Model-based security analysis in seven steps - A guided tour to the CORAS method

BT Technology Journal

Volumn 25, Issue 1, 2007, Pages 101-117

  den Braber, F ^a   Hogganvik, I ^a   Lund, M S ^a   Stolen K ^a   Vraalsen, F ^a  

^a NONE

Author keywords

[No Author keywords available]

Indexed keywords

DATA REDUCTION; PROFESSIONAL ASPECTS; RISK ANALYSIS; SOCIETIES AND INSTITUTIONS;

SECURITY ANALYSIS; SECURITY RISK MODELLING;

RISK MANAGEMENT;

EID: 33947368645     PISSN: 13583948     EISSN: None     Source Type: Journal    
DOI: 10.1007/s10550-007-0013-9     Document Type: Article

References (25)

1. OMG: 'Unified Modeling Language (UML): Superstructure, version 2.0', Object Management Group (2005).
2. Lund M S, den Braber F, Stølen K and Vraalsen F: 'A UML profile for the identification and analysis of security risks during structured brainstorming', SINTEF ICT, Tech report STF40 A03067 (2004).
3. Stathiakis N, Chronaki C, Skipenes E, Henriksen E, Charalambous E, Sykianakis A, Vrouchos G, Antonakis N, Tsiknakis M and Orphanoudakis S: 'Risk assessment of a cardiology eHealth service in HYGEIAnet', in Proc Computers in Cardiology (CIC'2003), pp 201-204 (2003).
4. AS/NZS4360, Australian/New Zealand Standard for Risk Management: Standards Australia/Standards New Zealand (2004).
5. ISO/IEC13335, Information Technology - Guidelines for management of IT Security (1996-2000).
6. IEC61025, Fault Tree Analysis (FTA) (1990).
7. den Braber F, Mildal A B, Nes J, Stølen K and Vraalsen F: 'Experiences from using the CORAS methodology to analyse a Web application', Journal of Cases on Information Technology, 7, No 3, pp 110-130 (2005).
8. Hogganvik I and Stølen K: 'On the comprehension of security risk scenarios', in Proc Int Workshop on Program Comprehension (IWPC'05), pp 115-124 (2005).
9. Hogganvik I and Stølen K: 'Risk analysis terminology for IT-systems, does it match intuition?' in Proc Int Symposium on Empirical Software Engineering (ISESE'05), pp 13-23 (2005).
10. Hogganvik I and Stølen K: 'A graphical approach to risk identification, motivated by empirical investigations', in Proc MoDELS'06 LNCS 4199, pp 574-588 (2006).
11. Barber B and Davey J: 'The Use of the CCTA Risk Analysis and Management Methodology CRAMM in Health Information Systems', in Proc MEDINFO'92, pp 1589-1593 (1992).
12. Alberts C J and Dorofee A J: 'OCTAVE Criteria Version 2.0', Tech report CMU/SEI-2001-TR-016, ESC-TR-2001-016 (2001).
13. Redmill F, Chudleigh M and Catmur J: 'HAZOP and Software HAZOP', Wiley (1999).
14. Alexander I: 'Misuse cases: Use cases with hostile intent', IEEE Software, 20, No 1, pp 58-66 (2003).
15. Sindre G and Opdahl A L: 'Eliciting Security Requirements by Misuse Cases', in Proc TOOLS-PACIFIC, pp 120-131 (2000).
16. Sindre G and Opdahl A L: 'Templates for Misuse Case Description', in Proc Workshop of Requirements Engineering: Foundation of Software Quality (REFSQ'01), pp 125-136 (2001).
17. Jacobson I, Christerson M, Jonsson P and Övergaard G: 'Object-Oriented Software Engineering: A Use Case Driven Approach', Addison-Wesley (1992).
18. Lund M S, Hogganvik I, Seehusen F and Stølen K: 'UML profile for security assessment', SINTEF Telecom and Informats, Tech report STF40 A03066 (2003).
19. OMG: 'UML Profile for Modeling Quality of Service and Fault Tolerance Characteristics and Mechanisms', Object Management Group 2006.
20. Jürjens J: 'Secure systems development with UML', Springer (2005).
21. Lodderstedt T, Basin D and Doser J: 'SecureUML: A UML-Based Modeling Language for Model-Driven Security', in Proc UML'02, LNCS 2460, pp 426-441 (2002).
22. Schneier B: 'Attack trees: Modeling security threats', Dr Dobb's Journal, 24, No 12, pp 21-29 (1999).
23. Howard M and LeBlanc D: 'Writing Secure Code', 2nd edition, Microsoft Press (2003).
24. IEC60300-3-9, Event Tree Analysis in Dependability management - Part 3: Application guide - Section 9: Risk analysis of technological systems (1995).
25. Nielsen D S: 'The Cause/Consequence Diagram Method as a Basis for Quantitative Accident Analysis', Danish Atomic Energy Commission, RISO-M-1374 (1971).