On the comprehension of security risk scenarios

Methods for security risk analysis are often based on structured brainstorming (e.g. what [F. Redmill et al., (1999)] call HAZOP). A structured brainstorming session gathers experts on different parts of the system; the premise is that they will identify more risks as a team than they would one by one. The CORAS modelling language [M. S. Lund et al., (2003)] has been designed to support the brainstorming process and to document the security risk scenarios identified during these sessions. The language is graphical, is based upon the Unified Modelling Language (UML) [I. Jacobson et al., (1998)], and is recommended by the OMG. This paper reports the results of two empirical experiments concerning the CORAS language. Our results show that (1) many security risk analysis terms are part of everyday language and are therefore well understood, whereas the more abstract or less frequently used terms are a possible source of misunderstanding in a security analysis, and (2) the language's graphical icons make diagram "navigation" faster, but diagrams with icons are not necessarily understood more correctly than diagrams without them.

[1] Recommended Practice for Architectural Description of Software-Intensive Systems, 1999.

[2] Ketil Stølen et al. Integrating Security in the Development Process with UML. Encyclopedia of Information Science and Technology, 2005.

[3] John Krogstie et al. Assessing Enterprise Modeling Languages Using a Generic Quality Framework. Information Modeling Methods and Methodologies, 2005.

[4] Ketil Stølen et al. Model-based Risk Assessment to Improve Enterprise Security. Proceedings of the Sixth International Enterprise Distributed Object Computing Conference (EDOC), 2002.

[5] Miroslaw Staron et al. An Empirical Study on Using Stereotypes to Improve Understanding of UML Models. Proceedings of the 12th IEEE International Workshop on Program Comprehension (IWPC), 2004.

[6] Standards New Zealand et al. Risk Management Guidelines: Companion to AS/NZS 4360:2004, 2004.

[7] SINTEF ICT. Empirical Investigations of the CORAS Language for Structured Brainstorming, 2005.

[8] Brian Henderson-Sellers et al. Stereotypical Encounters of the Third Kind. UML 2002.

[9] K. Stølen et al. UML Profile for Security Assessment. SINTEF Telecom and Informatics, 2003.

[10] Brian Ritchie et al. Integrating Model-based Security Risk Management into eBusiness Systems Development: The CORAS Approach. I3E, 2002.

[12] R. H. Myers et al. Probability and Statistics for Engineers and Scientists, 1978.

[13] Ketil Stølen et al. Experiences from Using the CORAS Methodology to Analyze a Web Application. Journal of Cases on Information Technology, 2005.

[14] Standard Glossary of Software Engineering Terminology, 1990.

[15] Ivar Jacobson et al. The Unified Modeling Language Reference Manual, 2010.