Abstract
Risk management is an important part of software quality management because security issues can result in large economic losses and, even worse, legal consequences. While risk assessment, as the basis for any risk treatment, is widely regarded as important, carrying out a risk assessment remains a challenge, especially for complex, large-scale networked systems. This paper presents an ongoing case study in which such a system is assessed. To deal with the challenges from that case study, the RACOMAT method and the RACOMAT tool for compositional risk assessment, closely combined with security testing and incident simulation, have been developed with the goal of reaching a new level of automation in risk assessment.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Viehmann, J., Werner, F. (2015). Risk Assessment and Security Testing of Large Scale Networked Systems with RACOMAT. In: Seehusen, F., Felderer, M., Großmann, J., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2015. Lecture Notes in Computer Science, vol 9488. Springer, Cham. https://doi.org/10.1007/978-3-319-26416-5_1
DOI: https://doi.org/10.1007/978-3-319-26416-5_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26415-8
Online ISBN: 978-3-319-26416-5
eBook Packages: Computer Science, Computer Science (R0)