Risk in Secure and Dependable System: a Survey

Modeling and analyzing risk is one of the most critical activities in system engineering. Through it, an analyst ensures the security and dependability of a system. In the security and dependability community, security is defined in terms of confidentiality, integrity, and availability, while dependability is defined in terms of reliability, availability, safety, integrity, and maintainability. These attributes can be achieved by controlling the risks that can affect the system. Risk management is a set of activities consisting of organizational analysis, risk identification, risk assessment, risk evaluation, risk treatment, and risk monitoring. In this paper, we present several significant works that have been proposed in the literature to model and analyze critical information systems (i.e., from infrastructures to organizational structures). Moreover, we relate them to the risk management process so that the achievement of security and dependability properties can be guaranteed.
