The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
Cover design: KünkelLopka GmbH, Heidelberg

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com)
Preface

Exposure to risk is inescapable in most domains. People and families, enterprises, governments, private and public organisations, infrastructure providers, service providers, and so forth all encounter risks on an ongoing and frequent basis. The kinds of risks however vary from domain to domain, be it safety, economy, information and ICT security, politics, civil protection, emergency planning, defence, law, health, and so on. The need for understanding and managing risk is self-evident. Risk management is moreover in many cases imposed as a prerequisite, be it by law and legal regulations or by public opinion, in particular within critical areas that may affect privacy and welfare, or even health and human life. In other cases, the lack of good routines, cultures and processes for managing risk may be a decisive factor for risks to emerge that should or could have been avoided.

In this book, we present CORAS, which is a model-driven approach to risk analysis. Risk analysis is a core part of the overall process of risk management. In order to conduct risk analysis in practice, there is clearly a need for well-defined methods, techniques and guidelines for how to do this, and this is precisely what CORAS offers. Risk analysts, or for that matter anyone with a need for identifying and understanding risks, will in this book find guidance on how to conduct a stepwise, structured and systematic analysis and documentation of risks.

The book also serves as an introduction to risk analysis in general, and as an introduction to the central and well-established underlying concepts and terminology. Practitioners, as well as graduate or undergraduate students, particularly within the IT domain, are therefore main target groups of this book.
CORAS is strongly related to international standards on risk management, and this book therefore serves as an introduction to many of the issues that are addressed in these standards.

An important objective of this book is to accompany standardised risk management guidelines and terminology with comprehensive pragmatic support. International standards generally focus on the what, but say little or nothing about the how. This book is a self-contained contribution not only to understanding what risk management, risk analysis and risk-related concepts are, but also to learning how to do risk analysis in practice. Extensive use of practical and illustrative examples furthermore facilitates a deep understanding of both the pragmatics and the conceptual aspects.

The comprehensiveness of CORAS is manifested by the three complementary parts of the approach. CORAS consists of a cust...