Abstract
We present a novel approach for the identification of risks for IT-based systems, where we base risk identification on the system architecture, in particular, the architectural principles a system is built on. Such principles can be expressed as architectural patterns, which are amenable to specific risks. We represent those risks – concerning e.g. safety, security or fault tolerance – as Risk Issue Questionnaires (RIQs). A RIQ enumerates the typical risks associated with a given architectural pattern. Risk identification proceeds by identifying the architectural patterns contained in a system architecture and processing the associated RIQs, i.e., for each issue in the RIQ it has to be assessed whether it is relevant for the system under analysis or not. We present an example of a RIQ, a RIQ-driven risk identification method, an application example, and the results of an initial experiment evaluating the RIQ method.
Notes
1. See e.g. [2] for software architectural patterns. System architectures are more general than software architectures, because they can contain hardware components, as well.
2. https://www.first.org/cvss/, accessed April 19, 2020.
3. https://cwe.mitre.org/data/index.html, accessed April 19, 2021.
4. https://cwe.mitre.org/cwraf/, accessed April 19, 2021.
5. https://cve.mitre.org/cve/, accessed April 19, 2021.
6.
7. https://collaborate.mitre.org/attackics/index.php, accessed April 19, 2021.
8. https://cwe.mitre.org/cwraf/data/vignettes.html, accessed April 19, 2021.
References
Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis. The CORAS Approach. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12323-8
Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., Stal, M.: Pattern-Oriented Software Architecture: A System of Patterns. Wiley, Hoboken (1996)
Jackson, M.: Problem Frames: Analyzing and Structuring Software Development Problems. Addison-Wesley Longman Publishing Co., Inc., Boston (2001)
Omerovic, A., Vefsnmo, H., Erdogan, G., Gjerde, O., Gramme, E., Simonsen, S.: A feasibility study of a method for identification and modelling of cybersecurity risks in the context of smart power grids. In: Muñoz, V.M., Firouzi, F., Estrada, E., Chang, V., (eds.) Proceedings of the 4th International Conference on Complexity, Future Information Systems and Risk, pp. 39–51. COMPLEXIS, SciTePress (2019)
Shostack, A.: Threat Modeling: Designing for Security. Wiley, Hoboken (2014)
Lin, L., Nuseibeh, B., Ince, D.C., Jackson, M., Moffett, J.D.: Introducing abuse frames for analysing security requirements. In: 11th IEEE International Conference on Requirements Engineering, RE, pp. 371–372. IEEE Computer Society (2003)
Li, T., Paja, E., Mylopoulos, J., Horkoff, J., Beckers, K.: Security attack analysis using attack patterns. In: Tenth IEEE International Conference on Research Challenges in Information Science, RCIS, pp. 1–13. IEEE (2016)
Hashizume, K., Fernández, E.B., Yoshioka, N.: Misuse patterns for cloud computing. In: Proceedings of the 23rd International Conference on Software Engineering & Knowledge Engineering (SEKE’2011), Eden Roc Renaissance, Miami Beach, USA, 7–9 July 2011, pp. 683–686. Knowledge Systems Institute Graduate School (2011)
Halkidis, S.T., Tsantalis, N., Member, S., Chatzigeorgiou, E., Stephanides, G.: Architectural risk analysis of software systems based on security patterns. IEEE Trans. Dependable Secure Comput. 5, 129–142 (2008)
Wirtz, R., Heisel, M.: A systematic method to describe and identify security threats based on functional requirements. In: Zemmari, A., Mosbah, M., Cuppens-Boulahia, N., Cuppens, F. (eds.) CRiSIS 2018. LNCS, vol. 11391, pp. 205–221. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12143-3_17
Wirtz, R., Heisel, M.: Risk identification: from requirements to threat models. In: Proceedings of the 6th International Conference on Information Systems Security and Privacy, vol. 1: ICISSP, pp. 385–396. INSTICC, SciTePress (2020)
Casola, V., Benedictis, A.D., Rak, M., Villano, U.: A novel security-by-design methodology: modeling and assessing security by SLAs with a quantitative approach. J. Syst. Softw. 163, 110537 (2020)
Leveson, N.: Safeware: System Safety and Computers. Addison-Wesley, Boston (1995)
Safety Management System and Safety Culture Working Group (SMS WG): Guidance on hazard identification. Technical report (2009)
IEC: Hazard and Operability Studies (HAZOP studies). IEC 61882, International Electrotechnical Commission (IEC) (2001)
Leveson, N.: Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Cambridge (2011)
International Organization for Standardization: ISO 26262 road vehicles - functional safety (2011)
Beckers, K., Frese, T., Hatebur, D., Heisel, M.: A structured and model-based hazard analysis and risk assessment method for automotive systems. In: Proceedings of the 24th IEEE International Symposium on Software Reliability Engineering, pp. 238–247. IEEE Computer Society (2013)
Slyngstad, O.P.N., Li, J., Conradi, R., Babar, M.A.: Identifying and understanding architectural risks in software evolution: an empirical study. In: Jedlitschka, A., Salo, O. (eds.) PROFES 2008. LNCS, vol. 5089, pp. 400–414. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69566-0_32
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Heisel, M., Omerovic, A. (2021). Risk Identification Based on Architectural Patterns. In: Paiva, A.C.R., Cavalli, A.R., Ventura Martins, P., Pérez-Castillo, R. (eds) Quality of Information and Communications Technology. QUATIC 2021. Communications in Computer and Information Science, vol 1439. Springer, Cham. https://doi.org/10.1007/978-3-030-85347-1_25
DOI: https://doi.org/10.1007/978-3-030-85347-1_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-85346-4
Online ISBN: 978-3-030-85347-1
eBook Packages: Computer Science, Computer Science (R0)