The CORAS Language – why it is designed the way it is

Bjørnar Solhaug and Ketil Stølen
CORAS [6] is an approach to risk analysis based on the ISO 31000 international standard on risk management [4]. The approach is model-driven in the sense that graphical models are actively used throughout the whole risk analysis process to support the various analysis tasks and activities, and to document the results. It is defensive, which means that the risk analysis is concerned with protecting existing assets, rather than balancing potential gain against risk of investment loss (as, for…


Security risk analysis of system changes exemplified within the oil and gas domain

An approach that offers specialized support for analysis of risk with respect to change is presented, which allows links between elements of the target of analyses and the related parts of the risk model to be explicitly captured, which facilitates tool support for identifying the parts of a risk model that need to be reconsidered when a change is made to the target.

Development of Tool Support within the Domain of Risk-Driven Security Testing

This thesis investigates how the CORAL approach can be supported by a tool, in order to fulfil the overall aim of introducing proper tool support for the domain of risk-driven security testing, and proposes a tool developed as a plug-in for the Eclipse Papyrus tool, which supports the CORAL approach.

An integrated conceptual model for information system security risk management supported by enterprise architecture management

In this paper, through elaboration and validation, an existing ISSRM domain model, i.e. a conceptual model depicting the domain of ISSRM, is improved with the concepts of EAM, and an EAM-ISSRM integrated model is defined.

An Integrated Conceptual Model for Information System Security Risk Management and Enterprise Architecture Management Based on TOGAF

A first step towards a better integration of both domains is to define an EAM-ISSRM conceptual integrated model, a conceptual model depicting the domain of ISSRM with the concepts of EAM, a well-known EAM standard.

Software Security Specifications and Design: How Software Engineers and Practitioners Are Mixing Things up

This research represents a corrective study that sheds light on what has been achieved in analyzing and designing secure software, what problems have been committed, and how to handle them.

Tool Support for Risk-driven Planning of Trustworthy Smart IoT Systems within DevOps

This paper focuses on the planning stage of DevOps and proposes a tool-supported method for risk-driven planning considering security and privacy risks, and indicates that the approach is comprehensible for intended users, supports the planning stage in terms of security and privacy risk assessment, and is feasible for use in the DevOps practice.

The Trouble with Security Requirements

  • Sven Türpe
  • Computer Science
    2017 IEEE 25th International Requirements Engineering Conference (RE)
  • 2017
This perspective paper systematizes the problem space of security requirements engineering and identifies the three perspectives necessary to develop secure systems: threats, security goals, and system design.

Supporting ISO 27001 Establishment with CORAS

This work presents an extension to this method called ISMS-CORAS, which enables security engineers to create an ISO 27001 compliant ISMS including the needed documentation, which is applied to a smart grid scenario provided by the industrial partners of the NESSoS project.

Pattern and Security Requirements

An overview of existing research approaches to address the possibility to mitigate security threats using security standards and the problems that engineers face when doing so, which are caused by ambiguity in these standards.

Design Threats Goals System Adversaries Possible attacks Consequences Stakeholders Environment

This perspective paper systematizes the problem space of security requirements engineering and examines the interplay of three dimensions: threats, security goals, and system design to develop secure systems.



Model-Driven Risk Analysis - The CORAS Approach

This book serves as an introduction to risk analysis in general, including the central concepts and notions in risk analysis and their relations, and is to support risk analysts in conducting structured and stepwise risk analysis.

Risk Analysis of Changing and Evolving Systems Using CORAS

This paper introduces general techniques and guidelines for managing risk in changing systems, and instantiates these in the CORAS approach to model-driven risk analysis.

Model-driven risk analysis of evolving critical infrastructures

An approach to model-driven security risk analysis of changing and evolving systems is presented, a tool-supported method with techniques and modeling support for traceability of system changes to risk models, as well as the explicit modeling of the impact of changes on the current risk picture.

A graphical approach to risk identification, motivated by empirical investigations

A graphical approach to identify, explain and document security threats and risk scenarios is proposed and guidelines for its use have been based on a combination of empirical investigations and experiences gathered from utilizing the approach in large scale industrial field trials.

Modular analysis and modelling of risk scenarios with dependencies

Business Process Model and Notation - BPMN

A Practical Approach to Uncertainty Handling and Estimate Acquisition in Model-based Prediction of System Quality

An approach to the representation, propagation and analysis of uncertainties in DVs is proposed and it is argued that this uncertainty handling approach is comprehensible, sound, practically useful and better than any other approach the authors are aware of.

International Organization for Standardization

This chapter provides an overview of the International Organization for Standardization (ISO). Operating since 1947, the International Organization for Standardization (ISO) is a nongovernmental

Fuzzy fault tree analysis

  • D. Weber
  • Business
    Proceedings of 1994 IEEE 3rd International Fuzzy Systems Conference
  • 1994
A fuzzy logic method employing Weibulls to represent membership functions for a set of fuzzy values (and fuzzy intervals) has been developed and can address subjective, qualitative, and quantitative uncertainties involving risk analysis.