Abstract: This paper presents the CORAS method for model-based security analysis. The presentation is case-driven. We follow two analysts in their interaction with an organisation by which they have been hired to carry out a security risk analysis. The analysis is divided into seven main steps, and the paper devotes a separate section to each of them. The paper focuses in particular on the use of the CORAS security risk modelling language as a means for communication and interaction during the seven steps.
“…It is based on ISO 15408:2007 [89][90][91] and consists of four main components: (1) a risk documentation framework based on RM-ODP [69]; (2) a risk management process based on the AS/NZS 4360:2004 [97]; (3) an integrated risk management and system development process based on the Unified Process [28] and (4) a platform for tool inclusion based on data-integration using XML.…” (Figure 2.1: Sub-processes of CORAS risk management process [14])
Section: Background Information 221 CORAS (mentioning, confidence 99%)
“…During these HazOp sessions, to motivate the attendees to structured thinking, the risk [14]…” (table header fragment: To/From HazOp FTA HazOp)
Section: Step 4: Threat and Vulnerability Identification (mentioning, confidence 99%)
“…When applied together they can be applied as input/output to each other, as documented by Table 2.1 [14].…”
Section: Step 4: Threat and Vulnerability Identification (mentioning, confidence 99%)
“…Another proposal is that of Braber et al. [14], who developed the CORAS framework to produce an improved method for precise, unambiguous, and efficient risk analysis of security-critical systems. CORAS focuses on the tight integration of viewpoint-oriented visual modelling in the RA process, using a UML-based approach in the context of security and RA.…”
Section: Related Work (mentioning, confidence 99%)
“…For this reason, the European Telecommunications Standards Institute (ETSI) developed a threat, vulnerability, risk analysis (eTVRA) method to support telecommunication companies in the Common Criteria (CC) evaluation. eTVRA builds on the risk management component of the CORAS framework [14] and is structured to provide output that can be directly used for the security evaluation. Thus, it aims at a more cost-efficient CC evaluation process.…”