Risk profiles and distributed risk assessment

Computers and Security

Volumn 28, Issue 7, 2009, Pages 521-535

  Chivers, Howard ^a   Clark, John A ^b   Cheng, Pau Chen ^c  

^a CRANFIELD UNIVERSITY   (United Kingdom)

^b UNIVERSITY OF YORK   (United Kingdom)

^c IBM T J WATSON RESEARCH CENTER   (United States)

Author keywords

Distributed algorithm; Distributed systems; Risk management; Security; Security model

Indexed keywords

AD-HOC COLLABORATION; CONTINUOUS ASSESSMENT; CRITICAL ASSET; DISTRIBUTED ALGORITHM; DISTRIBUTED COMPUTATIONS; DISTRIBUTED SYSTEMS; DYNAMIC SYSTEMS; OPERATIONAL LIFE; PATH ENUMERATION; POLICY CHANGES; RISK PROFILE; SECURITY; SECURITY MODEL; SYSTEM CHANGE;

COMPUTATIONAL EFFICIENCY; DECISION MAKING; DYNAMICAL SYSTEMS; PARALLEL ALGORITHMS; RISK ANALYSIS; RISK MANAGEMENT;

RISK ASSESSMENT;

EID: 70349596824     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2009.04.005     Document Type: Article

References (38)

1. Alberts C., and Dorofee A. Managing information security risks - the octave approach. SEI series in software engineering (2003), Addison-Wesley
2. Azzedin F., and Maheswaran M. Trust modeling for peer-to-peer based computing systems. Proceedings of the international parallel and distributed processing symposium (IPDPS'03) (2003), IEEE Computer Society
3. Baskerville R. Information systems security design methods: implications for information systems development. ACM Computing Surveys 25 4 (1993) 375-414
4. Braber F., Hogganvik I., Lund M.S., Stølen K., and Vraalsen F. Model-based security analysis in seven steps - a guided tour to the CORAS method. BT Technology Journal 25 1 (2007) 101-117
5. Cahill V., et al. Using trust for secure collaboration in uncertain environments. IEEE Pervasive Computing 2 3 (2003) 52-61
6. Chivers H., and Fletcher M. Applying security design analysis to a service based system. Software Practice and Experience: Special Issue on Grid Security 35 9 (2005) 873-897
7. Chivers H., and Jacob J. Specifying information-flow controls. Proceedings of the 25th IEEE international conference on distributed computing systems workshops (ICDCSW'05) second international workshop on security in distributed computing systems (SDCS) (2005), IEEE Computer Society 114-120
8. Chivers H. Security design analysis (2006), Department of Computer Science, The University of York, York, UK p. 484
9. Chivers H. Information modeling for automated risk analysis. In: Proceedings of the 10th IFIP open conference on communications and multimedia security (CMS 2006); 2006b.
10. Clemen R.T., and Winkler R.L. Combining probability distributions from experts in risk analysis. Risk Analysis 19 2 (1999) 187-203
11. Eschenauer L., Gligor V.D., and Baras J. On trust establishment in mobile ad-hoc networks. Proceedings of the security protocols workshop. Lecture notes in computer science (LNCS) vol. 2845 (2002), Springer-Verlag 47-66
12. Fenton N, Neil M, Combining evidence in risk analysis using Bayesian networks, Agenda white paper, W0704/01; 2004. Available from: [accessed January 2009].
13. Flynn M., Hoverd T., and Brazier D. Formaliser - an interactive support tool for Z. Proceedings of the fourth annual Z user meeting (1990), British Computer Society 128-141
14. Giese H., and Tichy M. Component-based hazard analysis: optimal designs, product lines, and online-reconfiguration. Proceedings of the SAFECOMP '04. Lecture notes in computer science vol. 4166 (2006), Springer, Berlin/Heidelberg 156-169
15. Haley C.B., Laney R., Moffett J.D., and Nuseibeh B. Arguing satisfaction of security requirements. In: Mouratidis H., and Giorgini P. (Eds). Integrating security and software engineering: advances and future vision (2005), Idea Group Publishing, Hershey, PA and London 15-42
16. Haugen Ø., Husa K.E., Runde R.K., and Stølen K. STAIRS towards formal design with sequence diagrams. Software and Systems Modeling 4 4 (2005) 355-357
17. Hogganvik I., and Stølen K. A graphical approach to risk identification, motivated by empirical investigations. Proceedings of the ninth international conference on model driven engineering and systems (MoDELS '06). Lecture notes in computer science (LNCS) vol. 4199 (2006), Springer, Berlin 574-588
18. Information technology - security techniques - information security management systems - requirements (2005), International Organisation for Standards (ISO) ISO/IEC 27001:2005
19. Jürjens J. Towards development of secure systems using UMLsec. Proceedings of the fundamental approaches to software engineering: fourth international conference, FASE 2001: held as part of the joint European conferences on theory and practice of software, ETAPS 2001. Lecture notes in computer science vol. 2029 (2001), Springer-Verlag
20. Jacob J.L. On the derivation of secure components. Proceedings of the 1989 IEEE symposium on security and privacy (1989), IEEE Computer Society 242-247
21. Kaiser B, Liggesmeyer P, Mäckel O, A new component concept for fault trees. In: Proceedings of the eighth Australian workshop on safety critical systems and software; 2003. p. 37-46.
22. Kalloniatis C. Security requirements engineering for e-government applications: analysis of current frameworks. Proceedings of the electronic government: third international conference, EGOV 2004. Lecture notes in computer science vol. 3183/2004 (2004), Springer-Verlag 66-71
23. Liu L., Yu E., and Mylopoulos J. Security and privacy requirements analysis within a social setting. Proceedings of the 11th IEEE international requirements engineering conference (RE'03) (2003), IEEE Computer Society
24. Lodderstedt T., Basin D., and Doser J. SecureUML: a UML-based modeling language for model-driven security. Proceedings of the fifth international conference on the unified modelling language. Lecture notes in computer science (LNCS) vol. 2460 (2002), Springer-Verlag 426-441
25. McDermott J, Fox C, Using abuse case models for security requirements analysis. In: Proceedings of the 15th annual computer security applications conference; 1999.
26. McLean J. A general theory of composition for trace sets closed under selective interleaving functions. Proceedings of the IEEE symposium on research in security and privacy (1994), IEEE Computer Society 79-93
27. Moffett J.D., Haley C.B., and Nuseibeh B.A. Core security requirements artifacts (2004), Open University, Department of Computing. http://computing-reports.open.ac.uk/index.php/content/download/166/999/f ile/2004_23.pdf Technical Report no. 2004/23 [accessed January 2006]
28. Morgan M.G., Fischhoff B., Bostrom A., and Atman C.J. Risk communication: a mental models approach (2002), Cambridge University Press, Cambridge, UK
29. Papadopoulos Y., McDermid J., Sasse R., and Heiner G. Analysis and synthesis of the behaviour of complex programmable electronic systems in conditions of failure. Reliability Engineering and System Safety 71 3 (2001) 229-247
30. Risk management guide for information technology systems. SP 800-30 (2002), National Institute of Standards and Technology (NIST). http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf [accessed January 2006]
31. Schneider E.A. Security architecture-based system design. Proceedings of the 1999 workshop on new security paradigms (1999), ACM Press 25-31
32. Sheyner O., and Wing J. Tools for generating and analyzing attack graphs. Proceedings of the formal methods for components and objects symposium vol. 2004/3188 (2003), Springer-Verlag, Berlin, Heidelberg p. 344-71
33. Shirey R. Internet security glossary (2000), The Internet Society, Reston, USA. http://ietfreport.isoc.org/rfc/rfc2828.txt RFC 2828[accessed January 2006]
34. Spivey J.M. In: Hoare C.A.R. (Ed). The Z notation: a reference manual. Prentice hall international series in computer science (1989), Prentice Hall
35. Srivatanakul T., Clark J., and Polack F. Security zonal analysis (2004), University of York, Department of Computer Science, York, UK. http://www.cs.york.ac.uk/ftpdir/reports/YCS-2004-374.pdf Technical Report YCS-2004-374
36. Swiderski F., and Snyder W. Threat modelling, Microsoft professional (2004), Microsoft Press
37. Vesely W.E., Goldberg F.F., Roberts N.H., and Haasl D.F. Fault tree handbook (1981), U.S. Nuclear Regulatory Commission Report NUREG-0492209
38. Xu D., and Nygard K.E. Threat-driven modeling and verification of secure software using aspect-oriented petri nets. IEEE Transactions on Software Engineering 32 4 (2006) 265-278