Tool-Supported Risk Modeling and Analysis of Evolving Critical Infrastructures

Risk management is coordinated activities to direct and control an organization with regard to risk, and includes the identification, analysis and mitigation of unacceptable risks. For critical infrastructures consisting of interdependent systems, risk analysis and mitigation is challenging because the overall risk picture can be strongly affected by changes in only a few of the systems. In order to continuously manage risks and maintain an adequate level of protection, there is a need to continuously maintain the validity of risk models while systems change and evolve. This paper presents a risk analysis tool that supports the modeling and analysis of changing and evolving risks. The tool supports the traceability of system changes to risk models, as well as the explicit modeling of the impact on the risk picture. The tool, as well as the underlying risk analysis method, is exemplified and validated in the domain of air traffic management.

[1]  Roberto Gorrieri,et al.  Foundations of Security Analysis and Design VII , 2014, Lecture Notes in Computer Science.

[2]  Christopher J. Alberts,et al.  OCTAVEsm Criteria, Version 2.0 , 2001 .

[3]  Ruth Breu,et al.  MoVEing Forward: Towards an Architecture and Processes for a Living Models Infrastructure , 2011 .

[4]  Ketil Stølen,et al.  Risk Analysis of Changing and Evolving Systems Using CORAS , 2011, FOSAD.

[5]  Ruth Breu,et al.  Using an Enterprise Architecture for IT Risk Management , 2006, ISSA.

[6]  Thomas Peltier,et al.  Information Security Risk Analysis: A Pedagogic Model Based on a Teaching Hospital , 2006 .

[7]  Ketil Stølen,et al.  Modular analysis and modelling of risk scenarios with dependencies , 2010, J. Syst. Softw..

[8]  Ketil Stølen,et al.  Using Indicators to Monitor Security Risk in Systems of Systems: How to Capture and Measure the Impact of Service Dependencies on the Security of Provided Services , 2013 .

[9]  John Mylopoulos,et al.  Security Requirements Engineering: The SI* Modeling Language and the Secure Tropos Methodology , 2010, Advances in Intelligent Information Systems.

[10]  Ketil Stølen,et al.  Evolution in Relation to Risk and Trust Management , 2010, Computer.

[11]  Ketil Stølen,et al.  Using Indicators to Monitor Risk in Interconnected Systems: How to Capture and Measure the Impact of Service Dependencies on the Quality of Provided Services , 2012 .

[12]  Zbigniew W. Ras,et al.  Advances in Intelligent Information Systems , 2010, Advances in Intelligent Information Systems.

[13]  Ketil Stølen,et al.  Model-Driven Risk Analysis - The CORAS Approach , 2010 .