
An Approach for Model-Based Risk Assessment

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3219)

Abstract

Traditional risk analysis and assessment is based on failure-oriented models of the system. By contrast, model-based risk assessment (MBRA) uses success-oriented models that describe all intended aspects of the target, including its functional, operational and organisational aspects. These target models serve both as input to complementary risk analysis and assessment techniques and as the basis for documenting the assessment results. The EU-funded CORAS project developed a tool-supported methodology for model-based risk analysis of security-critical systems. The methodology was tried out in the telemedicine and e-commerce domains, and a series of seven trials showed that it provides a sound basis for risk assessment. This paper gives an overview of the results, focusing on how the approach can be applied to address security aspects of a safety-critical application, and discusses how the methodology can be used as part of trust case development.



Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gran, B.A., Fredriksen, R., Thunem, A.P.J. (2004). An Approach for Model-Based Risk Assessment. In: Heisel, M., Liggesmeyer, P., Wittmann, S. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2004. Lecture Notes in Computer Science, vol 3219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30138-7_26

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-30138-7_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23176-9

  • Online ISBN: 978-3-540-30138-7

  • eBook Packages: Springer Book Archive
