Top

Published in:

2020 | OriginalPaper | Chapter

Model-Based Risk Analysis and Evaluation Using CORAS and CVSS

Authors : Roman Wirtz, Maritta Heisel

Published in: Evaluation of Novel Approaches to Software Engineering

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The consideration of security during software development is an important factor for deploying high-quality software. The later one considers security in a software development lifecycle the higher the effort to address security-related incident scenarios. Following the principle of security-by-design, we aim at providing methods to develop secure software right from the beginning, i.e. methods for an application during requirements engineering.

The level of risk can be used to prioritize the treatment of scenarios, thus spending the required effort in an efficient manner. It is defined as the likelihood of a scenario and its consequence for an asset. The higher a risk level, the higher the priority to address the corresponding incident scenario. In previous work, we proposed a method that allows to semi-automatically estimate and evaluate risks based on the Common Vulnerability Scoring System using a template-based description of scenarios. In the present paper, we show how the method can be integrated into an existing risk management process like CORAS. To relate the CORAS diagrams and the template, we provide a metamodel. Our model-based approach ensures consistency and traceability between the different steps of the risk management process.

Furthermore, we enhance the existing method with a questionnaire to improve the assessment of an incident scenario’s likelihood.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Live Software Development Environment Using Virtual Reality: A Prototype and Experiment

next chapter Towards GDPR Compliant Software Design: A Formal Framework for Analyzing System Models

ProCOR - https://swe.uni-due.de/ (last access: August 14, 2019).

Eclipse Sirius - https://www.eclipse.org/sirius/ (last access: August 14, 2019).

https://nvd.nist.gov/ - NVD by NIST (last accessed on 3 December 2018).

www.scopus.com - Scopus (last access: December 4, 2018).

Abeywardana, K., Pfluegel, E., Tunnicliffe, M.: A layered defense mechanism for a social engineering aware perimeter, pp. 1054–1062 (2016). https://doi.org/10.1109/SAI.2016.7556108

Argyropoulos, N., Angelopoulos, K., Mouratidis, H., Fish, A.: Risk-aware decision support with constrained goal models. Inf. Comput. Secur. 26(4), 472–490 (2018). https://doi.org/10.1108/ICS-01-2018-0010CrossRef

Beckers, K.: Pattern and Security Requirements - Engineering-Based Establishment of Security Standards. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16664-3CrossRef

Common Criteria: Common Criteria for Information Technology Security Evaluation v3.1. Release 5. Standard (2017). http://www.iso.org/iso/ catalogue_detail?csnumber=65694

Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Requirements Eng. 15(1), 41–62 (2010). https://doi.org/10.1007/s00766-009-0090-zCrossRef

FIRST.org: Common Vulnerability Scoring System v3.0: Specification Document (2015). https://www.first.org/cvss/cvss-v30-specification-v1.8.pdf

International Organization for Standardization: ISO 27005:2011 Information technology - Security techniques - Information security risk management. Standard (2011). http://www.iso.org/iso/catalogue_detail?csnumber=65694

Ionita, D., Kegel, R., Baltuta, A., Wieringa, R.: Arguesecure: out-of-the-box security risk assessment, pp. 74–79 (2017). https://doi.org/10.1109/REW.2016.19

Islam, M.M., Lautenbach, A., Sandberg, C., Olovsson, T.: A risk assessment framework for automotive embedded systems. In: Proceedings of the 2Nd ACM International Workshop on Cyber-Physical System Security, CPSS 2016, pp. 3–14. ACM, New York (2016). https://doi.org/10.1145/2899015.2899018

10.

ISO: ISO 31000 Risk management - Principles and guidelines. International Organization for Standardization (2009)

11.

Labunets, K., Massacci, F., Paci, F.: On the equivalence between graphical and tabular representations for security risk assessment. In: Grünbacher, P., Perini, A. (eds.) REFSQ 2017. LNCS, vol. 10153, pp. 191–208. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54045-0_15CrossRef

12.

Llansó, T., Dwivedi, A., Smeltzer, M.: An approach for estimating cyber attack level of effort. In: 2015 Annual IEEE Systems Conference (SysCon) Proceedings, pp. 14–19 (2015)

13.

Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis. The CORAS Approach. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12323-8CrossRefMATH

14.

Pardue, H., Landry, J., Yasinsac, A.: A risk assessment model for voting systems using threat trees and monte carlo simulation. In: 2009 First International Workshop on Requirements Engineering for e-Voting Systems, pp. 55–60, August 2009. https://doi.org/10.1109/RE-VOTE.2009.1

15.

Rajbhandari, L.: Consideration of opportunity and human factor: required paradigm shift for information security risk management. In: 2013 European Intelligence and Security Informatics Conference, pp. 147–150, August 2013. https://doi.org/10.1109/EISIC.2013.32

16.

Saaty, T.L.: What is the analytic hierarchy process? In: Mitra, G., Greenberg, H.J., Lootsma, F.A., Rijkaert, M.J., Zimmermann, H.J. (eds.) Mathematical Models for Decision Support, pp. 109–121. Springer, Heidelberg (1988). https://doi.org/10.1007/978-3-642-83555-1_5CrossRef

17.

Steinberg, D., Budinsky, F., Paternostro, M., Merks, E.: EMF: Eclipse Modeling Framework 2.0, 2nd edn. Addison-Wesley Professional, Boston (2009)

18.

Stonerburner, G., Goguen, A., Feringe, A.: Risk management guide for information technology systems, 2002 (NIST Special Publication 800-30) (2007)

19.

Tundis, A., Mühlhäuser, M., Gallo, T., Garro, A., Saccá, D., Citrigno, S., Graziano, S.: Systemic risk analysis through se methods and techniques, vol. 2010, pp. 101–104 (2017). https://www.scopus.com/inward/record.uri?eid=2-s2.0-850388 55133&partnerID=40&md5=513629eb20df7e1f564d579af6a655b8

20.

Tundis, A., Mühlhäuser, M., Garro, A., Gallo, T., Saccá, D., Citrigno, S., Graziano, S.: Systemic risk modeling & evaluation through simulation & Bayesian networks, vol. Part F130521 (2017). https://doi.org/10.1145/3098954.3098993

21.

Wirtz, R., Heisel, M.: CVSS-based estimation and prioritization for security risks. In: Proceedings of the 14th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE, pp. 297–306. INSTICC, SciTePress (2019). https://doi.org/10.5220/0007709902970306

22.

Wirtz, R., Heisel, M.: A systematic method to describe and identify security threats based on functional requirements. In: Zemmari, A., Mosbah, M., Cuppens-Boulahia, N., Cuppens, F. (eds.) CRiSIS 2018. LNCS, vol. 11391, pp. 205–221. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12143-3_17CrossRef

Title: Model-Based Risk Analysis and Evaluation Using CORAS and CVSS
Authors: Roman Wirtz
Maritta Heisel
Publisher: Springer International Publishing
Book: Evaluation of Novel Approaches to Software Engineering
Print ISBN: 978-3-030-40222-8

Electronic ISBN: 978-3-030-40223-5

Copyright Year: 2020
DOI: https://doi.org/10.1007/978-3-030-40223-5_6

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner