
Evolutionary Risk Analysis: Expert Judgement

Conference paper, Computer Safety, Reliability, and Security (SAFECOMP 2011)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 6894)

Abstract

New systems and functionalities are continuously deployed in complex domains such as Air Traffic Management (ATM). Unfortunately, existing methodologies provide limited support for dealing with changes and for assessing their impacts on critical features (e.g. safety, security, etc.). This paper is concerned with how change requirements affect security properties. A change requirement is a specification of changes that are to be implemented in a system. The paper reports our experience in supporting an evolutionary risk analysis that assesses change requirements and their impacts on security properties. In particular, it discusses how changes to structured risk analysis models are perceived by domain experts, presenting insights from a risk assessment exercise that uses the CORAS model-driven risk analysis in an ATM case study. It discusses how structured models supporting risk analysis help domain experts to analyse and assess the impact of changes on critical system features.



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

Cite this paper

Felici, M., Meduri, V., Solhaug, B., Tedeschi, A. (2011). Evolutionary Risk Analysis: Expert Judgement. In: Flammini, F., Bologna, S., Vittorini, V. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2011. Lecture Notes in Computer Science, vol 6894. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24270-0_8

  • DOI: https://doi.org/10.1007/978-3-642-24270-0_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24269-4

  • Online ISBN: 978-3-642-24270-0

  • eBook Packages: Computer Science; Computer Science (R0)