Abstract
The CORAS project develops a practical framework for model-based risk management of security-critical systems by exploiting the synthesis of risk analysis methods with semiformal specification methods, supported by an adaptable tool-integration platform. The framework is accompanied by the CORAS process, a systems development process based on the integration of RUP and a standardised security risk management process, and it is supported by an XML-based tool-integration platform. The CORAS framework and process are being validated in extensive user trials in the areas of e-commerce and telemedicine. This paper presents an overview of the CORAS framework, emphasising the modelling approach followed in the first of the user trials (concerning the authentication mechanism of an e-commerce platform), and provides some examples of the risk analyses employed in this context.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35612-9_23
Copyright information
© 2002 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Raptis, D., Dimitrakos, T., Gran, B.A., Stølen, K. (2002). The Coras Approach for Model-Based Risk Management Applied to E-Commerce Domain. In: Jerman-Blažič, B., Klobučar, T. (eds) Advanced Communications and Multimedia Security. IFIP — The International Federation for Information Processing, vol 100. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35612-9_13
DOI: https://doi.org/10.1007/978-0-387-35612-9_13
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-4405-7
Online ISBN: 978-0-387-35612-9
eBook Packages: Springer Book Archive