEXIS, SciTePress (2019)


  5. Shostack, A.: Threat Modeling: Designing for Security. Wiley, Hoboken (2014)


  6. Lin, L., Nuseibeh, B., Ince, D.C., Jackson, M., Moffett, J.D.: Introducing abuse frames for analysing security requirements. In: 11th IEEE International Conference on Requirements Engineering, RE, pp. 371–372. IEEE Computer Society (2003)


  7. Li, T., Paja, E., Mylopoulos, J., Horkoff, J., Beckers, K.: Security attack analysis using attack patterns. In: Tenth IEEE International Conference on Research Challenges in Information Science, RCIS, pp. 1–13. IEEE (2016)


  8. Hashizume, K., Fernández, E.B., Yoshioka, N.: Misuse patterns for cloud computing. In: Proceedings of the 23rd International Conference on Software Engineering & Knowledge Engineering (SEKE’2011), Eden Roc Renaissance, Miami Beach, USA, 7–9 July 2011, pp. 683–686. Knowledge Systems Institute Graduate School (2011)


  9. Halkidis, S.T., Tsantalis, N., Member, S., Chatzigeorgiou, E., Stephanides, G.: Architectural risk analysis of software systems based on security patterns. IEEE Trans. Dependable Secure Comput. 5, 129–142 (2008)


  10. Wirtz, R., Heisel, M.: A systematic method to describe and identify security threats based on functional requirements. In: Zemmari, A., Mosbah, M., Cuppens-Boulahia, N., Cuppens, F. (eds.) CRiSIS 2018. LNCS, vol. 11391, pp. 205–221. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12143-3_17


  11. Wirtz, R., Heisel, M.: Risk identification: from requirements to threat models. In: Proceedings of the 6th International Conference on Information Systems Security and Privacy, vol. 1: ICISSP, pp. 385–396. INSTICC, SciTePress (2020)


  12. Casola, V., Benedictis, A.D., Rak, M., Villano, U.: A novel security-by-design methodology: modeling and assessing security by SLAs with a quantitative approach. J. Syst. Softw. 163, 110537 (2020)


  13. Leveson, N.: Safeware: System Safety and Computers. Addison-Wesley, Boston (1995)


  14. Safety Management System and Safety Culture Working Group (SMS WG): Guidance on hazard identification. Technical report (2009)


  15. IEC: Hazard and Operability Studies (HAZOP studies). IEC 61882, International Electrotechnical Commission (IEC) (2001)


  16. Leveson, N.: Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Cambridge (2011)


  17. International Organization for Standardization: ISO 26262 road vehicles - functional safety (2011)


  18. Beckers, K., Frese, T., Hatebur, D., Heisel, M.: A structured and model-based hazard analysis and risk assessment method for automotive systems. In: Proceedings of the 24th IEEE International Symposium on Software Reliability Engineering, pp. 238–247. IEEE Computer Society (2013)


  19. Slyngstad, O.P.N., Li, J., Conradi, R., Babar, M.A.: Identifying and understanding architectural risks in software evolution: an empirical study. In: Jedlitschka, A., Salo, O. (eds.) PROFES 2008. LNCS, vol. 5089, pp. 400–414. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69566-0_32


Author information


Correspondence to Maritta Heisel.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Heisel, M., Omerovic, A. (2021). Risk Identification Based on Architectural Patterns. In: Paiva, A.C.R., Cavalli, A.R., Ventura Martins, P., Pérez-Castillo, R. (eds) Quality of Information and Communications Technology. QUATIC 2021. Communications in Computer and Information Science, vol 1439. Springer, Cham. https://doi.org/10.1007/978-3-030-85347-1_25


  • DOI: https://doi.org/10.1007/978-3-030-85347-1_25


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-85346-4

  • Online ISBN: 978-3-030-85347-1

  • eBook Packages: Computer Science (R0)
