论文信息 - An Experience Repository Supporting Security Risk Analysis

An Experience Repository Supporting Security Risk Analysis

ABSTRACT This paper presents an experience repository aiming to support the reuse of generic aspects of security risk analyses documentation. The generic aspects address three main purposes. They are used to (1) characterize and document the target of evaluation, its context and the assumptions on which the analysis is based, (2) specify undesirable behavior, impacts and scenarios resulting from security breaches and threats, (3) document security risk analysis results. The generic aspects are documented in so-called experience packages. An experience package is either constructive or supportive. A constructive experience package may be instantiated, specialized, extended or adjusted into concrete risk analysis documentation. A supportive experience package, supports the process of documenting by capturing methodological aspects in the form of checklists, patterns, and manual or automated procedures. Each experience package is decomposed into 22 concerns, each of which addressing a specific aspect in the overall security risk management process. Concerns consist of elements, examples of which are UML diagrams, table formats, domains of risk values, or sets of guidewords for structured brainstorming. The repository currently contains 139 elements. The elements have been extracted from major security analyses within e-commerce and telemedicine.

Ketil Stølen | Fredrik Vraalsen | Folker den Braber | Fredrik Seehusen | Chingw oei Gan

[1] Erhard Rahm,et al. Web, Web-Services, and Database Systems , 2003, Lecture Notes in Computer Science.

[2] Ketil Stølen,et al. Towards a UML Profile for Model-Based Risk Assessment , 2002 .

[3] Ketil Stølen,et al. Model-based risk assessment to improve enterprise security , 2002, Proceedings. Sixth International Enterprise Distributed Object Computing.

[4] Andreas L. Opdahl,et al. Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[5] Ketil Stølen,et al. The coras approach for model-based risk management applied to e-commerce domain , 2002, Communications and Multimedia Security.

[6] Wolfgang Meier,et al. eXist: An Open Source Native XML Database , 2002, Web, Web-Services, and Database Systems.

[7] David Clark,et al. Structuring and Design of Reactive Systems Using RSDS and B , 2000, FASE.

[8] Richard L. Craft,et al. The Use of Object-Oriented Analysis Methods in Surety Analysis , 1999 .

[9] Brian Ritchie,et al. Integrating Model-based Security Risk Management into eBusiness Systems Development: The CORAS Approach , 2002, I3E.

[10] Rick Kazman,et al. Evaluating Software Architectures: Methods and Case Studies , 2001 .

[11] F. Redmill,et al. Principles underlying a guideline for applying HAZOP to programmable electronic systems , 1997 .

[12] Ketil Stølen,et al. The CORAS approach for model-based risk management applied to a telemedicine service , 2003, MIE.