Evolutionary Risk Analysis: Expert Judgement

  • Massimo Felici
  • Valentino Meduri
  • Bjørnar Solhaug
  • Alessandra Tedeschi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6894)


New systems and functionalities are continuously deployed in complex domains such as Air Traffic Management (ATM). Unfortunately, existing methodologies provide limited support for dealing with changes and for assessing their impact on critical features (e.g. safety, security). This paper is concerned with how change requirements affect security properties. A change requirement is a specification of changes that are to be implemented in a system. The paper reports our experience in supporting an evolutionary risk analysis that assesses change requirements and their impact on security properties. In particular, it discusses how changes to structured risk analysis models are perceived by domain experts, presenting insights from a risk assessment exercise that applies CORAS model-driven risk analysis to an ATM case study. It discusses how structured models supporting risk analysis help domain experts analyse and assess the impact of changes on critical system features.


Keywords: Air Traffic Management, Change Requirements, Security Requirements, Evolutionary Risk Analysis, CORAS





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Massimo Felici (1)
  • Valentino Meduri (1)
  • Bjørnar Solhaug (2)
  • Alessandra Tedeschi (1)
  1. Deep Blue S.r.l., Roma, Italy
  2. SINTEF ICT, Blindern, Norway
