Risk analysis terminology for IT-systems: does it match intuition?

Hogganvik, Ida; Stølen, Ketil

doi:10.1109/isese.2005.1541810

Cited by 8 publications

(12 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• a survey of security risk analysis terminology that helped us to identify the intuitive and more problematic parts of the language's conceptual foundation -the subjects were professionals and master students within software engineering [9],…”

Section: Conclusion and Related Workmentioning

confidence: 99%

Model-based security analysis in seven steps — a guided tour to the CORAS method

Braber¹,

Hogganvik²,

Lund³

et al. 2007

BT Technol J

Self Cite

164

118

View full text Add to dashboard Cite

This paper presents the CORAS method for model-based security analysis. The presentation is case-driven. We follow two analysts in their interaction with an organisation by which they have been hired to carry out a security risk analysis. The analysis is divided into seven main steps, and the paper devotes a separate section to each of them. The paper focuses in particular on the use of the CORAS security risk modelling language as a means for communication and interaction during the seven steps.

show abstract

Section: Conclusion and Related Workmentioning

confidence: 99%

Model-based security analysis in seven steps — a guided tour to the CORAS method

Braber¹,

Hogganvik²,

Lund³

et al. 2007

BT Technol J

Self Cite

164

118

View full text Add to dashboard Cite

show abstract

“…It also differs from other approaches in that it has been developed to facilitate communication and interaction during structured brainstorming sessions involving people of heterogeneous backgrounds [24,25]. It also differs from other approaches in that it has been developed to facilitate communication and interaction during structured brainstorming sessions involving people of heterogeneous backgrounds [24,25].…”

Section: Situating Coras Within This Picturementioning

confidence: 99%

“…A dedicated network between the regional hospital and several primary 24 3 A Guided Tour of the CORAS Method health care centres (PHCC) allows a general practitioner (GP) to conduct a cardiological examination of a patient (at the PHCC) in cooperation with a cardiologist located at the hospital. A dedicated network between the regional hospital and several primary 24 3 A Guided Tour of the CORAS Method health care centres (PHCC) allows a general practitioner (GP) to conduct a cardiological examination of a patient (at the PHCC) in cooperation with a cardiologist located at the hospital.…”

Section: Preparations For the Analysismentioning

confidence: 99%

Model-Driven Risk Analysis

Lund¹,

Solhaug²,

Stølen³

2011

218

View full text Add to dashboard Cite

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Cover design: KünkelLopka GmbH, HeidelbergPrinted on acid-free paper Springer is part of Springer Science+Business Media (www.springer.com) PrefaceExposure to risk is inescapable in most domains. People and families, enterprises, governments, private and public organisations, infrastructure providers, service providers, and so forth all encounter risks on an ongoing and frequent basis. The kinds of risks however vary from domain to domain, be it safety, economy, information and ICT security, politics, civil protection, emergency planning, defence, law, health, and so on. The need for understanding and managing risk is self-evident. Risk management is moreover in many cases imposed as a prerequisite, be it by law and legal regulations or from the public opinion, in particular within critical areas that may affect privacy and welfare, or even health and human life. In other cases, the lack of good routines, cultures and processes for managing risk may be a decisive factor for risks to emerge that should or could have been avoided.In this book, we present CORAS, which is a model-driven approach to risk analysis. Risk analysis is a core part of the overall process of risk management. In order to conduct risk analysis in practice, there is clearly a need for well-defined methods, techniques and guidelines for how to do this, and this is precisely what CORAS offers. Risk analysts, or for that matter anyone with a need for identifying and understanding risks, will in this book find guidance on how to conduct a stepwise, structured and systematic analysis and documentation of risks.The book also serves as an introduction to risk analysis in general, and as an introduction to the central and well-established underlying concepts and terminology. Practitioners, as well as graduate or undergraduate students, particularly within the IT domain, are therefore main target groups of this book. CORAS is strongly related to international standards on risk management, and this book therefore serves as an introduction to many of the issues that are addressed in these standards.An important objective of this book is to accompany standardised risk management guidelines and terminology with comprehensive pragmatic support. International standards generally focus on the what, but say little or nothing about the how. This book is a self-contained contribution not only to understand what risk management, risk analysis and risk related concepts are, but also to learn how to do risk analysis in practice. Extensive use of practical and illustrative examples furthermore facilitates a deep understanding of both the pragmatics and the conceptual aspects. v vi PrefaceThe comprehensiveness of CORAS is manifested by the three complementary parts of the approach. CORAS consists of a cust...

show abstract

“…It also differs from other approaches in that it has been developed to facilitate communication and interaction during structured brainstorming sessions involving people of heterogeneous backgrounds [7,8,21]. To this end the CORAS language makes use of graphical symbols, or icons, that are closely related to the underlying risk analysis concepts, and that are intended to be easily comprehensible.…”

Section: Coras Approachmentioning

confidence: 99%

Security risk analysis of system changes exemplified within the oil and gas domain

Refsdal

Solhaug

Stølen

2014

Int J Softw Tools Technol Transfer

View full text Add to dashboard Cite

Changes, such as the introduction of new technology, may have considerable impact on the risk to which a system or organization is exposed. For example, in the oil & gas domain, introduction of technology that allows offshore installations to be operated from onshore means that fewer people are exposed to risk on the installation, but it also introduces new risks and vulnerabilities. We need suitable methods and techniques in order to understand how a change will affect the risk picture. This paper presents an approach that offers specialized support for analysis of risk with respect to change. The approach allows links between elements of the target of analyses and the related parts of the risk model to be explicitly captured, which facilitates tool support for identifying the parts of a risk model that need to be reconsidered when a change is made to the target. Moreover, the approach offers language constructs for capturing the risk picture before and after a change. The approach is demonstrated on a case concerning new software technology to support decision making on petroleum installations.

show abstract

Risk analysis terminology for IT-systems: does it match intuition?

Cited by 8 publications

References 4 publications

Model-based security analysis in seven steps — a guided tour to the CORAS method

Model-based security analysis in seven steps — a guided tour to the CORAS method

Model-Driven Risk Analysis

Security risk analysis of system changes exemplified within the oil and gas domain

Contact Info

Product

Resources

About