Abstract
Traditional risk analysis and assessment is based on failure-oriented models of the system. In contrast, model-based risk assessment (MBRA) uses success-oriented models that describe all intended aspects of the system, including the functional, operational and organisational aspects of the target. These target models then serve as input to complementary risk analysis and assessment techniques, and as a basis for documenting the assessment results. The EU-funded CORAS project developed a tool-supported methodology for model-based risk analysis of security-critical systems. The methodology has been tried out in the telemedicine and e-commerce domains and, through a series of seven trials, has provided a sound basis for risk assessments. This paper gives an overview of the results, focusing on how the approach can be applied to address security aspects of a safety-critical application, and discusses how the methodology can be used as part of trust case development.
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gran, B.A., Fredriksen, R., Thunem, A.P.J. (2004). An Approach for Model-Based Risk Assessment. In: Heisel, M., Liggesmeyer, P., Wittmann, S. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2004. Lecture Notes in Computer Science, vol 3219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30138-7_26
DOI: https://doi.org/10.1007/978-3-540-30138-7_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23176-9
Online ISBN: 978-3-540-30138-7