A Graphical Approach to Risk Identification, Motivated by Empirical Investigations

Hogganvik, Ida; Stølen, Ketil

doi:10.1007/11880240_40

Cited by 35 publications

(25 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It also differs from other approaches in that it has been developed to facilitate communication and interaction during structured brainstorming sessions involving people of heterogeneous backgrounds [7,8,21]. To this end the CORAS language makes use of graphical symbols, or icons, that are closely related to the underlying risk analysis concepts, and that are intended to be easily comprehensible.…”

Section: Coras Approachmentioning

confidence: 99%

Security risk analysis of system changes exemplified within the oil and gas domain

Refsdal

Solhaug

Stølen

2014

Int J Softw Tools Technol Transfer

Self Cite

View full text Add to dashboard Cite

Changes, such as the introduction of new technology, may have considerable impact on the risk to which a system or organization is exposed. For example, in the oil & gas domain, introduction of technology that allows offshore installations to be operated from onshore means that fewer people are exposed to risk on the installation, but it also introduces new risks and vulnerabilities. We need suitable methods and techniques in order to understand how a change will affect the risk picture. This paper presents an approach that offers specialized support for analysis of risk with respect to change. The approach allows links between elements of the target of analyses and the related parts of the risk model to be explicitly captured, which facilitates tool support for identifying the parts of a risk model that need to be reconsidered when a change is made to the target. Moreover, the approach offers language constructs for capturing the risk picture before and after a change. The approach is demonstrated on a case concerning new software technology to support decision making on petroleum installations.

show abstract

Section: Coras Approachmentioning

confidence: 99%

Security risk analysis of system changes exemplified within the oil and gas domain

Refsdal

Solhaug

Stølen

2014

Int J Softw Tools Technol Transfer

Self Cite

View full text Add to dashboard Cite

show abstract

“…The CORAS language has later been customised and rened in several aspects, based on experiences from industrial case studies, and by empirical investigations documented in [5,6,7]. Misuse cases [3,21,22] was an important source of inspiration in the development of the UML prole mentioned above.…”

Section: Related Workmentioning

confidence: 99%

Using Dependent CORAS Diagrams to Analyse Mutual Dependency

Brændeland

Dahl

Engan

et al. 2008

Critical Information Infrastructures Security

Self Cite

View full text Add to dashboard Cite

Abstract. The CORAS method for security risk analysis provides a customized language, the CORAS diagrams, for threat and risk modelling. In this paper, we extend this language to capture context dependencies, and use it as a means to analyse mutual dependency. We refer to the extension as dependent CORAS diagrams. We dene a textual syntax using EBNF and explain how a dependent CORAS diagram may be schematically translated via the textual syntax into a paragraph in English, characterizing its intended meaning. Then we demonstrate the suitability of the language by means of a core example.

show abstract

“…15 An asset's capacity is reduced (under-provisioning). 16 An asset is subjected to more use than expected (overuse). 17 An asset commits to do more than it can.…”

Section: Threat Modellingmentioning

confidence: 99%

“…For example, Secure Tropos [14] provides a diagrammatic approach to risk modeling, which has been extended [15] to provide a domain model covering assets, risks and risk treatment related concepts, and asset security criteria for confidentiality, integrity and availability. The CORAS project [16], [17] also used a graphical approach to identify, explain and document security threats and risk scenarios. A graphical notation was developed to perform five security analysis tasks: Context establishment, Risk identification, Risk estimation, Risk evaluation and Treatment identification.…”

Section: Related Workmentioning

confidence: 99%

Run-Time Risk Management in Adaptive ICT Systems

Surridge¹,

Nasser²,

Chen³

et al. 2013

2013 International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Abstract-We will present results of the SERSCIS project related to risk management and mitigation strategies in adaptive multi-stakeholder ICT systems. The SERSCIS approach involves using semantic threat models to support automated design-time threat identification and mitigation analysis. The focus of this paper is the use of these models at run-time for automated threat detection and diagnosis. This is based on a combination of semantic reasoning and Bayesian inference applied to run-time system monitoring data. The resulting dynamic risk management approach is compared to a conventional ISO 27000 type approach, and validation test results presented from an Airport Collaborative Decision Making (A-CDM) scenario involving data exchange between multiple airport service providers.

show abstract

A Graphical Approach to Risk Identification, Motivated by Empirical Investigations

Cited by 35 publications

References 9 publications

Security risk analysis of system changes exemplified within the oil and gas domain

Security risk analysis of system changes exemplified within the oil and gas domain

Using Dependent CORAS Diagrams to Analyse Mutual Dependency

Run-Time Risk Management in Adaptive ICT Systems

Contact Info

Product

Resources

About