Information Modeling for Automated Risk Analysis

  • Howard Chivers
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4237)


Systematic security risk analysis requires an information model that integrates the system design, the security environment (the attackers, the security goals, etc.) and the proposed security requirements. Such a model must scale to large systems, and it must support the efficient discovery of threat paths and the production of risk-based metrics; the modeling approach therefore has to balance complexity, scalability and expressiveness. This paper describes such a model. Its novel features include combining formal information modeling with informal requirements traceability, so that security requirements can be specified on incompletely specified services, and the typing of information flows, which is used both to quantify the exploitability of a threat path and to model communications security.
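To make the two central ideas of the abstract concrete, the following is an added, self-contained toy that is not the paper's model and not code from the author: a small information model in which every flow between components carries a type, threat paths from an attacker to an asset are discovered by graph search, the exploitability of a path is the product of per-hop weights, and a security requirement is expressed by retyping a flow (for example, declaring a channel encrypted) and observing how the metrics move. The component names, the flow types, the exploitability weights and the aggregate exposure formula are all assumptions chosen for illustration.

```python
"""Toy risk model: typed information flows, threat-path discovery, exploitability.

Illustrative construction only; the flow types, weights and the exposure
metric are assumptions, not values or formulas taken from the paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed exploitability weight per flow type, in (0, 1]. A hop's weight is the
# chance an attacker who controls the source also reaches the destination.
FLOW_EXPLOITABILITY: Dict[str, float] = {
    "plaintext": 1.0,      # unprotected channel: traversed freely
    "internal": 0.6,       # trusted-network hop, no channel protection
    "authenticated": 0.3,  # requires stealing or forging credentials
    "encrypted": 0.1,      # requires breaking or bypassing channel protection
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    kind: str  # key of FLOW_EXPLOITABILITY


class RiskModel:
    """Directed graph of typed information flows between named components."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, str], Flow] = {}

    def add_flow(self, src: str, dst: str, kind: str) -> None:
        if kind not in FLOW_EXPLOITABILITY:
            raise ValueError(f"unknown flow type: {kind}")
        self.flows[(src, dst)] = Flow(src, dst, kind)

    def require(self, src: str, dst: str, kind: str) -> None:
        """Model a security requirement by retyping an existing flow."""
        if (src, dst) not in self.flows:
            raise KeyError(f"no flow {src} -> {dst} to constrain")
        self.add_flow(src, dst, kind)

    def _successors(self, node: str) -> List[Flow]:
        return [f for (s, _), f in self.flows.items() if s == node]

    def threat_paths(self, attacker: str, goal: str) -> List[Tuple[List[str], float]]:
        """All simple paths attacker -> goal, each scored by the product of its
        hop weights, most exploitable first."""
        results: List[Tuple[List[str], float]] = []

        def dfs(node: str, path: List[str], score: float) -> None:
            if node == goal:
                results.append((list(path), score))
                return
            for f in self._successors(node):
                if f.dst in path:  # simple paths only: no revisiting
                    continue
                path.append(f.dst)
                dfs(f.dst, path, score * FLOW_EXPLOITABILITY[f.kind])
                path.pop()

        dfs(attacker, [attacker], 1.0)
        results.sort(key=lambda r: r[1], reverse=True)
        return results

    def exposure(self, attacker: str, goal: str) -> float:
        """Assumed aggregate metric: chance that at least one threat path is
        exploitable, treating paths as independent events."""
        unexploited = 1.0
        for _, score in self.threat_paths(attacker, goal):
            unexploited *= 1.0 - score
        return 1.0 - unexploited


def build_example() -> RiskModel:
    """Constructed sample system: two routes from the Internet to a database."""
    m = RiskModel()
    m.add_flow("internet", "web_portal", "plaintext")
    m.add_flow("web_portal", "app_service", "authenticated")
    m.add_flow("internet", "partner_api", "plaintext")
    m.add_flow("partner_api", "app_service", "plaintext")
    m.add_flow("app_service", "customer_db", "internal")
    return m


if __name__ == "__main__":
    model = build_example()
    for path, score in model.threat_paths("internet", "customer_db"):
        print(" -> ".join(path), f"exploitability={score:.2f}")
    print("exposure before requirement:", round(model.exposure("internet", "customer_db"), 4))
    # Requirement: the partner channel must be encrypted. Retype the flow and re-score.
    model.require("partner_api", "app_service", "encrypted")
    print("exposure after requirement: ", round(model.exposure("internet", "customer_db"), 4))
```

Before the requirement, the partner route (two plaintext hops, then an internal one) is the most exploitable path at 0.6; after the partner channel is retyped as encrypted it drops to 0.06 and the authenticated web route, at 0.18, becomes the dominant path. Because the requirement is recorded as a change of flow type rather than as free text, the same search re-derives the paths and the metric, which is the kind of automation the abstract argues for.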


Keywords: security risk model information threat service-oriented communication

Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Howard Chivers, Department of Information Systems, Cranfield University, Shrivenham, Swindon, UK