Abstract
The CORAS method for security risk analysis provides a customized language, the CORAS diagrams, for threat and risk modelling. In this paper, we extend this language to capture context dependencies, and use it as a means to analyse mutual dependency. We refer to the extension as dependent CORAS diagrams. We define a textual syntax using EBNF and explain how a dependent CORAS diagram may be schematically translated via the textual syntax into a paragraph in English, characterizing its intended meaning. Then we demonstrate the suitability of the language by means of a core example.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Brændeland, G., Dahl, H.E.I., Engan, I., Stølen, K. (2008). Using Dependent CORAS Diagrams to Analyse Mutual Dependency. In: Lopez, J., Hämmerli, B.M. (eds) Critical Information Infrastructures Security. CRITIS 2007. Lecture Notes in Computer Science, vol 5141. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89173-4_12
DOI: https://doi.org/10.1007/978-3-540-89173-4_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89095-9
Online ISBN: 978-3-540-89173-4
eBook Packages: Computer Science (R0)