2002
DOI: 10.1007/3-540-45732-1_11

The CORAS Framework for a Model-Based Risk Management Process

Abstract: CORAS is a research and technological development project under the Information Society Technologies (IST) Programme (Commission of the European Communities, Directorate-General Information Society). One of the main objectives of CORAS is to develop a practical framework, exploiting methods for risk analysis, semiformal methods for object-oriented modelling, and computerised tools, for a precise, unambiguous, and efficient risk assessment of security critical systems. This paper presents the CORAS fr…

Cited by 50 publications (33 citation statements)
References: 4 publications

“…CRAMM (Bornman and Labuschagne, 2004; Yazar, 2002; Sarkheyli and Ithnin, 2010; Enterprise, 2005) ii. CORAS (Braber et al, 2007; Vorster and Labuschagne, 2005; Bornman and Labuschagne, 2004; Aagedal et al, 2002; Fredriksen et al, 2002; Raymond, 1993; Lund et al, 2011; Dahl, 2008; Refsdal, 2011a,b) iii. OCTAVE (Vorster and Labuschagne, 2005; Bornman and Labuschagne, 2004; Alberts et al, 2003; Sarkheyli and Ithnin, 2010; Albert and Dorofee, 2001; Alberts et al, 2001; Elky, 2006; Visintine, 2003) The reason for the selection of various types of methods for comparison is because they have been well documented.…”
Section: Information Security Risk Management Methodologies
Citation type: mentioning
confidence: 99%

“…Several methodologies are used in the analysis, such as matrix-based approach [20], paired comparison [41], and asset-function assignment tables (CMS) [12]. Some researchers have been made to develop complex tools for information security risk analysis such as The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) [1], CORAS [43], CRAMM [4], Information Security Risk Analysis Method (ISRAM) [24], CCTA Risk Analysis and Management (CRAMM) ([4], [53]), and CORAS ([17], [20], [23], [48]). Facilitated Risk Assessment Process (FRAP) ([6], [33]), the Consultative Objective and Bi-functional Risk Analysis (COBRA) [13], Is Risk Analysis Based on Business Model developed at the Korea Advanced Institute of Science and Technology in 2002 ([29], [41], [44]), the Risk Watch method as a criterion may be annual loss and estimates are selected from the investment return and Matrix-Based method [20].…”
Section: Literature Review
Citation type: mentioning
confidence: 99%

“…Today, a collection of information security risk management methods, standards and best-practice guidelines, such as CRAMM [10], NIST SP 800-30 [4], CORAS [11], OCTAVE [12], EBIOS [13], and recently ISO 27005 [14] exist. High level standards such as NIST SP 800-30 and ISO 27005 address the step of determining the importance of an organization's resources by recommending the collection of information on business processes and system/data criticality and sensitivity.…”
Section: Existing Approaches
Citation type: mentioning
confidence: 99%