Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Bücher
Zeitschriften
Weitere Formate
Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
ATZ-Fachkongress

Chassis.tech plus 2024


4 Kongresse in einer Veranstaltung

Treffen Sie in München die Fachleute von Chassis, Lenkung, Bremsen sowie Reifen/Räder.
Erweiterte Suche
Anmelden
nach oben

2011 | Buch

Introduction Kapitel lesen Erstes Kapitel lesen

Model-Driven Risk Analysis

The CORAS Approach

verfasst von: Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen

Verlag: Springer Berlin Heidelberg

Enthalten in: Springer Professional "Wirtschaft+Technik" , Springer Professional "Technik" , Springer Professional "Wirtschaft"

Einloggen, um Zugang zu erhalten
insite
SUCHEN

Über dieses Buch

The term “risk” is known from many fields, and we are used to references to contractual risk, economic risk, operational risk, legal risk, security risk, and so forth. We conduct risk analysis, using either offensive or defensive approaches to identify and assess risk. Offensive approaches are concerned with balancing potential gain against risk of investment loss, while defensive approaches are concerned with protecting assets that already exist. In this book, Lund, Solhaug and Stølen focus on defensive risk analysis, and more explicitly on a particular approach called CORAS. CORAS is a model-driven method for defensive risk analysis featuring a tool-supported modelling language specially designed to model risks. Their book serves as an introduction to risk analysis in general, including the central concepts and notions in risk analysis and their relations. The authors’ aim is to support risk analysts in conducting structured and stepwise risk analysis. To this end, the book is divided into three main parts. Part I of the book introduces and demonstrates the central concepts and notation used in CORAS, and is largely example-driven. Part II gives a thorough description of the CORAS method and modelling language. After having completed this part of the book, the reader should know enough to use the method in practice. Finally, Part III addresses issues that require special attention and treatment, but still are often encountered in real-life risk analysis and for which CORAS offers helpful advice and assistance. This part also includes a short presentation of the CORAS tool support. The main target groups of the book are IT practitioners and students at graduate or undergraduate level. They will appreciate a concise introduction into the emerging field of risk analysis, supported by a sound methodology, and completed with numerous examples and detailed guidelines.

Inhaltsverzeichnis

Frontmatter

Introductory Overview

Frontmatter
Chapter 1. Introduction
Abstract
In this chapter, we explain the importance of risk analysis in general. The asset-driven and model-based approach of CORAS is explained and motivated, and the overall aims of the book are given. The chapter furthermore gives a structural overview of the book, including its decomposition into parts and chapters and how these are related.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 2. Background and Related Approaches
Abstract
This chapter introduces and explains the basic risk related terminology on which this book builds. It also positions CORAS in the setting of the most well-known alternative approaches to risk modeling and analysis.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 3. A Guided Tour of the CORAS Method
Abstract
This chapter presents a guided tour of the CORAS method. The method is divided into eight steps, and a separate section is devoted to each of them. The guided tour familiarises the reader with the main features of CORAS, and demonstrates the use of the CORAS risk modeling language as a means for facilitating the analysis, for supporting communication and interaction, and for documenting the analysis results. The chapter serves both as a brief introduction to CORAS, and as a good basis for the subsequent chapters in which the CORAS language and method are presented in detail.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen

Core Approach

Frontmatter
Chapter 4. The CORAS Risk Modelling Language
Abstract
This chapter gives a careful and more detailed presentation of the CORAS risk modeling language, including its syntax and its semantics. The CORAS language is tightly interwoven with the CORAS risk analysis method, and is furthermore firmly based on the central underlying concepts of risk analysis. We explain this by introducing and defining the core risk related concepts, and by demonstrating how these concepts are reflected in the language by specific language constructs. The chapter introduces the five basic kinds of CORAS diagrams and explains their use in the practical setting of risk analysis, both to support communication and to facilitate the various tasks of the risk analysis process.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 5. Preparations for the Analysis
Abstract
The CORAS method is divided into eight steps, and this chapter is devoted to the first of these, namely the initial preparations for a risk analysis. The main objective with Step 1 is to get a basic idea about what is to be the target and what will be the size of the analysis such that we can make the necessary preparations for the actual analysis tasks.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 6. Customer Presentation of the Target
Abstract
This chapter presents Step 2 of the CORAS method, which is the introductory meeting with the customer on the behalf of which the analysis is conducted. The main item on the agenda for this meeting is to get the representatives of the customer to present their overall goals of the analysis and the target they wish to have analysed. The objective is to achieve a common initial understanding of the target of analysis, and of what the parties of the analysis are most concerned about. The overall goals of the analysis are put forward, the focus and scope of the analysis are set, and the rest of the analysis is planned.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 7. Refining the Target Description Using Asset Diagrams
Abstract
This chapter presents Step 3 of the CORAS method, the main objective of which is to ensure a common understanding of the target of analysis, including its focus, scope and main assets. The analysis team presents its understanding of what they learned at the first meeting and from studying documentation that has been made available to them by the customer. The target models presented by the analysis team are corrected and amended. Based on interaction with the customer, the analysis team will also identify the main assets to be protected. The analysis team furthermore conducts a rough, high-level analysis to identify major threat scenarios, vulnerabilities and enterprise level risks that should be investigated further. The outcome of Step 3 is a refined and more detailed understanding of the target description and the objectives of the analysis, which at this point are documented by the analysts.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 8. Approval of the Target Description
Abstract
This chapter presents Step 4 of the CORAS method. The main objective of this analysis step is to ensure that the background documentation for the rest of the analysis, including the target, focus and scope is correct and complete as seen by the customer. The step involves presenting a more refined description of the target to be analysed, including assumptions and preconditions being made. Typically, the analysts describe the target using a formal or semi-formal notation. Before the actual risk analysis starts at the next step of the analysis process, the description of the target should be approved by the customer. Step 4 furthermore includes defining the scales that will be used for estimating likelihoods, consequences and risk levels, as well as deciding the risk evaluation criteria for each asset. This analysis step concludes the context establishment.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 9. Risk Identification Using Threat Diagrams
Abstract
This chapter presents Step 5 of the CORAS method, which is the risk identification. To identify risks, CORAS makes use of structured brainstorming. Structured brainstorming is a step-by-step walkthrough of the target of analysis and is carried out as a workshop led by the analysts. The main idea of structured brainstorming is that since the workshop participants represent different competences, backgrounds and interests, they will view the target from different perspectives and consequently identify more, and possibly other, risks than individuals or a more homogeneous group would have managed. The risk identification involves a systematic identification of threats, unwanted incidents, threat scenarios and vulnerabilities with respect to the identified assets. The activities are supported by the CORAS language, and the results are documented on-the-fly by means of CORAS threat diagrams.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 10. Risk Estimation Using Threat Diagrams
Abstract
This chapter presents Step 6 of the CORAS method. The objective of the risk estimation is to determine the risk level of the risks that are represented by the identified unwanted incidents. The unwanted incidents were documented in threat diagrams during Step 5, and these diagrams serve as the basis for the risk estimation. Step 6 is conducted as a brainstorming involving personnel with various backgrounds, and basically involves the estimation of the likelihoods and consequences of the unwanted incidents. These values in combination yield the risk level for each of the identified risks. The CORAS threat diagrams facilitate the likelihood estimation by supporting the estimation of the likelihood for threats and threat scenarios to cause the unwanted incidents.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 11. Risk Evaluation Using Risk Diagrams
Abstract
This chapter presents Step 7 of the CORAS method. The objective is to decide which of the identified risks are acceptable, and which of the risks must be further evaluated for possible treatment. Whether or not the risks are acceptable is determined by using the already defined risk evaluation criteria and the results of the risk estimation. Step 7 furthermore involves estimating and evaluating risks with respect to indirect assets.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 12. Risk Treatment Using Treatment Diagrams
Abstract
This chapter presents Step 8, which is the last step of the CORAS method, and is concerned with the identification and analysis of treatments. The risks that are found to be unacceptable are evaluated to find means to reduce them. A treatment should contribute to reduced likelihood and/or consequence of an unwanted incident. Since treatments can be costly, they are assessed with respect to their cost-benefit, before a final treatment plan is made.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen

Selected Issues

Frontmatter
Chapter 13. Analysing Likelihood Using CORAS Diagrams
Abstract
Assigning likelihoods to the unwanted incidents of CORAS diagrams is a necessary prerequisite for risk estimation. This chapter explains how CORAS diagrams can be used to analyse and reason about likelihoods of threat scenarios and unwanted incidents. The likelihoods can be given in terms of probabilities or frequencies, and as precise values or as intervals. We explain how to calculate the likelihood of a given threat scenario or unwanted incident based on likelihoods assigned to other diagram elements, and we explain how to check the consistency of the likelihoods of a CORAS diagram. The likelihood analysis is supported by explicit rules that are presented in this chapter. The chapter furthermore explains how to restructure diagrams in order to enable and facilitate further reasoning about likelihoods.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 14. The High-level CORAS Language
Abstract
This chapter presents high-level CORAS, which is an extension of the CORAS language to support hierarchical modeling. Hierarchical risk modeling allows the risk related information to be represented at different levels of details in one and the same diagram. High-level CORAS is designed to handle large and complex risk models by abstraction and to allow detailed analysis of selected issues by refinement. The established rules and techniques for likelihood analysis apply also for high-level CORAS, which means that we can conduct detailed likelihood analysis of selected diagram fragments at low levels of abstraction.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 15. Using CORAS to Support Change Management
Abstract
A risk analysis is based on a description that represents the target of analysis at a given point in time, as well as a set of assumptions about the target and its environment. The results of a risk analysis, including the documented risk picture, are therefore valid only under this description and these assumptions. This chapter presents methods for how to take into account changes that the target of analysis and its surroundings may undergo. Such changes generally imply that also the risks change, and the methods therefore address the problem of how to update and correct the risk picture in order to keep the risk analysis results valid.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 16. The Dependent CORAS Language
Abstract
The CORAS language as defined so far in this book offers no support for the explicit documentation of assumptions. This may be unfortunate since the validity of the diagrams we make during a risk analysis, and therefore the very validity of the risk analysis results, may depend on assumptions. This chapter presents dependent CORAS, which is a language extension to support the documentation of and reasoning about risk analysis assumptions. The reasoning about assumptions and dependencies is supported by four deduction rules.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 17. Using CORAS to Analyse Legal Aspects
Abstract
This chapter has special focus on legal issues connected to risk analysis. When we are conducting risk analyses, we often need to understand and to take into account legal aspects in order to properly present the risk picture. This chapter introduces the notion of legal risk, and explains how we can decompose a risk analysis into a legal dimension and a factual dimension. The former is concerned with identifying relevant legal norms and the legal uncertainty of their impact on the general risk picture, whereas the latter is concerned with standard CORAS risk analysis. The general risk picture that takes legal aspects into account is derived by combining these dimensions. The chapter presents legal CORAS which is an extension of the CORAS language that facilitates the modelling of legal risks.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 18. The CORAS Tool
Abstract
This chapter presents the CORAS tool, which is a graphical editor for making any kind of CORAS diagram. The CORAS tool is well-suited for creating risk models on-the-fly during brainstorming sessions, and moreover facilitates the documentation and presentation of risk analysis results. On the one hand, this chapter presents the CORAS tool and gives a description of its functionality. On the other hand, the chapter explains how the tool may be used during a CORAS risk analysis to facilitate and support the various analysis tasks, with particular focus on the task of risk identification as a selected example.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Chapter 19. Relating CORAS to the State of the Art
Abstract
This chapter gives a detailed comparison of CORAS and related work. The presentation of the state of the art is structured according to the various features of CORAS as presented in Part II and Part III of the book.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen
Backmatter
Metadaten
Titel
Model-Driven Risk Analysis
verfasst von
Mass Soldal Lund
Bjørnar Solhaug
Ketil Stølen
Copyright-Jahr
2011
Verlag
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-12323-8
Print ISBN
978-3-642-12322-1
DOI
https://doi.org/10.1007/978-3-642-12323-8

Premium Partner

    Bildnachweise