Abstract
Security evaluation and security assurance are important aspects of trust in e-business. CORAS is a European project which is developing a tool-supported framework for precise, unambiguous, and efficient risk assessment of security critical systems. The framework is obtained through adapting, refining, extending, and combining methods for risk analysis of critical systems and semiformal modelling methods. In this paper we provide an overview of the CORAS framework for model-based risk assessment, emphasising the pursued integration of risk management and semiformal modelling throughout the evolution of an iterative system development process.ut of the process.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35617-4_48
Chapter PDF
References
Australian/New Zealand Standard AS/NZS 4360:1999: Risk Management.
Atkinson, C., Bayer, J., Bunse, C., Kamsties, E., Laitenberger, O., Laqua, R., Muthig, D., Paech, B. Wüst, J., Zettel, J., Component-based product line engineering with UML. Addison-Wesley, 2002.
Barber, B., Davey, J., The use of the CCTA risk analysis and management methodology CRAMM. Proc. MEDINF092, North Holland, 1589 –1593, 1992.
den Braber, F., Dimitrakos, T., Gran, B.A., Stolen K., Aagedal, J.Q. Model-based Risk Management using UML and RUP,Issues and Trends of Information Technology
Management in Contemporary Organizations 2002, Information Resources Management Association International Conference, May 2002.
Bouti, A., Ait Kadi, D. A state-of-the-art review of FMEA/FMECA. International Journal of Reliability, Quality and Safety Engineering 1: 515–543, 1994.
Clark, J., XSL transformations (XSLT) 1.0, World Wide Web Consortium recommendation REC-xslt, November 1999.
Cockburn, A., Structuring use cases with goals. Journal of object-oriented programming, Sep/Oct: 35–40, Nov/Dec: 56–62, 1997.
Common Criteria Organisation, “Common Criteria for Information Technology Security Evaluation”,http://www.commoncriteria.org,http://www.commoncriteria.orgaccessed: 2002.
Control Objectives for Information and related Technology, “COBIT”,http://www.isaca.org/ct_denld.htm http://www.isaca.org/ct_denld.htm
CORAS project web-site. http://www.nr.no/coras
Curry, D., Debar Merrill Lynch, H. Intrusion detection message exchange format (IDMEF). Working draft, December 28, 2001.
Dimitrakos Th., Bicarregui J.C. “ Towards A Framework for Managing Trust in e-Services”.
In Proceedings of the 4`s International Conference on Electronic Commerce Research, ATSMA, IFIP, November 2001. ISBN 0–9716253–0–1.
Dimitrakos Th.“System Models,e—Risk and e—Trust.Towards bridging the gap”? in Towards the E—ociety:E—usiness,E—ommerce,and E—overnment,eds.Schmid B.,StanoevskaSlabeva K.,Tschammer V.,Kluwer Academic Publishers,2001.ISBN—7923–75297
K. Fu, E. Sit, K. Smith and N. Feamster, Dos and Don’t of Client Authentication on the Web,MIT Technical Report 818, MIT Laboratory for Computer Science, 2001. http://www.cookies.lcs.mit.edu/webauth:trpdf
ISO/IEC 10746 series: 1995 Basic reference model for open distributed processing. ISO/IEC TR 13335–1:2001: Information technology — Guidelines for the management of IT Security — Part 1: Concepts and models for IT Security.
ISO/IEC 17799: 2000 Information technology — Code of practise for information security management.
IEC 1025: 1990 Fault tree analysis (FTA).
Jacobson, I., Rumbaugh, J., Booch, G. The unified software development process. Addison-Wesley, 1999.
Littlewood, B. A reliability model for systems with Markov structure. Appl. Stat. 24: 172–177, 1975.
Reactive System Design Support, “RSDS”,http://www.dcs.kcl.ac.uk .
Redmill, F., Chudleigh, M., Catmur, J. Hazop and Software Hazop. Wiley, 1999. Sandia National Laboratories, “Surety Analysis”, http://www.sandia.gov, 2002.
Schneider, G., Winters, J. P. Applying use cases: a practical guide. Addison-Wesley, 1998. Sindre, G., Opdahl, A. L. Eliciting security requirements by misuse cases. In Proc.
TOOLS_PACIFIC 2000. IEEE Computer Society Press, 120–131, 2000.
World Wide Web Consortium, Extensible Markup Language (XML) v1.0,W3C Recommendation, Second Edition, 6 Oct. 2000.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Dimitrakos, T. et al. (2003). Integrating Model-based Security Risk Management into eBusiness Systems Development. In: Monteiro, J.L., Swatman, P.M.C., Tavares, L.V. (eds) Towards the Knowledge Society. IFIP — The International Federation for Information Processing, vol 105. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35617-4_11
Download citation
DOI: https://doi.org/10.1007/978-0-387-35617-4_11
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6861-9
Online ISBN: 978-0-387-35617-4
eBook Packages: Springer Book Archive